Larry Riffle <[EMAIL PROTECTED]> wrote:
> I'm trying to decide if this is just a couple of us doing something 
> wrong or if check_cert_cn is broken.

  It might be broken.

> Does anybody have it working on any platform? By "working" I mean when 
> the CN doesn't match your server doesn't crash.

  I haven't tested it.

> > 177                     radlog(L_INFO, "--> User-Name = %s", 
> > handler->identity);

  The identity SHOULD NOT be NULL.  The rest of the EAP code ensures
that IF the handler exists, THEN the identity is valid.  I'm confused
by why this is happening at all...

  Hmm.... in rlm_eap_tls.c, function eaptls_authenticate(), try adding
the following code at the top:

...
        EAP_HANDLER *ssl_handler = SSL_get_ex_data(ssn->ssl, 0);

        rad_assert(ssl_handler == handler);
...

   If that assertion fails, then the problem is that the handler is
getting freed part-way through the SSL session, when it shouldn't be.

  A hack to fix it would be to add one line to the top of that function:

        SSL_set_ex_data(ssn->ssl, 0, handler);

  That SHOULD work around the problem.  If so, I'll commit a fix.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
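Added illustration (not part of the thread and not code from the FreeRADIUS sources): the C program below models the three steps in the reply above, binding the handler to the TLS session with ex_data, asserting at the top of the authenticate call that the stored handler is the one the EAP layer just passed in, and the workaround of re-binding on every call. The `SSL_MODEL` and `EAP_HANDLER` structs and every `eaptls_*` / `scenario_*` function are stand-ins invented here so it builds without OpenSSL; in rlm_eap_tls the real calls are `SSL_set_ex_data(ssn->ssl, 0, handler)` and `SSL_get_ex_data(ssn->ssl, 0)`.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for the per-session EAP handler (hypothetical layout). */
typedef struct {
    char identity[64];   /* User-Name; a live handler always has one */
} EAP_HANDLER;

/* Stand-in for OpenSSL's SSL object: only the ex_data slots are modelled.
 * Real code: SSL_set_ex_data() / SSL_get_ex_data() on ssn->ssl. */
#define EX_DATA_SLOTS 4
typedef struct {
    void *ex_data[EX_DATA_SLOTS];
} SSL_MODEL;

static int ssl_set_ex_data(SSL_MODEL *ssl, int idx, void *p) {
    if (idx < 0 || idx >= EX_DATA_SLOTS) return 0;
    ssl->ex_data[idx] = p;
    return 1;
}

static void *ssl_get_ex_data(SSL_MODEL *ssl, int idx) {
    if (idx < 0 || idx >= EX_DATA_SLOTS) return NULL;
    return ssl->ex_data[idx];
}

/* Done once when the TLS session is created: remember who owns it. */
void eaptls_session_bind(SSL_MODEL *ssl, EAP_HANDLER *handler) {
    ssl_set_ex_data(ssl, 0, handler);
}

/* The check suggested for the top of eaptls_authenticate():
 * the handler stored with the session must be the one we were handed.
 * If it is not, the original handler went away mid-session. */
int eaptls_handler_matches(SSL_MODEL *ssl, EAP_HANDLER *handler) {
    return ssl_get_ex_data(ssl, 0) == (void *)handler;
}

/* Model of eaptls_authenticate().  With rebind != 0 it applies the
 * one-line workaround (re-set the ex_data slot on every call) before
 * touching the handler.  Returns 0 on success, -1 when the session's
 * stored handler is not the current one, -2 when the identity is empty
 * (the condition behind the "--> User-Name = %s" crash). */
int eaptls_authenticate(SSL_MODEL *ssl, EAP_HANDLER *handler, int rebind) {
    if (rebind) ssl_set_ex_data(ssl, 0, handler);

    if (!eaptls_handler_matches(ssl, handler)) return -1;

    EAP_HANDLER *h = ssl_get_ex_data(ssl, 0);
    if (h->identity[0] == '\0') return -2;
    return 0;
}

/* Constructed scenario: handler a opened the session; by the next EAP
 * round the caller holds handler b (a was freed, b allocated for the
 * same user).  Two static objects stand in for the freed/reallocated
 * pair so no freed pointer is ever touched. */
int scenario_handler_replaced(int rebind) {
    static EAP_HANDLER a, b;
    SSL_MODEL ssl = {{0}};
    snprintf(a.identity, sizeof a.identity, "%s", "alice");
    snprintf(b.identity, sizeof b.identity, "%s", "alice");
    eaptls_session_bind(&ssl, &a);
    return eaptls_authenticate(&ssl, &b, rebind);
}

/* Constructed scenario: the normal case, same handler for the whole
 * session, so the assertion holds without any workaround. */
int scenario_handler_stable(void) {
    static EAP_HANDLER a;
    SSL_MODEL ssl = {{0}};
    snprintf(a.identity, sizeof a.identity, "%s", "alice");
    eaptls_session_bind(&ssl, &a);
    return eaptls_authenticate(&ssl, &a, 0);
}

int main(void) {
    printf("stable session:            %d\n", scenario_handler_stable());
    printf("replaced, no rebind:       %d\n", scenario_handler_replaced(0));
    printf("replaced, rebind each call:%d\n", scenario_handler_replaced(1));
    return 0;
}
```

The mismatch path is the one the `rad_assert(ssl_handler == handler)` line in the reply is meant to expose; the re-bind path shows why the one-line workaround stops the crash without explaining why the handler was freed in the first place, which is the real bug to chase.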
