Hi Heikki,

some hours of debugging and testing later:

Radiator 4.19 is now running together with the German NREN upstream radsecproxy, but I don't know what went wrong yesterday, sic!

Yesterday I saw the following lines in the debug file:

Mon Aug 7 16:14:02 2017 030094: DEBUG: Radius::ServerRADSEC FROM-DFN-PROXY setting TLS protocols to: TLSv1.2
Mon Aug 7 16:14:02 2017 030455: DEBUG: Radius::ServerRADSEC FROM-DFN-PROXY setting TLS_Ciphers to: DEFAULT:!EXPORT:!LOW
and then the output stopped until I switched back to 4.17 this morning.

Today, after a lot of local tests and well prepared to switch back, I started again 4.19 and the debug output looks now OK:

Tue Aug 8 16:08:53 2017 919196: DEBUG: Radius::ServerRADSEC FROM-DFN-PROXY setting TLS protocols to: TLSv1.2
Tue Aug 8 16:08:53 2017 919756: DEBUG: Radius::ServerRADSEC FROM-DFN-PROXY setting TLS_Ciphers to: DEFAULT:!EXPORT:!LOW
Tue Aug 8 16:09:48 2017 760686: DEBUG: StreamServer: New connection from 193.174.XX.YY:43818
Tue Aug 8 16:09:48 2017 761077: DEBUG: Stream connected to 193.174.XX.YY (193.174.XX.YY:43818)
Tue Aug 8 16:09:48 2017 761305: DEBUG: StreamTLS sessionInit for 193.174.XX.YY
Tue Aug 8 16:09:48 2017 761870: DEBUG: StreamTLS SSL_accept result: -1, 2, 8720
Tue Aug 8 16:09:48 2017 762140: DEBUG: StreamTLS Server Started for 193.174.XX.YY (193.174.XX.YY:43818)
Tue Aug 8 16:09:48 2017 762303: DEBUG: New StreamServer Connection created for 193.174.XX.YY:43818
Tue Aug 8 16:09:48 2017 764352: DEBUG: StreamTLS SSL_accept result: -1, 2, 8576
Tue Aug 8 16:09:48 2017 777113: DEBUG: StreamServer: New connection from 193.174.XX.YY:56619
Tue Aug 8 16:09:48 2017 777344: DEBUG: Stream connected to 193.174.XX.YY (193.174.XX.YY:56619)
Tue Aug 8 16:09:48 2017 777540: DEBUG: StreamTLS sessionInit for 193.174.XX.YY
Tue Aug 8 16:09:48 2017 778054: DEBUG: StreamTLS SSL_accept result: -1, 2, 8720
Tue Aug 8 16:09:48 2017 778269: DEBUG: StreamTLS Server Started for 193.174.XX.YY (193.174.XX.YY:56619)
Tue Aug 8 16:09:48 2017 778434: DEBUG: New StreamServer Connection created for 193.174.XX.YY:56619
Tue Aug 8 16:09:48 2017 779349: DEBUG: StreamTLS SSL_accept result: -1, 2, 8576
Tue Aug 8 16:09:48 2017 784983: DEBUG: verifyFn start, hostname 193.174.XX.YY
Tue Aug 8 16:09:48 2017 785155: DEBUG: Verifying certificate with Subject '...RADIUSY' presented by peer 193.174.XX.YY
Tue Aug 8 16:09:48 2017 785326: DEBUG: Checking subjectAltName type 2, value RADIUSY against 193.174.XX.YY
Tue Aug 8 16:09:48 2017 785500: DEBUG: Certificate Subject matches TLS_ExpectedPeerName
Tue Aug 8 16:09:48 2017 804628: DEBUG: StreamTLS SSL_accept result: -1, 2, 8608
Tue Aug 8 16:09:48 2017 805828: DEBUG: StreamTLS SSL_accept result: 1, 0, 3
Tue Aug 8 16:09:48 2017 807842: DEBUG: verifyFn start, hostname 193.174.XX.YY
Tue Aug 8 16:09:48 2017 808009: DEBUG: Verifying certificate with Subject '...RADIUSX' presented by peer 193.174.XX.YY
Tue Aug 8 16:09:48 2017 808180: DEBUG: Checking subjectAltName type 2, value RADIUSX against 193.174.XX.YY
Tue Aug 8 16:09:48 2017 808339: DEBUG: Certificate Subject matches TLS_ExpectedPeerName
Tue Aug 8 16:09:48 2017 827839: DEBUG: StreamTLS SSL_accept result: -1, 2, 8608
Tue Aug 8 16:09:48 2017 828973: DEBUG: StreamTLS SSL_accept result: 1, 0, 3

On 08.08.2017 at 12:14, Heikki Vatiainen wrote:
> With 4.18 and later there will also be Message-Authenticator in the reply. This should be fine if the receiver respects RFC 5597 which allows Reply-Message and Message-Authenticator in Access-Accepts.

OK, this stopped my local Status-Server checks, since my script complained that there was an attribute other than a Reply-Message. Yeah, it was the added Message-Authenticator; that was easy. It was just Murphy's law that both Status-Server checks stalled, arrgh.
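As an added example (my own code, not Charly's check script and not Radiator's), here is how a Status-Server probe can accept the extra attribute without becoming sloppy: instead of rejecting anything other than Reply-Message, it allow-lists Reply-Message and Message-Authenticator and verifies both the Response Authenticator and the Message-Authenticator HMAC. The secret and request authenticator are constructed values, and build_reply is a mock of the Reply-Message plus Message-Authenticator answer the mail describes for 4.18+, not Radiator's implementation.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2                              # RADIUS code (RFC 2865)
REPLY_MESSAGE, MESSAGE_AUTHENTICATOR = 18, 80  # attribute types (RFC 2865, RFC 3579)

def parse_attrs(body):
    """Return (type, value, offset) for each TLV attribute; reject malformed lengths."""
    out, pos = [], 0
    while pos < len(body):
        t, l = body[pos], body[pos + 1]
        if l < 2 or pos + l > len(body):
            raise ValueError("malformed attribute at offset %d" % pos)
        out.append((t, body[pos + 2:pos + l], pos))
        pos += l
    return out

def build_reply(secret, req_id, req_auth, text):
    """Mock Access-Accept with Reply-Message + Message-Authenticator (not Radiator's code)."""
    attrs = bytes([REPLY_MESSAGE, 2 + len(text)]) + text
    attrs += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)  # zeroed while signing
    header = struct.pack("!BBH", ACCESS_ACCEPT, req_id, 20 + len(attrs))
    # RFC 3579 3.2: HMAC-MD5 over the reply with the *request* authenticator in place
    mac = hmac.new(secret, header + req_auth + attrs, hashlib.md5).digest()
    attrs = attrs[:-16] + mac
    # RFC 2865 3: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs

def check_status_reply(secret, req_auth, pkt, allowed=(REPLY_MESSAGE, MESSAGE_AUTHENTICATOR)):
    # Validate a Status-Server answer: both authenticators plus an attribute allow-list.
    if len(pkt) < 20 or pkt[0] != ACCESS_ACCEPT or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False, "not a well-formed Access-Accept"
    header, resp_auth, attrs = pkt[:4], pkt[4:20], pkt[20:]
    expect = hashlib.md5(header + req_auth + attrs + secret).digest()
    if not hmac.compare_digest(expect, resp_auth):
        return False, "Response Authenticator mismatch"
    for t, value, off in parse_attrs(attrs):
        if t not in allowed:
            return False, "unexpected attribute %d" % t
        if t == MESSAGE_AUTHENTICATOR:           # verify, never just tolerate, the HMAC
            zeroed = attrs[:off + 2] + bytes(16) + attrs[off + 18:]
            mac = hmac.new(secret, header + req_auth + zeroed, hashlib.md5).digest()
            if not hmac.compare_digest(mac, value):
                return False, "Message-Authenticator mismatch"
    return True, "ok"

def demo(secret=b"radsec", req_auth=bytes(range(16))):
    # Constructed inputs; same reply judged by the old Reply-Message-only rule and the new one
    reply = build_reply(secret, 7, req_auth, b"Radiator ok")
    strict = check_status_reply(secret, req_auth, reply, allowed=(REPLY_MESSAGE,))
    return strict, check_status_reply(secret, req_auth, reply)
```

demo() returns the old rule's rejection ("unexpected attribute 80") next to the new rule's acceptance; a tampered Reply-Message or a wrong shared secret fails the Response Authenticator check before any attribute is looked at.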

Now it looks fine, but please don't ask me what stopped the local NREN radsecproxies to talk to me after the restart yesterday.

Sorry, Heikki, and thanks again

   Charly

PS: I used one Radiator process in my tests today to talk between AuthBy RADSEC and Server RADSEC, here is the cfg snippet:

#
BindAddress     127.0.0.1
#
#  different ports to production server
AuthPort        21812
AcctPort        21813

Trace           4
Foreground
LogStdout

############## NREN Proxy incoming tests ###############################
#

<ServerRADSEC>
    Identifier          MY-RADSEC-SERVER
    Port                22083
    Secret              radsec

    TLS_Protocols           TLSv1.2
    TLS_CAFile              FOO.pem
    TLS_CertificateFile     BAR.pem
    TLS_PrivateKeyFile      BAZ.key
    TLS_CertificateType     PEM

</ServerRADSEC>

<AuthBy RADSEC>
    Identifier          TEST-MY-RADSEC-SERVER
    Port                22083
    Secret              radsec

    UseStatusServerForFailureDetect
    KeepaliveTimeout        3

    LocalAddress            127.0.0.1
    Host                    127.0.0.1

    TLS_Protocols           TLSv1.2
    TLS_CAFile              FOO.pem
    TLS_ExpectedPeerName    CN=.*\.my-domain\.de

    TLS_CertificateType     PEM
    TLS_CertificateFile     BAR.pem
    TLS_PrivateKeyFile      BAZ.key

</AuthBy>

############## AuthBy modules ###########################################
#

<Client 127.0.0.1>
    Identifier          SERVICE_CHECK
    Secret              mysecret
</Client>

--
Karl Gaissmaier
Universität Ulm
kiz, Kommunikations und Informationszentrum
89069 Ulm
Tel.: 49(0)731/50-22499
Fax : 49(0)731/50-12-22499

_______________________________________________
radiator mailing list
radiator@lists.open.com.au
http://lists.open.com.au/mailman/listinfo/radiator