Hi,
as a business requirement we have implemented following
EAPTLS_CertificateVerifyFailedHook to return success on broken expired or
missing CRL for TLS authentication with client certificates.
This is working as follows:
sub {
my $verify_error = $_[0];
my $p = $_[5];
&main::log($main::LOG_DEBUG, "EAPTLS_CertificateVerifyFailedHook:
verify_error: $verify_error");
# save verify error to reply for auth logging
$p->{EAPContext}->{EAPTLS_Session}->{verify_error} =
Radius::TLS::verify_error_string($verify_error);
# return success on specific verification error
# 3 => 'unable to get certificate CRL',
# 12 => 'CRL has expired',
if( $verify_error==3 || $verify_error==12 ) {
return 0;
}
# otherwise pass through original error
return $verify_error;
}
we also need to log the verify_error in the Handlers authlog.
For that we are attempting to store the verify error inside the EAP Session.
When trying to access the value from an AuthLogFileHook using
%{EAPTLS:verify_error} the value is missing.
Any suggestions how we could pass the error from
EAPTLS_CertificateVerifyFailedHook back into an AuthLogFileHook ?
Greetings
Christian
--
Christian Kratzer CK Software GmbH
Email: [email protected] Wildberger Weg 24/2
Phone: +49 7032 893 997 - 0 D-71126 Gaeufelden
Fax: +49 7032 893 997 - 9 HRB 245288, Amtsgericht Stuttgart
Mobile: +49 171 1947 843 Geschaeftsfuehrer: Christian Kratzer
Web: http://www.cksoft.de/
_______________________________________________
radiator mailing list
[email protected]
http://lists.open.com.au/mailman/listinfo/radiator
