Hi,

> On 27 Feb 2018, at 15.22, Christian Kratzer <c...@cksoft.de> wrote:
> 
> as a business requirement we have implemented the following 
> EAPTLS_CertificateVerifyFailedHook to return success on a broken, expired or 
> missing CRL for TLS authentication with client certificates.
> 
> This is working as follows:
> 
>    sub {
>        my $verify_error = $_[0];
>        my $p = $_[5];
> 
>        &main::log($main::LOG_DEBUG, "EAPTLS_CertificateVerifyFailedHook: verify_error: $verify_error");
> 
>        # save verify error to reply for auth logging
>        $p->{EAPContext}->{EAPTLS_Session}->{verify_error} = Radius::TLS::verify_error_string($verify_error);
> 
>        # return success on specific verification error
>        #  3   => 'unable to get certificate CRL',
>        #  12  => 'CRL has expired',
>        if( $verify_error==3 || $verify_error==12 ) {
>            return 0;
>        }
> 
>        # otherwise pass through original error
>        return $verify_error;
>    }
> 
> we also need to log the verify_error in the Handlers authlog.
> 
> For that we are attempting to store the verify error inside the EAP Session.
> 
> When trying to access the value from an AuthLogFileHook using 
> %{EAPTLS:verify_error} the value is missing.
> 
> Any suggestions how we could pass the error from 
> EAPTLS_CertificateVerifyFailedHook back into an AuthLogFileHook ?
> 

did you test both accept and reject?

Looking at the code, without testing this myself, I would assume that 
verify_error is available when logging a reject but not when logging an accept?

$p->{EAPContext}->{EAPTLS_Session} does not actually exist before accepting the TLS 
connection, after which it is assigned in Radius::TLS::get_session_info(), and that 
assignment overwrites the verify_error assigned in your EAPTLS_CertificateVerifyFailedHook.

A workaround is to save verify_error in $p->{internal_vars}->{my_tls_verify_error} 
and log it by using %{RequestVar:my_tls_verify_error}.


BR
-- 
Tuure Vartiainen <varti...@open.com.au>

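The workaround from the reply written out as a hook, added here as an example; it is neither Radiator's own code nor the poster's hook. The verify error is stored in $p->{internal_vars} instead of the EAPTLS session so that the Handler can log it as %{RequestVar:my_tls_verify_error}; the name my_tls_verify_code is an extra key chosen for this example, and the warning-level log call assumes $main::LOG_WARNING is available alongside $main::LOG_DEBUG.

```perl
# Added example: EAPTLS_CertificateVerifyFailedHook that keeps the verify
# error in $p->{internal_vars} (survives until the authlog is written).
sub {
    my $verify_error = $_[0];
    my $p            = $_[5];

    my $verify_text = Radius::TLS::verify_error_string($verify_error);

    # Explicit allowlist of the verification errors this site tolerates
    # (the two OpenSSL codes named in the original hook).
    my %tolerated = (
        3  => 'unable to get certificate CRL',
        12 => 'CRL has expired',
    );

    # Keep both the text and the numeric code for the authlog; the Handler
    # reads them back with %{RequestVar:my_tls_verify_error} and
    # %{RequestVar:my_tls_verify_code} (the latter key is this example's own).
    $p->{internal_vars}->{my_tls_verify_error} = $verify_text;
    $p->{internal_vars}->{my_tls_verify_code}  = $verify_error;

    if (exists $tolerated{$verify_error}) {
        # Log tolerated CRL failures above DEBUG so a missing or stale CRL
        # is visible in the main log, not only in the authlog.
        &main::log($main::LOG_WARNING,
            "EAPTLS_CertificateVerifyFailedHook: accepting despite "
          . "verify_error $verify_error ($verify_text)");
        return 0;    # 0 = treat verification as successful
    }

    &main::log($main::LOG_DEBUG,
        "EAPTLS_CertificateVerifyFailedHook: verify_error "
      . "$verify_error ($verify_text)");
    return $verify_error;    # pass the original error through
}
```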
