Hi,
> On 27 Feb 2018, at 15.22, Christian Kratzer <[email protected]> wrote:
>
> as a business requirement we have implemented the following
> EAPTLS_CertificateVerifyFailedHook to return success on a broken, expired or
> missing CRL for TLS authentication with client certificates.
>
> This is working as follows:
>
> sub {
>     my $verify_error = $_[0];
>     my $p = $_[5];
>
>     &main::log($main::LOG_DEBUG, "EAPTLS_CertificateVerifyFailedHook: verify_error: $verify_error");
>
>     # save verify error to reply for auth logging
>     $p->{EAPContext}->{EAPTLS_Session}->{verify_error} =
>         Radius::TLS::verify_error_string($verify_error);
>
>     # return success on specific verification error
>     # 3 => 'unable to get certificate CRL',
>     # 12 => 'CRL has expired',
>     if ( $verify_error == 3 || $verify_error == 12 ) {
>         return 0;
>     }
>
>     # otherwise pass through original error
>     return $verify_error;
> }
>
> We also need to log the verify_error in the Handler's authlog.
>
> For that we are attempting to store the verify error inside the EAP Session.
>
> When trying to access the value from an AuthLogFileHook using
> %{EAPTLS:verify_error} the value is missing.
>
> Any suggestions on how we could pass the error from
> EAPTLS_CertificateVerifyFailedHook back into an AuthLogFileHook?
>
Did you test both access and reject?

Looking at the code, without testing this myself, I would assume that
verify_error is available when logging a reject but not when logging an accept?

$p->{EAPContext}->{EAPTLS_Session} does not actually exist before accepting the TLS
connection, after which it is assigned in Radius::TLS::get_session_info(), and that
assignment overwrites the verify_error assigned in your EAPTLS_CertificateVerifyFailedHook.

A workaround is to save verify_error in
$p->{internal_vars}->{my_tls_verify_error} and log it by using
%{RequestVar:my_tls_verify_error}.
BR
--
Tuure Vartiainen <[email protected]>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
_______________________________________________
radiator mailing list
[email protected]
http://lists.open.com.au/mailman/listinfo/radiator
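As an added example (not code from either poster), here is the hook above rewritten along the lines of Tuure's workaround: the verify error text is saved in $p->{internal_vars} rather than in the EAPTLS_Session, so it survives get_session_info() and can be logged with %{RequestVar:my_tls_verify_error}. The override table, the my_tls_verify_overridden flag and the warning-level log line are my additions and are assumed, not part of Radiator's own code.

```perl
# EAPTLS_CertificateVerifyFailedHook (added example, not from the thread)
# Same positional arguments as the hook in the thread: $_[0] is the OpenSSL
# verify error code, $_[5] is the current request $p.
sub {
    my ($verify_error, $p) = ($_[0], $_[5]);

    # Verify errors that business policy allows us to override (codes as
    # given in the thread). Anything else keeps its original failure.
    my %override = (
        3  => 'unable to get certificate CRL',
        12 => 'CRL has expired',
    );

    my $text = Radius::TLS::verify_error_string($verify_error);

    # Store in internal_vars: this hash belongs to the request, so it is
    # not clobbered when Radius::TLS::get_session_info() later rebuilds
    # $p->{EAPContext}->{EAPTLS_Session}. Readable in log formats as
    # %{RequestVar:my_tls_verify_error} (assumed name).
    $p->{internal_vars}->{my_tls_verify_error} = "$verify_error ($text)";

    if (exists $override{$verify_error}) {
        # Mark the override explicitly so accepted sessions that bypassed
        # CRL checking can be picked out of the authlog afterwards.
        $p->{internal_vars}->{my_tls_verify_overridden} = 1;
        &main::log($main::LOG_WARNING,
            "EAPTLS_CertificateVerifyFailedHook: overriding verify error "
            . "$verify_error ($text) per CRL policy");
        return 0;   # treat as verified
    }

    $p->{internal_vars}->{my_tls_verify_overridden} = 0;
    &main::log($main::LOG_DEBUG,
        "EAPTLS_CertificateVerifyFailedHook: verify_error: $verify_error ($text)");
    return $verify_error;   # pass the original failure through
}
```

Both %{RequestVar:my_tls_verify_error} and %{RequestVar:my_tls_verify_overridden} can then be placed in the authlog format so that accepts granted despite a missing or expired CRL are visible alongside ordinary rejects.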