Hello Patrick, thanks for reporting this. This would occur if the remote host name was specified in the form ipv6:hostname and the certificate name was for 'hostname'.
It should now be fixed in the latest patch set. We apologise for any inconvenience.

Cheers.

On Monday 24 January 2011 10:36:52 pm Patrick Renkens wrote:
> Hi all,
>
> Radsec in combination with IPv6 keeps troubling me.
> This weekend I upgraded Radiator from version 4.4 to 4.7 and since then
> the Radsec-connections won't work over IPv6. I had to switch back to
> IPv4 to get it running again.
> Both systems, Radsec server and client and server run Radiator 4.7 on
> RHEL. RHEL 5.4 on clients side and RHEL 5.5 on server side. I only
> upgraded the client side. The server that acts as Radsec-server was
> already running Radiator 4.7.
>
> Personally I think it is not OS related, I experienced the same problems
> on Solaris 5.9 and 5.10 before.
>
> Below you find the error-message and the relevant configuration parts.
>
> Any help is appreciated.
>
>
> Sat Jan 22 16:35:41 2011: DEBUG: verifyFn start, hostname ipv6:'host'
> Sat Jan 22 16:35:41 2011: DEBUG: verifyFn hostname after canonicalise
> Sat Jan 22 16:35:41 2011: DEBUG: Verifying certificate with Subject '/DC=net/DC=geant/O=SURFnet BV/CN=host' presented by peer ipv6:'host'
> Sat Jan 22 16:35:41 2011: DEBUG: Checking subjectAltName type 2, value 'host' against
> Sat Jan 22 16:35:41 2011: DEBUG: Checking subjectAltName type 6, value https://registry.edugain.org/resolver?urn=urn:geant:eduroam:component:idp:Europe:SURFnet:'host' against
> Sat Jan 22 16:35:41 2011: DEBUG: Checking subjectAltName type 6, value https://registry.edugain.org/resolver?urn=urn:geant:eduroam:component:sp:Europe:SURFnet:'host' against
> Sat Jan 22 16:35:41 2011: DEBUG: Checking subjectAltName type 6, value https://registry.edugain.org/resolver?urn=urn:geant:eduroam:component:sp:Europe:SURFnet:SURFnet-office against
> Sat Jan 22 16:35:41 2011: ERR: Verification of certificate presented by ipv6:'host' failed
> Sat Jan 22 16:35:41 2011: DEBUG: StreamTLS SSL_connect result: -1, 1, 4401
> Sat Jan 22 16:35:41 2011: ERR: StreamTLS client error: -1, 1, 4401, 9303: 1 - error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> Sat Jan 22 16:35:41 2011: DEBUG: Stream disconnected from ipv6:'host':2083
>
>
> #RADSEC client side:
> <Handler Realm=/^'realm'$/i>
>     # RewriteUsername s/^([^@]+).*/$1/
>     <AuthBy RADSEC>
>         Host ipv6:'hostname'
>         Port 2083
>         Secret <cut>
>         UseTLS
>         TLS_CertificateType PEM
>         TLS_CAPath %D/certs/cacert
>         TLS_CertificateFile %D/certs/%h.pem
>         TLS_PrivateKeyFile %D/certs/%h.pem
>     </AuthBy>
> </Handler>
>
> #RADSEC serverside:
> <ServerRADSEC>
>     Port 2083
>     UseTLS
>     TLS_CAFile %D/cert/edugain/cacert/xxxxxx.pem
>     TLS_CertificateFile %D/cert/edugain/yyyyyy.pem
>     TLS_CertificateType PEM
>     TLS_PrivateKeyFile %D/cert/edugain/yyyyyy.pem
>     TLS_RequireClientCert
>     TLS_SessionResumption 0
>     Secret <cut>
>     Identifier RADSEC
> </ServerRADSEC>
>
>
> Kind regards,
> Patrick Renkens
> Centre for Information Services (UCI)
> Radboud University Nijmegen, Netherlands
>
>
> _______________________________________________
> radiator mailing list
> [email protected]
> http://www.open.com.au/mailman/listinfo/radiator

--
Mike McCauley [email protected]
Open System Consultants Pty. Ltd
9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au
Phone +61 7 5598-7474 Fax +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
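
The failure mode discussed in this thread, as an added example that is not part of the original messages and is not Radiator's code: a peer-name check that strips the `ipv6:` address-family prefix from the configured Host before comparing it with the certificate, and fails closed when the reference name comes out empty (as in the "after canonicalise" and "against" debug lines above). The function names, the `ipv4:` prefix and the sample certificate values are assumptions constructed for illustration; wildcard and IP-address matching are not covered.

```python
import re

# "ipv6:" is the prefix form used in the Host line in this thread;
# "ipv4:" is an assumption added for symmetry.
_FAMILY_PREFIX = re.compile(r"^(ipv6|ipv4):", re.IGNORECASE)

SAN_DNS = 2  # subjectAltName type 2 = dNSName (as in the debug log)
SAN_URI = 6  # subjectAltName type 6 = URI


def reference_name(configured_host):
    """Turn a configured Host value into the DNS name to look for in the certificate."""
    name = _FAMILY_PREFIX.sub("", configured_host.strip()).rstrip(".").lower()
    if not name:
        # An empty reference name must never be compared: nothing can match it,
        # or worse, a sloppy comparison could match everything.
        raise ValueError("empty reference name after canonicalisation")
    return name


def subject_cn(subject):
    """Return the last CN of an OpenSSL one-line subject ('/DC=.../CN=name'), or None."""
    cns = [part[3:] for part in subject.split("/") if part.upper().startswith("CN=")]
    return cns[-1] if cns else None


def verify_peer_name(configured_host, subject, alt_names):
    """alt_names is a list of (type, value) pairs, e.g. [(2, 'host'), (6, 'https://...')]."""
    try:
        ref = reference_name(configured_host)
    except ValueError:
        return False  # fail closed
    dns_names = [v.rstrip(".").lower() for t, v in alt_names if t == SAN_DNS]
    if dns_names:
        # RFC 6125: when dNSName entries exist, the CN is not consulted.
        return ref in dns_names
    cn = subject_cn(subject)
    return cn is not None and cn.rstrip(".").lower() == ref


# Constructed sample certificate data (not taken from the thread).
SUBJECT = "/DC=org/DC=example/O=Example/CN=radsec.example.org"
SANS = [(SAN_DNS, "radsec.example.org"), (SAN_URI, "https://registry.example.org/r?urn=x")]
```
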
