On 2015-07-16 15:07, Heikki Vatiainen wrote:
> On 16.7.2015 13.42, Hartmaier Alexander wrote:
>
>> I couldn't find info about CEF and JSON logging in the reference manual,
>> should be included at least as keywords with a pointer to the
>> 'logformat.cfg' goodies file although I'd prefer having it in the main docs.
> Good point. I'll see that CEF and JSON will be mentioned in ref.pdf
>
> The configuration sample file 'logformat.cfg' is mentioned where
> LogFormatHook for Log FILE and AuthLog FILE are described. It's also
> mentioned where AcctLogFileFormatHook for accounting messages is described.
>
> The configuration sample shows how to use the new module
> Radius/LogFormat.pm. This module includes CEF and JSON authentication
> log formatting and JSON accounting log formatting.
>
> There's also an example of how to use a custom module, possibly modified
> from Radius/LogFormat.pm, to change the formatting or add new formats.

I know because I was the one who requested the feature and wrote the Log module before you added the hook ;)

>
>> Is there a way to log the used TLS version and cipher to find out which
>> ones are in use before restricting it with the new EAPTLS_Protocols and
>> EAPTLS_Ciphers config options?
> I think the ciphers are the ones that can be listed with 'openssl
> ciphers -v' these depend on the SSL/TLS library. Older OpenSSL versions
> seem to have quite different set of ciphers than the most recent
> LibreSSL for example.
>
> In other words the ciphers could be listed by radiusd, but you can also
> see them from the command line. Also, new DEBUG level log message was
> added to show which Net::SSLeay version and SSL/TLS library is used to
> make sure radiusd uses what you expect it to.
>
> The protocols also depend on what's compiled in the SSL/TLS library. I
> think the recent LibreSSLs do not have SSLv3 support anymore. Are you
> thinking about printing the available SSL/TLS versions before
> restricting them? Note that for TLS based EAPs, TLSv1 is the minimum so
> SSLv3 is not possible which means what you can use is TLSv1 or better.

Yes I know. What I'd like to have is a way to *log* the actual chosen cipher per EAP-TLS connection, ideally in the AuthLog file.

>
> Thanks,
> Heikki
>

Cheers, Alex
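
The point made in the thread, that the usable ciphers depend on the SSL/TLS library the Perl process actually loads, can be checked from Perl directly. The script below is an added example, not part of the original messages and not Radiator code: it reports the Net::SSLeay and library versions and expands a cipher string with that same library. The default cipher string is a constructed sample, and treating an EAPTLS_Ciphers value as an OpenSSL-style cipher list is an assumption.

```perl
#!/usr/bin/perl
# Added example (not Radiator code): report the TLS library this Perl loads
# and the ciphers a candidate cipher string enables in that library.
use strict;
use warnings;
use Net::SSLeay;

Net::SSLeay::load_error_strings();
Net::SSLeay::SSLeay_add_ssl_algorithms();
Net::SSLeay::randomize();

# Assumption: constructed sample value in OpenSSL cipher-list syntax.
my $cipher_string = shift @ARGV // 'HIGH:!aNULL:!MD5';

# Versions of the Perl binding and of the library it is linked against.
sub tls_library_info {
    return ($Net::SSLeay::VERSION, Net::SSLeay::SSLeay_version());
}

# Expand a cipher string with the loaded library, in preference order.
# Returns an empty list when the library rejects the string.
sub enabled_ciphers {
    my ($spec) = @_;
    my $ctx = Net::SSLeay::CTX_new() or die "CTX_new failed\n";
    my @names;
    if (Net::SSLeay::CTX_set_cipher_list($ctx, $spec)) {
        my $ssl = Net::SSLeay::new($ctx) or die "SSL new failed\n";
        my $i = 0;
        while (defined(my $name = Net::SSLeay::get_cipher_list($ssl, $i++))) {
            push @names, $name;
        }
        Net::SSLeay::free($ssl);
    }
    Net::SSLeay::CTX_free($ctx);
    return @names;
}

my ($binding, $library) = tls_library_info();
print "Net::SSLeay $binding, library: $library\n";

my @ciphers = enabled_ciphers($cipher_string);
if (!@ciphers) {
    print "'$cipher_string' selects no ciphers in this library\n";
    exit 1;
}
printf "%d ciphers enabled by '%s':\n", scalar @ciphers, $cipher_string;
print "  $_\n" for @ciphers;
```

Run it with the same perl binary that runs radiusd, passing the candidate cipher string as the first argument, so the result reflects the library that process would load.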