(RADIATOR) RadSec and IPv6?

Patrick Renkens p.renkens at uci.ru.nl
Fri Jul 7 04:52:19 CDT 2006


Hi all,

We have successfully set up RadSec over IPv4 with Radiator 3.15, see 
configuration details at the end of this mail.
At this stage we use RadSec to transport accounting records in a safe 
way. It runs smoothly.

However we would like to set up RadSec over IPv6.
When we use the correct IPv6 addresses with the 'Host' statement, we get 
errors like below.

Is this a problem concerning the RadSec implementation or a certificate 
problem?

Any other relevant information:
- We use the same certificates for IPv4 and IPv6.
- Both systems run Solaris 5.9 and Radiator 3.15.
- DNS for IPv4 and IPv6 is correctly configured, including reverse.
- There is no firewall problem, TCP port 2083 is open either way.


DEBUG: Stream attempting tcp connection to ipv6:...:2083
DEBUG: Stream connection in progress to ipv6:...:2083
DEBUG: Stream connected to ipv6:...:2083
DEBUG: StreamTLS sessionInit for ipv6:...
DEBUG: StreamTLS SSL_connect result: -1, 2, 4384
DEBUG: StreamTLS Client Started for ipv6:...:2083
DEBUG: Verifying certificate with Subject '/C=NL/O=.../OU=.../CN=...' presented by peer ipv6:...
ERR: Verification of certificate presented by ipv6:... failed
DEBUG: StreamTLS SSL_connect result: -1, 1, 4401
ERR: StreamTLS client error: -1, 1, 4401,  24610: 1 - error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed



<AuthBy RADSEC>
         Identifier              ACCOUNTING
         Host                    ipv4 hostname and domain
         Port                    2083
         Protocol                tcp
         Secret                  ...
         UseTLS                  1
         TLS_CAFile              %D/cert/ca.crt
         TLS_CertificateFile     %D/cert/'host.domain'.crt
         TLS_CertificateType     PEM
         TLS_PrivateKeyFile      %D/cert/'host.domain'.key
         IgnoreAuthentication
         IgnoreAccountingResponse
</AuthBy>



BindAddress     0.0.0.0,ipv6:...
<ServerRADSEC>
         Port                    2083
         Protocol                tcp
         UseTLS
         TLS_CAFile              %D/cert/ca.crt
         TLS_CertificateFile     %D/cert/'host.domain'.crt
         TLS_CertificateType     PEM
         TLS_PrivateKeyFile      %D/cert/'host.domain'.key
         TLS_RequireClientCert
         TLS_SessionResumption   0
         Secret                  ...
         Identifier              RADSEC
</ServerRADSEC>

-- 

Kind regards,
Patrick Renkens
   Centre for Information Services (UCI)
   Radboud University Nijmegen, Netherlands
   E-mail: p.renkens at uci.ru.nl
   http://www.ru.nl/uci

