[RADIATOR] RADSEC error after upgrade from Radiator 4.3.1 to Radiator 4.4
Mike McCauley
mikem at open.com.au
Mon Sep 14 16:28:50 CDT 2009
Hello Patrick,
Thanks for your note.
The latest patch set contains a number of fixes for problems associated with
subjectAltName and ipv6 addresses, both of which you seem to be using.
I think we would need to see the relevant parts of the config file, and maybe
some more uncut detail from the log file (send it privately, if you wish) to
be sure, but I suspect that the fixes are now rejecting a certificate that
was previously being incorrectly accepted. You may need to adjust your config
to work with the fixed code.
Cheers.
On Wednesday 09 September 2009 11:45:24 pm Patrick Renkens wrote:
> Hi all,
>
> Today I upgraded Radiator from 4.3.1 to 4.4 on a SUN Solaris 5.9 system.
> After the upgrade the RADSEC connection over IPv6 did not work properly
> any more. See a piece of the logging below.
> No changes were made to the config files.
> I know that Net_SSLeay.pm is a module that can be a pain in the neck, we
> use version 1.30.
>
> I had to revert to 4.3.1 to make things work again (without changing
> config files).
>
> Any help is appreciated.
>
> Kind regards,
> Patrick Renkens
> Centre for Information Services (UCI)
> Radboud University Nijmegen, Netherlands
>
>
> Wed Sep 9 14:58:09 2009: DEBUG: Stream attempting tcp connection to # ipv6:<cut>:2083
> Wed Sep 9 14:58:09 2009: DEBUG: Stream connection in progress to # ipv6:<cut>:2083
> Wed Sep 9 14:58:09 2009: DEBUG: Stream connected to # ipv6:<cut>:2083
> Wed Sep 9 14:58:09 2009: DEBUG: StreamTLS sessionInit for # ipv6:<cut>
> Wed Sep 9 14:58:09 2009: DEBUG: StreamTLS SSL_connect result: -1, 2, 4384
> Wed Sep 9 14:58:09 2009: DEBUG: StreamTLS Client Started for # ipv6:<cut>:2083
> Wed Sep 9 14:58:09 2009: DEBUG: Verifying certificate with Subject '/DC=net/DC=geant/O=<cut> BV/CN=<cut>' presented by peer # ipv6:<cut>
> Wed Sep 9 14:58:09 2009: DEBUG: Checking subjectAltName type 2, value <cut>
> Wed Sep 9 14:58:09 2009: DEBUG: Checking subjectAltName type 6, value https://registry.edugain.org/resolver?urn=urn:geant:eduroam:component:idp:Europe:<cut>:<cut>
> Wed Sep 9 14:58:09 2009: DEBUG: Checking subjectAltName type 6, value https://registry.edugain.org/resolver?urn=urn:geant:eduroam:component:sp:Europe:<cut>:<cut>
> Wed Sep 9 14:58:09 2009: ERR: Verification of certificate presented by # ipv6:<cut> failed
> Wed Sep 9 14:58:09 2009: DEBUG: StreamTLS SSL_connect result: -1, 1, 4401
> Wed Sep 9 14:58:09 2009: ERR: StreamTLS client error: -1, 1, 4401, 27968: 1 - error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> Wed Sep 9 14:58:09 2009: DEBUG: Stream disconnected from # ipv6:<cut>:2083
--
Mike McCauley mikem at open.com.au
Open System Consultants Pty. Ltd
9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au
Phone +61 7 5598-7474 Fax +61 7 5598-7070
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, DIAMETER etc. Full source
on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
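
Added example (not part of the thread and not Radiator code): a small Python triage script for debug output like the log quoted above. It groups each certificate verification by peer and names the subjectAltName type numbers using the RFC 5280 GeneralName tags (2 is dNSName, 6 is uniformResourceIdentifier). The sample log is constructed, and the line layout is assumed to match the quoted log with one entry per line.

```python
import re

# GeneralName tag numbers from RFC 5280; the log prints only the number.
GENERAL_NAME = {0: "otherName", 1: "rfc822Name", 2: "dNSName",
                3: "x400Address", 4: "directoryName", 5: "ediPartyName",
                6: "uniformResourceIdentifier", 7: "iPAddress",
                8: "registeredID"}

# Assumption: one entry per line, laid out like the log quoted in the thread.
STAMP = r"^\w{3} \w{3} +\d+ [\d:]{8} \d{4}: (?:DEBUG|ERR): "
SUBJECT = re.compile(STAMP + r"Verifying certificate with Subject '(.*)' presented by peer (.+)$")
SAN = re.compile(STAMP + r"Checking subjectAltName type (\d+), value (.*)$")
FAILED = re.compile(STAMP + r"Verification of certificate presented by (.+) failed$")

# Constructed sample: names and addresses are placeholders, not real data.
SAMPLE_LOG = """\
Wed Sep 9 14:58:09 2009: DEBUG: Verifying certificate with Subject '/DC=org/DC=example/CN=radsec1' presented by peer ipv6:2001:db8::1
Wed Sep 9 14:58:09 2009: DEBUG: Checking subjectAltName type 2, value radsec1.example.org
Wed Sep 9 14:58:09 2009: DEBUG: Checking subjectAltName type 6, value https://registry.example.org/resolver?urn=urn:example:idp
Wed Sep 9 14:58:09 2009: ERR: Verification of certificate presented by ipv6:2001:db8::1 failed
Wed Sep 9 14:58:10 2009: DEBUG: Verifying certificate with Subject '/DC=org/DC=example/CN=radsec2' presented by peer ipv6:2001:db8::2
Wed Sep 9 14:58:10 2009: DEBUG: Checking subjectAltName type 2, value radsec2.example.org
"""

def summarize(log_text):
    """Return one record per certificate verification found in the log."""
    records, current = [], None
    for line in log_text.splitlines():
        if m := SUBJECT.match(line):
            current = {"peer": m[2], "subject": m[1], "sans": [], "failed": False}
            records.append(current)
        elif (m := SAN.match(line)) and current is not None:
            kind = GENERAL_NAME.get(int(m[1]), "unknown")
            current["sans"].append((kind, m[2]))
        elif (m := FAILED.match(line)) and current is not None and m[1] == current["peer"]:
            current["failed"] = True  # an ERR verification line named this peer
    return records

if __name__ == "__main__":
    for rec in summarize(SAMPLE_LOG):
        verdict = "FAILED" if rec["failed"] else "no failure logged"
        print(f"{rec['peer']}  {rec['subject']}  {verdict}")
        for kind, value in rec["sans"]:
            print(f"    {kind}: {value}")
```

The per-peer list of SAN types and values can then be compared with what the RadSec client configuration expects for that peer.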