[RADIATOR] Radsec and IPv6 keeps troubling me
Patrick Renkens
p.renkens at uci.ru.nl
Mon Jan 24 06:36:52 CST 2011
Hi all,
Radsec in combination with IPv6 keeps troubling me.
This weekend I upgraded Radiator from version 4.4 to 4.7 and since then
the Radsec-connections won't work over IPv6. I had to switch back to
IPv4 to get it running again.
Both systems, Radsec server and client, run Radiator 4.7 on
RHEL. RHEL 5.4 on the client side and RHEL 5.5 on the server side. I only
upgraded the client side. The server that acts as Radsec server was
already running Radiator 4.7.
Personally I think it is not OS related; I experienced the same problems
on Solaris 5.9 and 5.10 before.
Below you find the error message and the relevant configuration parts.
Any help is appreciated.
Sat Jan 22 16:35:41 2011: DEBUG: verifyFn start, hostname ipv6:'host'
Sat Jan 22 16:35:41 2011: DEBUG: verifyFn hostname after canonicalise
Sat Jan 22 16:35:41 2011: DEBUG: Verifying certificate with Subject '/DC=net/DC=geant/O=SURFnet BV/CN=host' presented by peer ipv6:'host'
Sat Jan 22 16:35:41 2011: DEBUG: Checking subjectAltName type 2, value 'host' against
Sat Jan 22 16:35:41 2011: DEBUG: Checking subjectAltName type 6, value https://registry.edugain.org/resolver?urn=urn:geant:eduroam:component:idp:Europe:SURFnet:'host' against
Sat Jan 22 16:35:41 2011: DEBUG: Checking subjectAltName type 6, value https://registry.edugain.org/resolver?urn=urn:geant:eduroam:component:sp:Europe:SURFnet:'host' against
Sat Jan 22 16:35:41 2011: DEBUG: Checking subjectAltName type 6, value https://registry.edugain.org/resolver?urn=urn:geant:eduroam:component:sp:Europe:SURFnet:SURFnet-office against
Sat Jan 22 16:35:41 2011: ERR: Verification of certificate presented by ipv6:'host' failed
Sat Jan 22 16:35:41 2011: DEBUG: StreamTLS SSL_connect result: -1, 1, 4401
Sat Jan 22 16:35:41 2011: ERR: StreamTLS client error: -1, 1, 4401, 9303: 1 - error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Sat Jan 22 16:35:41 2011: DEBUG: Stream disconnected from ipv6:'host':2083
#RADSEC client side:
<Handler Realm=/^'realm'$/i>
# RewriteUsername s/^([^@]+).*/$1/
<AuthBy RADSEC>
Host ipv6:'hostname'
Port 2083
Secret <cut>
UseTLS
TLS_CertificateType PEM
TLS_CAPath %D/certs/cacert
TLS_CertificateFile %D/certs/%h.pem
TLS_PrivateKeyFile %D/certs/%h.pem
</AuthBy>
</Handler>
#RADSEC serverside:
<ServerRADSEC>
Port 2083
UseTLS
TLS_CAFile %D/cert/edugain/cacert/xxxxxx.pem
TLS_CertificateFile %D/cert/edugain/yyyyyy.pem
TLS_CertificateType PEM
TLS_PrivateKeyFile %D/cert/edugain/yyyyyy.pem
TLS_RequireClientCert
TLS_SessionResumption 0
Secret <cut>
Identifier RADSEC
</ServerRADSEC>
Kind regards,
Patrick Renkens
Centre for Information Services (UCI)
Radboud University Nijmegen, Netherlands
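Added example, not part of the message above and not Radiator code: a Python triage script that groups verifyFn debug lines like those in the log into one record per certificate check and flags checks where nothing follows "after canonicalise" or "against". The sample log is constructed with placeholder names, and the layout of a non-empty name after those keywords is an assumption.

```python
import re

# GeneralName tag numbers (RFC 5280) as printed in "subjectAltName type N".
SAN_TYPES = {1: "rfc822Name", 2: "dNSName", 6: "URI", 7: "iPAddress"}

# Constructed sample modelled on the log in the post (wrapped lines rejoined);
# host names are placeholders, not values from a real server.
SAMPLE = """\
Sat Jan 22 16:35:41 2011: DEBUG: verifyFn start, hostname ipv6:radsec.example.org
Sat Jan 22 16:35:41 2011: DEBUG: verifyFn hostname after canonicalise
Sat Jan 22 16:35:41 2011: DEBUG: Verifying certificate with Subject '/O=Example/CN=radsec.example.org' presented by peer ipv6:radsec.example.org
Sat Jan 22 16:35:41 2011: DEBUG: Checking subjectAltName type 2, value radsec.example.org against
Sat Jan 22 16:35:41 2011: DEBUG: Checking subjectAltName type 6, value https://registry.example.org/resolver?urn=urn:example:idp against
Sat Jan 22 16:35:41 2011: ERR: Verification of certificate presented by ipv6:radsec.example.org failed
"""

START = re.compile(r"verifyFn start, hostname (\S+)")
CANON = re.compile(r"verifyFn hostname after canonicalise\s*(.*)$")
SAN = re.compile(r"Checking subjectAltName type (\d+), value (.*?) against\s*(.*)$")
FAIL = re.compile(r"ERR: Verification of certificate presented by \S+ failed")

def triage(log):
    """Return one record per 'verifyFn start' with the SAN checks that followed."""
    attempts, cur = [], None
    for line in log.splitlines():
        if m := START.search(line):
            cur = {"peer": m.group(1), "expected": None, "sans": [],
                   "failed": False, "findings": []}
            attempts.append(cur)
        elif cur is None:
            continue  # line belongs to no verification attempt
        elif m := CANON.search(line):
            cur["expected"] = m.group(1).strip()
            if not cur["expected"]:
                cur["findings"].append("canonicalised hostname is empty")
        elif m := SAN.search(line):
            kind = SAN_TYPES.get(int(m.group(1)), "type " + m.group(1))
            target = m.group(3).strip()
            cur["sans"].append((kind, m.group(2).strip("'"), target))
            if not target:
                cur["findings"].append(f"{kind} compared against an empty name")
        elif FAIL.search(line):
            cur["failed"] = True
    return attempts

if __name__ == "__main__":
    for a in triage(SAMPLE):
        print(a["peer"], "FAILED" if a["failed"] else "ok", a["findings"])
```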