[RADIATOR] Radsec and IPv6 keeps troubling me

Patrick Renkens p.renkens at uci.ru.nl
Mon Jan 24 06:36:52 CST 2011


Hi all,

Radsec in combination with IPv6 keeps troubling me.
This weekend I upgraded Radiator from version 4.4 to 4.7 and since then
the Radsec connections won't work over IPv6. I had to switch back to
IPv4 to get it running again.
Both systems, Radsec server and client, run Radiator 4.7 on
RHEL, with RHEL 5.4 on the client side and RHEL 5.5 on the server side. I only
upgraded the client side. The server that acts as Radsec server was
already running Radiator 4.7.

Personally I think it is not OS related; I experienced the same problems
on Solaris 5.9 and 5.10 before.

Below you will find the error message and the relevant configuration parts.

Any help is appreciated.




Sat Jan 22 16:35:41 2011: DEBUG: verifyFn start, hostname ipv6:'host'
Sat Jan 22 16:35:41 2011: DEBUG: verifyFn hostname after canonicalise
Sat Jan 22 16:35:41 2011: DEBUG: Verifying certificate with Subject
'/DC=net/DC=geant/O=SURFnet BV/CN=host' presented by peer ipv6:'host'
Sat Jan 22 16:35:41 2011: DEBUG: Checking subjectAltName type 2, value
'host' against
Sat Jan 22 16:35:41 2011: DEBUG: Checking subjectAltName type 6, value
https://registry.edugain.org/resolver?urn=urn:geant:eduroam:component:idp:Europe:SURFnet:'host'
against
Sat Jan 22 16:35:41 2011: DEBUG: Checking subjectAltName type 6, value
https://registry.edugain.org/resolver?urn=urn:geant:eduroam:component:sp:Europe:SURFnet:'host'
against
Sat Jan 22 16:35:41 2011: DEBUG: Checking subjectAltName type 6, value
https://registry.edugain.org/resolver?urn=urn:geant:eduroam:component:sp:Europe:SURFnet:SURFnet-office
against
Sat Jan 22 16:35:41 2011: ERR: Verification of certificate presented by
ipv6:'host' failed
Sat Jan 22 16:35:41 2011: DEBUG: StreamTLS SSL_connect result: -1, 1, 4401
Sat Jan 22 16:35:41 2011: ERR: StreamTLS client error: -1, 1, 4401,
9303: 1 - error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Sat Jan 22 16:35:41 2011: DEBUG: Stream disconnected from ipv6:'host':2083



#RADSEC client side:
<Handler Realm=/^'realm'$/i>
        # RewriteUsername         s/^([^@]+).*/$1/
        <AuthBy RADSEC>
                Host                    ipv6:'hostname'
                Port                    2083
                Secret                  <cut>
                UseTLS
                TLS_CertificateType     PEM
                TLS_CAPath              %D/certs/cacert
                TLS_CertificateFile     %D/certs/%h.pem
                TLS_PrivateKeyFile      %D/certs/%h.pem
        </AuthBy>
</Handler>

#RADSEC serverside:
<ServerRADSEC>
        Port                    2083
        UseTLS
        TLS_CAFile              %D/cert/edugain/cacert/xxxxxx.pem
        TLS_CertificateFile     %D/cert/edugain/yyyyyy.pem
        TLS_CertificateType     PEM
        TLS_PrivateKeyFile      %D/cert/edugain/yyyyyy.pem
        TLS_RequireClientCert
        TLS_SessionResumption   0
        Secret                  <cut>
        Identifier              RADSEC
</ServerRADSEC>



Kind regards,
Patrick Renkens
  Centre for Information Services (UCI)
  Radboud University Nijmegen, Netherlands
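
In the debug lines quoted in the message above, every subjectAltName check ends with "against" and nothing after it, and the "after canonicalise" line carries no hostname. The following is an added example, not part of the original post and not Radiator code, that re-joins mail-wrapped log records and reports checks whose reference name is empty. The regular expressions are assumptions derived from the quoted lines, and the sample log is constructed with placeholder names.

```python
import re

# Patterns are assumptions derived from the quoted debug lines, not a Radiator spec.
RECORD_START = re.compile(r"^\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}: ")
SAN_CHECK = re.compile(r"Checking subjectAltName type (\d+), value (\S+) against\s*(.*)$")
CANON = re.compile(r"verifyFn hostname after canonicalise\s*(.*)$")
VERIFY_FAILED = re.compile(r"ERR: Verification of certificate presented by (\S+) failed")

def unwrap(text):
    """Re-join records that a mail client wrapped across several lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)          # a timestamp starts a new record
        else:
            records[-1] += " " + line     # continuation of the previous record
    return records

def audit(text):
    """Report SAN checks made against an empty reference name, and failed peers."""
    report = {"empty_canonical_name": False, "empty_reference": [], "failed_peers": []}
    for rec in unwrap(text):
        if (m := CANON.search(rec)) and not m.group(1):
            report["empty_canonical_name"] = True
        elif m := SAN_CHECK.search(rec):
            san_type, value, reference = m.groups()
            if not reference:  # GeneralName type 2 = dNSName, 6 = URI
                report["empty_reference"].append((int(san_type), value))
        elif m := VERIFY_FAILED.search(rec):
            report["failed_peers"].append(m.group(1))
    return report

# Constructed sample, wrapped the way the e-mail wrapped the real log.
SAMPLE = """\
Sat Jan 22 16:35:41 2011: DEBUG: verifyFn start, hostname ipv6:radsec.example.org
Sat Jan 22 16:35:41 2011: DEBUG: verifyFn hostname after canonicalise
Sat Jan 22 16:35:41 2011: DEBUG: Checking subjectAltName type 2, value
radsec.example.org against
Sat Jan 22 16:35:41 2011: DEBUG: Checking subjectAltName type 6, value
https://idp.example.org/component against
Sat Jan 22 16:35:41 2011: ERR: Verification of certificate presented by
ipv6:radsec.example.org failed
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```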



