[RADIATOR] Radsec and IPv6 keeps troubling me
Mike McCauley
mikem at open.com.au
Mon Jan 24 15:36:13 CST 2011
Hello Patrick,
thanks for reporting this.
This would occur if the remote host name was specified in the form
ipv6:hostname and the certificate name was for 'hostname'.
It should now be fixed in the latest patch set.
We apologise for any inconvenience.
Cheers.
On Monday 24 January 2011 10:36:52 pm Patrick Renkens wrote:
> Hi all,
>
> Radsec in combination with IPv6 keeps troubling me.
> This weekend I upgraded Radiator from version 4.4 to 4.7 and since then
> the Radsec-connections won't work over IPv6. I had to switch back to
> IPv4 to get it running again.
> Both systems, Radsec server and client and server run Radiator 4.7 on
> RHEL. RHEL 5.4 on clients side and RHEL 5.5 on server side. I only
> upgraded de client side. The server that acts as Radsec-server was
> already running Radiator 4.7.
>
> Personally I think it is not OS related, I experienced the same problems
> on Solaris 5.9 and 5.10 before.
>
> Below you find the error-message and the relevant configuration parts.
>
> Any help is appreciated.
>
>
>
>
> Sat Jan 22 16:35:41 2011: DEBUG: verifyFn start, hostname ipv6:'host'
> Sat Jan 22 16:35:41 2011: DEBUG: verifyFn hostname after canonicalise
> Sat Jan 22 16:35:41 2011: DEBUG: Verifying certificate with Subject
> '/DC=net/DC=geant/O=SURFnet BV/CN=host' presented by peer ipv6:'host'
> Sat Jan 22 16:35:41 2011: DEBUG: Checking subjectAltName type 2, value
> 'host' against
> Sat Jan 22 16:35:41 2011: DEBUG: Checking subjectAltName type 6, value
> https://registry.edugain.org/resolver?urn=urn:geant:eduroam:component:idp:E
>urope:SURFnet:'host' against
> Sat Jan 22 16:35:41 2011: DEBUG: Checking subjectAltName type 6, value
> https://registry.edugain.org/resolver?urn=urn:geant:eduroam:component:sp:Eu
>rope:SURFnet:'host' against
> Sat Jan 22 16:35:41 2011: DEBUG: Checking subjectAltName type 6, value
> https://registry.edugain.org/resolver?urn=urn:geant:eduroam:component:sp:Eu
>rope:SURFnet:SURFnet-office against
> Sat Jan 22 16:35:41 2011: ERR: Verification of certificate presented by
> ipv6:'host' failed
> Sat Jan 22 16:35:41 2011: DEBUG: StreamTLS SSL_connect result: -1, 1, 4401
> Sat Jan 22 16:35:41 2011: ERR: StreamTLS client error: -1, 1, 4401,
> 9303: 1 - error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> Sat Jan 22 16:35:41 2011: DEBUG: Stream disconnected from ipv6:'host':2083
>
>
>
> #RADSEC client side:
> <Handler Realm=/^'realm'$/i>
> # RewriteUsername s/^([^@]+).*/$1/
> <AuthBy RADSEC>
> Host ipv6:'hostname'
> Port 2083
> Secret <cut>
> UseTLS
> TLS_CertificateType PEM
> TLS_CAPath %D/certs/cacert
> TLS_CertificateFile %D/certs/%h.pem
> TLS_PrivateKeyFile %D/certs/%h.pem
> </AuthBy>
> </Handler>
>
> #RADSEC serverside:
> <ServerRADSEC>
> Port 2083
> UseTLS
> TLS_CAFile %D/cert/edugain/cacert/xxxxxx.pem
> TLS_CertificateFile %D/cert/edugain/yyyyyy.pem
> TLS_CertificateType PEM
> TLS_PrivateKeyFile %D/cert/edugain/yyyyyy.pem
> TLS_RequireClientCert
> TLS_SessionResumption 0
> Secret <cut>
> Identifier RADSEC
> </ServerRADSEC>
>
>
>
> Kind regards,
> Patrick Renkens
> Centre for Information Services (UCI)
> Radboud University Nijmegen, Netherlands
>
>
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
--
Mike McCauley mikem at open.com.au
Open System Consultants Pty. Ltd
9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au
Phone +61 7 5598-7474 Fax +61 7 5598-7070
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
More information about the radiator
mailing list