[RADIATOR] Radsec and IPv6 keeps troubling me
Patrick Renkens
p.renkens at uci.ru.nl
Tue Jan 25 04:24:46 CST 2011
Hi Mike,
I've installed the latest patches, starting with the systems that act as
a RADSEC-client. Problem solved.
Thanks a lot for this quick fix!
Kind regards,
Patrick Renkens
Centre for Information Services (UCI)
Radboud University Nijmegen, Netherlands
On 24-1-2011 22:36, Mike McCauley wrote:
> Hello Patrick,
>
> thanks for reporting this.
> This would occur if the remote host name was specified in the form
> ipv6:hostname and the certificate name was for 'hostname'.
>
> It should now be fixed in the latest patch set.
> We apologise for any inconvenience.
>
> Cheers.
>
> On Monday 24 January 2011 10:36:52 pm Patrick Renkens wrote:
>> Hi all,
>>
>> Radsec in combination with IPv6 keeps troubling me.
>> This weekend I upgraded Radiator from version 4.4 to 4.7 and since then
>> the Radsec-connections won't work over IPv6. I had to switch back to
>> IPv4 to get it running again.
>> Both systems, Radsec server and client, run Radiator 4.7 on
>> RHEL. RHEL 5.4 on client side and RHEL 5.5 on server side. I only
>> upgraded the client side. The server that acts as Radsec-server was
>> already running Radiator 4.7.
>>
>> Personally I think it is not OS related, I experienced the same problems
>> on Solaris 5.9 and 5.10 before.
>>
>> Below you find the error-message and the relevant configuration parts.
>>
>> Any help is appreciated.
>>
>>
>>
>>
>> Sat Jan 22 16:35:41 2011: DEBUG: verifyFn start, hostname ipv6:'host'
>> Sat Jan 22 16:35:41 2011: DEBUG: verifyFn hostname after canonicalise
>> Sat Jan 22 16:35:41 2011: DEBUG: Verifying certificate with Subject '/DC=net/DC=geant/O=SURFnet BV/CN=host' presented by peer ipv6:'host'
>> Sat Jan 22 16:35:41 2011: DEBUG: Checking subjectAltName type 2, value 'host' against
>> Sat Jan 22 16:35:41 2011: DEBUG: Checking subjectAltName type 6, value https://registry.edugain.org/resolver?urn=urn:geant:eduroam:component:idp:Europe:SURFnet:'host' against
>> Sat Jan 22 16:35:41 2011: DEBUG: Checking subjectAltName type 6, value https://registry.edugain.org/resolver?urn=urn:geant:eduroam:component:sp:Europe:SURFnet:'host' against
>> Sat Jan 22 16:35:41 2011: DEBUG: Checking subjectAltName type 6, value https://registry.edugain.org/resolver?urn=urn:geant:eduroam:component:sp:Europe:SURFnet:SURFnet-office against
>> Sat Jan 22 16:35:41 2011: ERR: Verification of certificate presented by ipv6:'host' failed
>> Sat Jan 22 16:35:41 2011: DEBUG: StreamTLS SSL_connect result: -1, 1, 4401
>> Sat Jan 22 16:35:41 2011: ERR: StreamTLS client error: -1, 1, 4401, 9303: 1 - error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>>
>> Sat Jan 22 16:35:41 2011: DEBUG: Stream disconnected from ipv6:'host':2083
>>
>>
>>
>> #RADSEC client side:
>> <Handler Realm=/^'realm'$/i>
>> # RewriteUsername s/^([^@]+).*/$1/
>> <AuthBy RADSEC>
>> Host ipv6:'hostname'
>> Port 2083
>> Secret <cut>
>> UseTLS
>> TLS_CertificateType PEM
>> TLS_CAPath %D/certs/cacert
>> TLS_CertificateFile %D/certs/%h.pem
>> TLS_PrivateKeyFile %D/certs/%h.pem
>> </AuthBy>
>> </Handler>
>>
>> #RADSEC serverside:
>> <ServerRADSEC>
>> Port 2083
>> UseTLS
>> TLS_CAFile %D/cert/edugain/cacert/xxxxxx.pem
>> TLS_CertificateFile %D/cert/edugain/yyyyyy.pem
>> TLS_CertificateType PEM
>> TLS_PrivateKeyFile %D/cert/edugain/yyyyyy.pem
>> TLS_RequireClientCert
>> TLS_SessionResumption 0
>> Secret <cut>
>> Identifier RADSEC
>> </ServerRADSEC>
>>
>>
>>
>> Kind regards,
>> Patrick Renkens
>> Centre for Information Services (UCI)
>> Radboud University Nijmegen, Netherlands
>
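The mismatch Mike describes (a Host given as ipv6:hostname, a certificate issued for 'hostname'), sketched as an added example that is not part of the original thread and is not Radiator's code. The function names, the (type, value) layout of the subjectAltName list, the exact-match rule (no wildcards) and the sample names are all assumptions made for illustration.

```python
import ipaddress

# subjectAltName GeneralName type numbers, as printed in the debug log
SAN_DNS, SAN_URI, SAN_IP = 2, 6, 7


def canonicalise_peer_name(configured):
    """Strip the 'ipv6:' prefix from a configured Host value."""
    name = configured.strip()
    if name.lower().startswith("ipv6:"):
        name = name[len("ipv6:"):]
    name = name.rstrip(".").lower()
    if not name:
        # Fail closed: never compare certificate names against an empty string
        raise ValueError("no reference name left in %r" % configured)
    return name


def peer_name_matches(configured, san, subject_cn):
    """True if the certificate (SAN list, subject CN) names the configured peer."""
    ref = canonicalise_peer_name(configured)
    try:
        ref_ip = ipaddress.ip_address(ref)
    except ValueError:
        ref_ip = None
    if ref_ip is not None:
        # Address literals are compared only against iPAddress entries
        return any(t == SAN_IP and ipaddress.ip_address(v) == ref_ip for t, v in san)
    dns_names = [v.rstrip(".").lower() for t, v in san if t == SAN_DNS]
    if dns_names:
        return ref in dns_names
    # Fall back to the subject CN only when there is no dNSName entry
    return subject_cn.rstrip(".").lower() == ref


# Constructed certificate data shaped like the log (placeholder names)
SAMPLE_SAN = [
    (SAN_DNS, "radsec.example.org"),
    (SAN_URI, "https://registry.example.org/resolver?urn=urn:example:idp"),
]
SAMPLE_CN = "radsec.example.org"

if __name__ == "__main__":
    for host in ("ipv6:radsec.example.org", "ipv6:other.example.org"):
        print(host, "->", peer_name_matches(host, SAMPLE_SAN, SAMPLE_CN))
```

The empty value after "verifyFn hostname after canonicalise" in the log is the case the ValueError guards against: a canonicalisation step that yields nothing is reported as a configuration error and is not compared against the certificate.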