[RADIATOR] Radiator Version 4.15 released - security fixes and enhancements

Hartmaier Alexander alexander.hartmaier at t-systems.at
Thu Jul 16 10:10:48 CDT 2015

On 2015-07-16 15:07, Heikki Vatiainen wrote:
> On 16.7.2015 13.42, Hartmaier Alexander wrote:
>> I couldn't find info about CEF and JSON logging in the reference manual,
>> should be included at least as keywords with a pointer to the
>> 'logformat.cfg' goodies file although I'd prefer having it in the main docs.
> Good point. I'll see that CEF and JSON will be mentioned in ref.pdf
> The configuration sample file 'logformat.cfg' is mentioned where
> LogFormatHook for Log FILE and AuthLog FILE are described. It's also
> mentioned where AcctLogFileFormatHook for accounting messages is described.
> The configuration sample shows how to use the new module
> Radius/LogFormat.pm. This module includes CEF and JSON authentication
> log formatting and JSON accounting log formatting.
> There's also an example of how to use a custom module, possibly modified
> from Radius/LogFormat.pm, to change the formatting or add new formats.
I know because I was the one who requested the feature and wrote the Log
module before you added the hook ;)

>> Is there a way to log the used TLS version and cipher to find out which
>> ones are in use before restricting it with the new EAPTLS_Protocols and
>> EAPTLS_Ciphers config options?
> I think the ciphers are the ones that can be listed with 'openssl
> ciphers -v'; these depend on the SSL/TLS library. Older OpenSSL versions
> seem to have a quite different set of ciphers than the most recent
> LibreSSL for example.
> In other words the ciphers could be listed by radiusd, but you can also
> see them from the command line. Also, a new DEBUG level log message was
> added to show which Net::SSLeay version and SSL/TLS library is used to
> make sure radiusd uses what you expect it to.
> The protocols also depend on what's compiled in the SSL/TLS library. I
> think the recent LibreSSLs do not have SSLv3 support anymore. Are you
> thinking about printing the available SSL/TLS versions before
> restricting them? Note that for TLS based EAPs, TLSv1 is the minimum so
> SSLv3 is not possible which means what you can use is TLSv1 or better.
Yes I know. What I'd like to have is a way to *log* the actual chosen
cipher per EAP-TLS connection, ideally in the AuthLog file.

> Thanks,
> Heikki
Cheers, Alex

T-Systems Austria GesmbH Rennweg 97-99, 1030 Wien
Handelsgericht Wien, FN 79340b