[RADIATOR] Logging verify error from EAPTLS_CertificateVerifyFailedHook in AuthLog

Christian Kratzer ck at cksoft.de
Tue Feb 27 13:22:03 UTC 2018


as a business requirement we have implemented following EAPTLS_CertificateVerifyFailedHook to return success on broken expired or missing CRL for TLS authentication with client certificates.

This is working as follows:

     sub {
         my $verify_error = $_[0];
         my $p = $_[5];

         &main::log($main::LOG_DEBUG, "EAPTLS_CertificateVerifyFailedHook: verify_error: $verify_error");

         # save verify error to reply for auth logging
         $p->{EAPContext}->{EAPTLS_Session}->{verify_error} = Radius::TLS::verify_error_string($verify_error);

         # return success on specific verification error
 	#  3   => 'unable to get certificate CRL',
 	#  12   => 'CRL has expired',
         if( $verify_error==3 || $verify_error==12 ) {
             return 0;

         # otherwise pass through original error
         return $verify_error;

we also need to log the verify_error in the Handlers authlog.

For that we are attempting to store the verify error inside the EAP Session.

When trying to access the value from an AuthLogFileHook using %{EAPTLS:verify_error} the value is missing.

Any suggestions how we could pass the error from EAPTLS_CertificateVerifyFailedHook back into an AuthLogFileHook ?


Christian Kratzer                   CK Software GmbH
Email:   ck at cksoft.de               Wildberger Weg 24/2
Phone:   +49 7032 893 997 - 0       D-71126 Gaeufelden
Fax:     +49 7032 893 997 - 9       HRB 245288, Amtsgericht Stuttgart
Mobile:  +49 171 1947 843           Geschaeftsfuehrer: Christian Kratzer
Web:     http://www.cksoft.de/

More information about the radiator mailing list