[RADIATOR] Logging verify error from EAPTLS_CertificateVerifyFailedHook in AuthLog

Tuure Vartiainen vartiait at open.com.au
Tue Feb 27 13:45:35 UTC 2018


> On 27 Feb 2018, at 15.22, Christian Kratzer <ck at cksoft.de> wrote:
> as a business requirement we have implemented following EAPTLS_CertificateVerifyFailedHook to return success on broken expired or missing CRL for TLS authentication with client certificates.
> This is working as follows:
>    sub {
>        my $verify_error = $_[0];
>        my $p = $_[5];
>        &main::log($main::LOG_DEBUG, "EAPTLS_CertificateVerifyFailedHook: verify_error: $verify_error");
>        # save verify error to reply for auth logging
>        $p->{EAPContext}->{EAPTLS_Session}->{verify_error} = Radius::TLS::verify_error_string($verify_error);
>        # return success on specific verification error
> 	#  3   => 'unable to get certificate CRL',
> 	#  12   => 'CRL has expired',
>        if( $verify_error==3 || $verify_error==12 ) {
>            return 0;
>        }
>        # otherwise pass through original error
>        return $verify_error;
>    }
> we also need to log the verify_error in the Handlers authlog.
> For that we are attempting to store the verify error inside the EAP Session.
> When trying to access the value from an AuthLogFileHook using %{EAPTLS:verify_error} the value is missing.
> Any suggestions how we could pass the error from EAPTLS_CertificateVerifyFailedHook back into an AuthLogFileHook ?

did you test both access and reject?

Looking at the code, without testing this myself, I would assume that verify_error is available 
when logging a reject but not when logging an accept?

$p->{EAPContext}->{EAPTLS_Session} does not actually exist before accepting TLS connection, 
after which it is assigned in Radius::TLS::get_session_info() and that assignment overwrites verify_error 
assigned in your EAPTLS_CertificateVerifyFailedHook.

A workaround is to save verify_error in $p->{internal_vars}->{my_tls_verify_error} and log it by using %{RequestVar:my_tls_verify_error}.

Tuure Vartiainen <vartiait at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.

More information about the radiator mailing list