[RADIATOR] Logging verify error from EAPTLS_CertificateVerifyFailedHook in AuthLog

Tuure Vartiainen vartiait at open.com.au
Tue Feb 27 13:45:35 UTC 2018 

Hi,

> On 27 Feb 2018, at 15.22, Christian Kratzer <ck at cksoft.de> wrote:
> 
> as a business requirement we have implemented following EAPTLS_CertificateVerifyFailedHook to return success on broken expired or missing CRL for TLS authentication with client certificates.
> 
> This is working as follows:
> 
>    sub {
>        my $verify_error = $_[0];
>        my $p = $_[5];
> 
>        &main::log($main::LOG_DEBUG, "EAPTLS_CertificateVerifyFailedHook: verify_error: $verify_error");
> 
>        # save verify error to reply for auth logging
>        $p->{EAPContext}->{EAPTLS_Session}->{verify_error} = Radius::TLS::verify_error_string($verify_error);
> 
>        # return success on specific verification error
> 	#  3   => 'unable to get certificate CRL',
> 	#  12   => 'CRL has expired',
>        if( $verify_error==3 || $verify_error==12 ) {
>            return 0;
>        }
> 
>        # otherwise pass through original error
>        return $verify_error;
>    }
> 
> we also need to log the verify_error in the Handlers authlog.
> 
> For that we are attempting to store the verify error inside the EAP Session.
> 
> When trying to access the value from an AuthLogFileHook using %{EAPTLS:verify_error} the value is missing.
> 
> Any suggestions how we could pass the error from EAPTLS_CertificateVerifyFailedHook back into an AuthLogFileHook ?
> 

did you test both access and reject?

Looking at the code, without testing this myself, I would assume that verify_error is available 
when logging a reject but not when logging an accept?

$p->{EAPContext}->{EAPTLS_Session} does not actually exist before accepting TLS connection, 
after which it is assigned in Radius::TLS::get_session_info() and that assignment overwrites verify_error 
assigned in your EAPTLS_CertificateVerifyFailedHook.

A workaround is to save verify_error in $p->{internal_vars}->{my_tls_verify_error} and log it by using %{RequestVar:my_tls_verify_error}.


BR
-- 
Tuure Vartiainen <vartiait at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.

More information about the radiator mailing list