[RADIATOR] Logging verify error from EAPTLS_CertificateVerifyFailedHook in AuthLog

Christian Kratzer ck at cksoft.de
Tue Feb 27 15:42:03 UTC 2018


Hi,

On Tue, 27 Feb 2018, Tuure Vartiainen wrote:
> Hi,
>
>> On 27 Feb 2018, at 15.22, Christian Kratzer <ck at cksoft.de> wrote:
>>
>> as a business requirement we have implemented the following EAPTLS_CertificateVerifyFailedHook to return success on a broken, expired or missing CRL for TLS authentication with client certificates.
>>
>> This is working as follows:
>>
>>    sub {
>>        my $verify_error = $_[0];
>>        my $p = $_[5];
>>
>>        &main::log($main::LOG_DEBUG, "EAPTLS_CertificateVerifyFailedHook: verify_error: $verify_error");
>>
>>        # save verify error to reply for auth logging
>>        $p->{EAPContext}->{EAPTLS_Session}->{verify_error} = Radius::TLS::verify_error_string($verify_error);
>>
>>        # return success on specific verification error
>>        #  3   => 'unable to get certificate CRL',
>>        #  12  => 'CRL has expired',
>>        if( $verify_error==3 || $verify_error==12 ) {
>>            return 0;
>>        }
>>
>>        # otherwise pass through original error
>>        return $verify_error;
>>    }
>>
>> we also need to log the verify_error in the Handlers authlog.
>>
>> For that we are attempting to store the verify error inside the EAP Session.
>>
>> When trying to access the value from an AuthLogFileHook using %{EAPTLS:verify_error} the value is missing.
>>
>> Any suggestions how we could pass the error from EAPTLS_CertificateVerifyFailedHook back into an AuthLogFileHook ?
>>
>
> did you test both access and reject?
>
> Looking at the code, without testing this myself, I would assume that verify_error is available
> when logging a reject but not when logging an accept?

We are only interested in logging the verify_error when there actually is a verification failure.


> $p->{EAPContext}->{EAPTLS_Session} does not actually exist before accepting TLS connection,
> after which it is assigned in Radius::TLS::get_session_info() and that assignment overwrites verify_error
> assigned in your EAPTLS_CertificateVerifyFailedHook.
>
> A workaround is to save verify_error in $p->{internal_vars}->{my_tls_verify_error} and log it by using %{RequestVar:my_tls_verify_error}.

We changed our code to be as follows and also removed the change of return code to simplify:

 	sub {
 	    my $verify_error = $_[0];
 	    my $p = $_[5];

 	    &main::log($main::LOG_DEBUG, "EAPTLS_CertificateVerifyFailedHook: verify_error: $verify_error");
 	    $p->{internal_vars}->{my_tls_verify_error} = $verify_error;
 	    if( $verify_error==3 || $verify_error==12 ) {
 	       return 0;
 	    }
 	    return $verify_error;
 	}


This results in the following logging, which proves the hook actually runs:

 	Tue Feb 27 16:15:47 2018 564213: DEBUG: Certificate verification failure reason: unable to get certificate CRL
 	Tue Feb 27 16:15:47 2018 564321: DEBUG: EAPTLS_CertificateVerifyFailedHook: verify_error: 3

We still cannot access the error from the logging hook with %{RequestVar:my_tls_verify_error}.

There is a difference if we remove our return 0 from the EAPTLS_CertificateVerifyFailedHook.

In that case the Reply-Message reflects the error:

 	sub {
 	    my $verify_error = $_[0];
 	    my $p = $_[5];

 	    &main::log($main::LOG_DEBUG, "EAPTLS_CertificateVerifyFailedHook: verify_error: $verify_error");
 	    $p->{internal_vars}->{my_tls_verify_error} = $verify_error;
 	    return $verify_error;
 	}

 	Tue Feb 27 16:19:40 2018 327336: INFO: Access rejected for host/test1: TLS Alert acknowledged: unable to get certificate CRL, certificate verify failed
 	Tue Feb 27 16:19:40 2018 329219: DEBUG: Packet dump:
 	*** Sending to ::1 port 59597 ....
 	Code:       Access-Reject
 	Identifier: 8
 	Authentic:  v&<166>G<185><143>;<241>jl<154><15><237><16><31><25>
 	Attributes:
 		EAP-Message = <4><7><0><4>
 		Message-Authenticator = ~<234>0<19>]<133><171><228><160><23><184>E<173>\i<188>
 		Reply-Message = "TLS Alert acknowledged: unable to get certificate CRL, certificate verify failed"

But we still cannot access %{RequestVar:my_tls_verify_error} from the auth logging hook in the handler.

Greetings
Christian

-- 
Christian Kratzer                   CK Software GmbH
Email:   ck at cksoft.de               Wildberger Weg 24/2
Phone:   +49 7032 893 997 - 0       D-71126 Gaeufelden
Fax:     +49 7032 893 997 - 9       HRB 245288, Amtsgericht Stuttgart
Mobile:  +49 171 1947 843           Geschaeftsfuehrer: Christian Kratzer
Web:     http://www.cksoft.de/

