[RADIATOR] Logging verify error from EAPTLS_CertificateVerifyFailedHook in AuthLog
Christian Kratzer
ck at cksoft.de
Tue Feb 27 15:42:03 UTC 2018
Hi,
On Tue, 27 Feb 2018, Tuure Vartiainen wrote:
> Hi,
>
>> On 27 Feb 2018, at 15.22, Christian Kratzer <ck at cksoft.de> wrote:
>>
>> as a business requirement we have implemented following EAPTLS_CertificateVerifyFailedHook to return success on broken expired or missing CRL for TLS authentication with client certificates.
>>
>> This is working as follows:
>>
>> sub {
>> my $verify_error = $_[0];
>> my $p = $_[5];
>>
>> &main::log($main::LOG_DEBUG, "EAPTLS_CertificateVerifyFailedHook: verify_error: $verify_error");
>>
>> # save verify error to reply for auth logging
>> $p->{EAPContext}->{EAPTLS_Session}->{verify_error} = Radius::TLS::verify_error_string($verify_error);
>>
>> # return success on specific verification error
>> # 3 => 'unable to get certificate CRL',
>> # 12 => 'CRL has expired',
>> if( $verify_error==3 || $verify_error==12 ) {
>> return 0;
>> }
>>
>> # otherwise pass through original error
>> return $verify_error;
>> }
>>
>> we also need to log the verify_error in the Handlers authlog.
>>
>> For that we are attempting to store the verify error inside the EAP Session.
>>
>> When trying to access the value from an AuthLogFileHook using %{EAPTLS:verify_error} the value is missing.
>>
>> Any suggestions how we could pass the error from EAPTLS_CertificateVerifyFailedHook back into an AuthLogFileHook ?
>>
>
> did you test both access and reject?
>
> Looking at the code, without testing this myself, I would assume that verify_error is available
> when logging a reject but not when logging an accept?
we are only interested in logging the verify_error when there actually is a verification failure.
> $p->{EAPContext}->{EAPTLS_Session} does not actually exist before accepting TLS connection,
> after which it is assigned in Radius::TLS::get_session_info() and that assignment overwrites verify_error
> assigned in your EAPTLS_CertificateVerifyFailedHook.
>
> A workaround is to save verify_error in $p->{internal_vars}->{my_tls_verify_error} and log it by using %{RequestVar:my_tls_verify_error}.
we changed our code to be as follows and also removed the change of return code to simplify:
sub {
my $verify_error = $_[0];
my $p = $_[5];
&main::log($main::LOG_DEBUG, "EAPTLS_CertificateVerifyFailedHook: verify_error: $verify_error");
$p->{internal_vars}->{my_tls_verify_error} = $verify_error;
if( $verify_error==3 || $verify_error==12 ) {
return 0;
}
return $verify_error;
}
this results in following logging that proves the hook actually runs:
Tue Feb 27 16:15:47 2018 564213: DEBUG: Certificate verification failure reason: unable to get certificate CRL
Tue Feb 27 16:15:47 2018 564321: DEBUG: EAPTLS_CertificateVerifyFailedHook: verify_error: 3
We still cannot acess the error from the logging hook with %{RequestVar:my_tls_verify_error}
There is a difference if we remove our return 0 to the EAPTLS_CertificateVerifyFailedHook.
In that case the Reply-Message reflects the error
sub {
my $verify_error = $_[0];
my $p = $_[5];
&main::log($main::LOG_DEBUG, "EAPTLS_CertificateVerifyFailedHook: verify_error: $verify_error");
$p->{internal_vars}->{my_tls_verify_error} = $verify_error;
return $verify_error;
}
Tue Feb 27 16:19:40 2018 327336: INFO: Access rejected for host/test1: TLS Alert acknowledged: unable to get certificate CRL, certificate verify failed
Tue Feb 27 16:19:40 2018 329219: DEBUG: Packet dump:
*** Sending to ::1 port 59597 ....
Code: Access-Reject
Identifier: 8
Authentic: v&<166>G<185><143>;<241>jl<154><15><237><16><31><25>
Attributes:
EAP-Message = <4><7><0><4>
Message-Authenticator = ~<234>0<19>]<133><171><228><160><23><184>E<173>\i<188>
Reply-Message = "TLS Alert acknowledged: unable to get certificate CRL, certificate verify failed"
But we still cannot access %{RequestVar:my_tls_verify_error} from the auth logging hook in the handler.
Greetings
Christian
--
Christian Kratzer CK Software GmbH
Email: ck at cksoft.de Wildberger Weg 24/2
Phone: +49 7032 893 997 - 0 D-71126 Gaeufelden
Fax: +49 7032 893 997 - 9 HRB 245288, Amtsgericht Stuttgart
Mobile: +49 171 1947 843 Geschaeftsfuehrer: Christian Kratzer
Web: http://www.cksoft.de/
More information about the radiator
mailing list