[RADIATOR] TLS Session Resumption Issue
Christian Kratzer
ck at cksoft.de
Tue Feb 27 16:05:16 UTC 2018
Hi,
we have another issue also related to storing data between requests. This time
we need to store something between individual sessions with tls session resumption.
The business logic in this setup dictates that we need to pass the certificate issuer and
policy to an external authenticator backend.
We extract the certificate issuer and policy in EAPTLS_CertificateVerifyHook and store them in EAPContext:

sub {
    my $matchedcn = $_[0];   # CN already matched by Radiator's own check
    my $cert      = $_[2];   # X509 peer certificate handle
    my $p         = $_[5];   # the current request
    my $context   = $p->{EAPContext};

    use Net::SSLeay;
    use Radius::Context;

    # get issuer
    my $issuer = &Net::SSLeay::X509_NAME_oneline(&Net::SSLeay::X509_get_issuer_name($cert));
    &main::log($main::LOG_DEBUG, "auth-certificate.hook: Peer certificate issuer: $issuer");
    $context->{'issuer'} = $issuer;

    # get policies (NID 89 is NID_certificate_policies in OpenSSL)
    my $rv = Net::SSLeay::X509_get_ext_by_NID($cert, 89, -1);
    if ($rv >= 0) {
        my $ext      = Net::SSLeay::X509_get_ext($cert, $rv);
        my $policies = Net::SSLeay::X509V3_EXT_print($ext);
        # strip the "Policy: " label(s) that X509V3_EXT_print puts in front of each OID
        $policies =~ s/.*: //g;
        chomp $policies;
        &main::log($main::LOG_DEBUG, "auth-certificate.hook: Peer certificate policies: $policies");
        $context->{'policies'} = $policies;
    } else {
        &main::log($main::LOG_DEBUG, "auth-certificate.hook: Peer certificate policies not found.");
    }

    return $matchedcn;
}
We are then able to map the issuer and policy into the request in the respective AuthBy's AuthHook:

if (defined $request->{EAPContext}) {
    my $eap_context = $request->{EAPContext};

    # copy what the certificate hook stored into request attributes for the backend
    if (defined $eap_context->{'issuer'}) {
        my $issuer = $eap_context->{'issuer'};
        $request->add_attr('MY-ISSUER', $issuer);
        &main::log($main::LOG_DEBUG, "auth.hook: Peer certificate issuer: $issuer");
    }
    if (defined $eap_context->{'policies'}) {
        my $policies = $eap_context->{'policies'};
        $request->add_attr('MY-POLICY', $policies);
        &main::log($main::LOG_DEBUG, "auth.hook: Peer certificate policies: $policies");
    }
}
This works well to allow us to authenticate the first session of EAP-TLS:
Tue Feb 27 15:26:03 2018 897279: DEBUG: Handling request with Handler 'EAP-Message = /^.{4}\x0d/', Identifier 'TLSauth'
Tue Feb 27 15:26:03 2018 897443: DEBUG: Deleting session for host/FOO-0013.d.XXXX.XX, UNKNOWN, 37765
Tue Feb 27 15:26:03 2018 897579: DEBUG: Handling with Radius::AuthFILE: FILEauthTLS
Tue Feb 27 15:26:03 2018 897822: DEBUG: Handling with EAP: code 2, 79, 706, 13
Tue Feb 27 15:26:03 2018 897959: DEBUG: Response type 13
Tue Feb 27 15:26:03 2018 898479: DEBUG: Certificate Issuer Name is /CN=XXX XXXXXX D.XXXX.XX
Tue Feb 27 15:26:03 2018 898558: DEBUG: Certificate Subject Name is /CN=FOO-0013.d.XXXX.XX
Tue Feb 27 15:26:03 2018 898667: DEBUG: Matched certificate CN FOO-0013.d.XXXX.XX with User-Name host/FOO-0013.d.XXXX.XX or identity host/FOO-0013.d.XXXX.XX
Tue Feb 27 15:26:03 2018 898803: DEBUG: Reading users file /etc/radiator/users-tls
Tue Feb 27 15:26:03 2018 898967: DEBUG: Radius::AuthFILE looks for match with FOO-0013.d.XXXX.XX [host/FOO-0013.d.XXXX.XX]
Tue Feb 27 15:26:03 2018 899080: DEBUG: Radius::AuthFILE REJECT: No such user: FOO-0013.d.XXXX.XX [host/FOO-0013.d.XXXX.XX]
Tue Feb 27 15:26:03 2018 899226: DEBUG: Radius::AuthFILE looks for match with DEFAULT [host/FOO-0013.d.XXXX.XX]
Tue Feb 27 15:26:03 2018 899332: DEBUG: Radius::AuthFILE ACCEPT: : DEFAULT [host/FOO-0013.d.XXXX.XX]
Tue Feb 27 15:26:03 2018 899424: DEBUG: auth-certificate.hook: Peer certificate issuer: /CN=XXX XXXXXX D.XXXX.XX
Tue Feb 27 15:26:03 2018 899563: DEBUG: auth-certificate.hook: Peer certificate policies: 1.3.6.1.4.1.311.21.8.6992180.11062261.15289225.13702945.3968342.62.3648519909.238800916
Tue Feb 27 15:26:03 2018 901521: DEBUG: EAP TLS Session accepted: TLSv1.2 AES256-GCM-SHA384
Tue Feb 27 15:26:03 2018 901778: DEBUG: EAP result: 3, EAP TLS Challenge
Tue Feb 27 15:26:03 2018 901910: DEBUG: AuthBy FILE result: CHALLENGE, EAP TLS Challenge
Tue Feb 27 15:26:03 2018 902077: DEBUG: postauth.hook: authprotocol: EAP
Tue Feb 27 15:26:03 2018 902165: DEBUG: Access challenged for host/FOO-0013.d.XXXX.XX: EAP TLS Challenge
On resumption we see that resumption works:
Tue Feb 27 15:27:02 2018 992212: DEBUG: Handling request with Handler 'EAP-Message = /^.{4}\x0d/', Identifier 'TLSauth'
Tue Feb 27 15:27:02 2018 992432: DEBUG: Deleting session for host/FOO-0013.d.XXXX.XX, UNKNOWN, 37765
Tue Feb 27 15:27:02 2018 992713: DEBUG: Handling with Radius::AuthFILE: FILEauthTLS
Tue Feb 27 15:27:02 2018 993127: DEBUG: Handling with EAP: code 2, 78, 61, 13
Tue Feb 27 15:27:02 2018 993220: DEBUG: Response type 13
Tue Feb 27 15:27:02 2018 993548: DEBUG: EAP TLS Session accepted: TLSv1.2 AES256-GCM-SHA384
Tue Feb 27 15:27:02 2018 993743: DEBUG: EAP TLS session resumed
But the auth.hook cannot access issuer and policy in the EAPContext and later authorization fails because they are missing.
The question is how can we store the two strings extracted in EAPTLS_CertificateVerifyHook on first connect so they are
available for use on session resumption.
Sorry about all the obfuscation. This configuration is rather complex and it is also hard to simplify the case.
Greetings
Christian
--
Christian Kratzer CK Software GmbH
Email: ck at cksoft.de Wildberger Weg 24/2
Phone: +49 7032 893 997 - 0 D-71126 Gaeufelden
Fax: +49 7032 893 997 - 9 HRB 245288, Amtsgericht Stuttgart
Mobile: +49 171 1947 843 Geschaeftsfuehrer: Christian Kratzer
Web: http://www.cksoft.de/
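The two pieces the thread is about, as an added example that is neither Radiator's nor the poster's code: decoding the certificatePolicies extension into the dotted OIDs that X509V3_EXT_print shows in the log above, and keeping what was learned at the full handshake in a store keyed by TLS session id so a resumed handshake can reuse it. The store expires entries on its own TTL (meant to be no longer than the server's TLS session-cache lifetime), and a resumed session whose entry is gone gets None, meaning the peer has to be pushed to a full handshake rather than authorized on stale data. The names ResumptionAttrStore, handshake_attrs, the TTL and the sample issuer and session ids are assumptions made for this example; the policy OID is the one from the log line above and the DER bytes are built here from it.

```python
"""Constructed example (not Radiator code): certificatePolicies decoding plus a
session-id keyed store for attributes that must survive TLS session resumption."""


def _read_tlv(buf, pos):
    """Read one DER tag/length/value at buf[pos]; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    """Decode the content octets of an OBJECT IDENTIFIER into dotted form."""
    arcs, value, pending = [], 0, False
    for b in content:
        value = (value << 7) | (b & 0x7F)   # base 128, high bit set on all but the last octet
        pending = bool(b & 0x80)
        if not pending:
            arcs.append(value)
            value = 0
    if pending or not arcs:
        raise ValueError("truncated OID")
    first = arcs[0]                          # first two arcs are packed as 40*X + Y
    arcs[0:1] = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in arcs)


def encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER TLV (used only to build sample data)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray()
    for arc in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)   # short-form length is enough here


def decode_certificate_policies(ext_value):
    """Return the policy OIDs from a certificatePolicies extnValue
    (SEQUENCE OF PolicyInformation; policy qualifiers, if present, are skipped)."""
    tag, seq, _ = _read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, policy_info, pos = _read_tlv(seq, pos)
        if tag != 0x30:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        tag, oid_bytes, _ = _read_tlv(policy_info, 0)   # policyIdentifier comes first
        if tag != 0x06:
            raise ValueError("policyIdentifier must be an OBJECT IDENTIFIER")
        oids.append(decode_oid(oid_bytes))
    return oids


class ResumptionAttrStore:
    """Attributes learned at the full handshake, keyed by TLS session id. Entries expire
    after ttl_seconds so a resumed session never reuses data older than the session cache."""

    def __init__(self, ttl_seconds):
        self.ttl, self._entries = ttl_seconds, {}

    def store(self, session_id, attrs, now):
        self._entries[session_id] = (now + self.ttl, dict(attrs))

    def lookup(self, session_id, now):
        entry = self._entries.get(session_id)
        if entry is None:
            return None
        expires, attrs = entry
        if now >= expires:                   # stale: drop it and force a full handshake
            del self._entries[session_id]
            return None
        return dict(attrs)


def handshake_attrs(store, session_id, resumed, now, issuer=None, policies_ext=None):
    """Full handshake: derive the attributes from the verified certificate and cache them.
    Resumed handshake: take them from the cache; None means no usable entry exists."""
    if not resumed:
        attrs = {"MY-ISSUER": issuer,
                 "MY-POLICY": ",".join(decode_certificate_policies(policies_ext))}
        store.store(session_id, attrs, now)
        return attrs
    return store.lookup(session_id, now)


# Constructed sample data: the policy OID seen in the log, wrapped as DER
# SEQUENCE { SEQUENCE { OBJECT IDENTIFIER ... } } the way a certificatePolicies extnValue is.
SAMPLE_POLICY_OID = ("1.3.6.1.4.1.311.21.8.6992180.11062261.15289225.13702945"
                     ".3968342.62.3648519909.238800916")


def _seq(*items):
    body = b"".join(items)
    return bytes([0x30, len(body)]) + body


SAMPLE_POLICIES_EXT = _seq(_seq(encode_oid(SAMPLE_POLICY_OID)))

if __name__ == "__main__":
    store = ResumptionAttrStore(ttl_seconds=3600)
    full = handshake_attrs(store, b"\x01", False, 1000.0, "/CN=Example Issuer", SAMPLE_POLICIES_EXT)
    print("full handshake:", full)
    print("resumed  +59s :", handshake_attrs(store, b"\x01", True, 1059.0))
    print("resumed +3600s:", handshake_attrs(store, b"\x01", True, 4600.0))
```

The store deliberately keys on the TLS session id rather than on User-Name: that is the only identifier the resumed handshake and the original full handshake are guaranteed to share, and a User-Name keyed cache could hand one client's issuer and policy to another request carrying the same name. Whatever the session id lifetime of the real server is, the TTL should not exceed it.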