[RADIATOR] TLS Session Resumption Issue

Heikki Vatiainen hvn at open.com.au
Wed Feb 28 19:56:19 UTC 2018

On 27.02.2018 18:05, Christian Kratzer wrote:

> we need to store something between individual sessions with tls session 
> resumption.

See goodies/eaptls_resume_post_auth_hook.pl for an example of how it 
should be done with current versions. The data to store over resumed 
authentications is now kept separate from the EAPContext that can be 
accessed from $p.

In other words, an EAPContext is only alive during one EAP 
authentication exchange. When a new session is created, a separate store 
is created and associated with an EAP context. When the this 
authentication is finished, EAP context is discarded but the separate 
store remains. When the session is resumed, the separate store is 
retrieved and associated with an EAP context created anew for this 

The hook shows how to use an API to store and retrieve information from 
the session's separate store. You can use it to store values with a key 
and then later retrieve them with the same key.

> But the auth.hook cannot access issuer and policy in the EAPContext and 
> later authorization fails because they are missing.

Correct. This EAP context is not the same than the context in the first 
authentication. The separate store means a bit more work, but a good 
thing is that there's now an API for this.

> The question is how can we store the two strings extracted in 
> EAPTLS_CertificateVerifyHook on first connect so they are available for 
> use on session resumption.

The hook in question should show answer this. Please let us know how it 


Heikki Vatiainen
hvn at open.com.au

More information about the radiator mailing list