[RADIATOR] TLS Session Resumption Issue

Christian Kratzer ck at cksoft.de
Thu Mar 8 09:43:56 UTC 2018

Hi Heikki,

thanks. the eaptl_resume_post_auth_hook.pl works perfectly in our setup.

We fetch certificate issuer and policy in the EAPTLS_CertificateVerifyHook and use the eaptl_resume_post_auth_hook.pl with very minor adjustments for our use case.


Christian Kratzer                   CK Software GmbH
Email:   ck at cksoft.de               Wildberger Weg 24/2
Phone:   +49 7032 893 997 - 0       D-71126 Gaeufelden
Fax:     +49 7032 893 997 - 9       HRB 245288, Amtsgericht Stuttgart
Mobile:  +49 171 1947 843           Geschaeftsfuehrer: Christian Kratzer
Web:     http://www.cksoft.de/

> On 28. Feb 2018, at 20:56, Heikki Vatiainen <hvn at open.com.au> wrote:
> On 27.02.2018 18:05, Christian Kratzer wrote:
>> we need to store something between individual sessions with tls session resumption.
> See goodies/eaptls_resume_post_auth_hook.pl for an example of how it should be done with current versions. The data to store over resumed authentications is now kept separate from the EAPContext that can be accessed from $p.
> In other words, an EAPContext is only alive during one EAP authentication exchange. When a new session is created, a separate store is created and associated with an EAP context. When the this authentication is finished, EAP context is discarded but the separate store remains. When the session is resumed, the separate store is retrieved and associated with an EAP context created anew for this authentication.
> The hook shows how to use an API to store and retrieve information from the session's separate store. You can use it to store values with a key and then later retrieve them with the same key.
>> But the auth.hook cannot access issuer and policy in the EAPContext and later authorization fails because they are missing.
> Correct. This EAP context is not the same than the context in the first authentication. The separate store means a bit more work, but a good thing is that there's now an API for this.
>> The question is how can we store the two strings extracted in EAPTLS_CertificateVerifyHook on first connect so they are available for use on session resumption.
> The hook in question should show answer this. Please let us know how it goes.
> Thanks,
> Heikki
> -- 
> Heikki Vatiainen
> hvn at open.com.au
> _______________________________________________
> radiator mailing list
> radiator at lists.open.com.au
> http://lists.open.com.au/mailman/listinfo/radiator

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.open.com.au/pipermail/radiator/attachments/20180308/21adf4bc/attachment.html>

More information about the radiator mailing list