[RADIATOR] Logging verify error from EAPTLS_CertificateVerifyFailedHook in AuthLog

Christian Kratzer ck at cksoft.de
Thu Mar 8 15:18:20 UTC 2018


Hi Tuure,

<snipp/>
> my bad, my_tls_verify_error variable is available during the round when EAPTLS_CertificateVerifyFailedHook is run, but
> as EAP-TLS continues with Radiator sending back TLS alert to the client which will acknowledge it on a next round before
> Radiator will call AuthLog and return Access-Reject, the variable won't be available anymore to be used by AuthLog.
>
> A correct way would be to use EAPContext which is available during EAP authentication,
> but currently there's no special variable for accessing it in e.g. AuthLog's SuccessFormat or FailureFormat.
> However, LogFormatHook can access it through $p so using the hook for forming a log entry can be used as a workaround.
>
> I'll create a feature request for special variables for accessing EAP context and resume context.

thanks.

That works perfectly.

We use the following EAPTLS_CertificateVerifyFailedHook to guard against any failure in CRL generation or expiry causing authentication to fail:

	sub {
	    my $verify_error = $_[0];
	    my $p = $_[5];

	    # log the OpenSSL verify error in readable form
	    my $verify_error_text = Radius::TLS::verify_error_string($verify_error);
	    &main::log($main::LOG_DEBUG, "EAPTLS_CertificateVerifyFailedHook: verify_error: $verify_error_text");

	    # verification errors that only mean the CRL could not be obtained
	    # or checked, not that the certificate itself is bad:
	    #  3   => 'unable to get certificate CRL',
	    #  5   => 'unable to decrypt CRL\'s signature',
	    #  8   => 'CRL signature failure',
	    #  11  => 'CRL is not yet valid',
	    #  12  => 'CRL has expired',
	    #  15  => 'format error in CRL\'s lastUpdate field',
	    #  16  => 'format error in CRL\'s nextUpdate field',
	    #  36  => 'unhandled critical CRL extension',
	    #  44  => 'different CRL scope',
	    #  54  => 'CRL path validation error',
	    my @crl_check_ignore = ( 3, 5, 8, 11, 12, 15, 16, 36, 44, 54 );

	    # check if the error is in the list (grep instead of the smart match
	    # operator ~~, which newer Perls flag as experimental)
	    my $accept = grep { $_ == $verify_error } @crl_check_ignore;
	    $verify_error_text .= ". Continuing without CRL check." if $accept;

	    # save the verify error in the EAP context for auth logging; unlike a
	    # request variable it is still there when AuthLog runs on a later round
	    $p->{EAPContext}->{my_tls_verify_error} = $verify_error_text;

	    # return success on a CRL-related error, otherwise pass through the original error
	    return $accept ? 0 : $verify_error;
	}

We then use the following in the AuthLog LogFormatHook to log the reason:

 	$p->{EAPContext}->{my_tls_verify_error}

The above also allows us to have a CRL for some CAs and no CRL for others.

Very nice, and thank you very much.

Greetings
Christian

-- 
Christian Kratzer                   CK Software GmbH
Email:   ck at cksoft.de               Wildberger Weg 24/2
Phone:   +49 7032 893 997 - 0       D-71126 Gaeufelden
Fax:     +49 7032 893 997 - 9       HRB 245288, Amtsgericht Stuttgart
Mobile:  +49 171 1947 843           Geschaeftsfuehrer: Christian Kratzer
Web:     http://www.cksoft.de/
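To exercise the hook's decision logic without a running Radiator, here is an added example that is not part of the post above or of Radiator itself: it assumes the hook argument positions used in the post, replaces Radius::TLS::verify_error_string with a constructed table of OpenSSL verify error codes, and shows that a CRL-availability error is downgraded while a revoked certificate (code 23) still fails.

```perl
#!/usr/bin/perl
# Added example (not from the original post): run the hook logic against a
# constructed stand-in for the Radiator request object $p.
use strict;
use warnings;

# Constructed subset of OpenSSL X509_V_ERR strings, standing in for
# Radius::TLS::verify_error_string.
my %verify_error_string = (
    3  => 'unable to get certificate CRL',
    12 => 'CRL has expired',
    23 => 'certificate revoked',
);

# CRL-availability errors that may be downgraded to a soft failure.
# 23 (certificate revoked) is deliberately absent: a revoked certificate
# must still be rejected even when the CRL itself is stale.
my @crl_check_ignore = ( 3, 5, 8, 11, 12, 15, 16, 36, 44, 54 );

# Same decision logic as the hook in the post, with grep instead of ~~.
my $hook = sub {
    my $verify_error = $_[0];
    my $p            = $_[5];
    my $text = $verify_error_string{$verify_error} // "verify error $verify_error";

    my $accept = grep { $_ == $verify_error } @crl_check_ignore;
    $text .= ". Continuing without CRL check." if $accept;

    # survives until AuthLog runs on a later EAP round
    $p->{EAPContext}->{my_tls_verify_error} = $text;
    return $accept ? 0 : $verify_error;
};

# Run the hook for an expired CRL and for a revoked certificate, each with a
# fresh request stand-in, and show what the LogFormatHook would later see.
for my $code ( 12, 23 ) {
    my $p = { EAPContext => {} };
    my $result = $hook->( $code, undef, undef, undef, undef, $p );
    printf "code %2d -> hook returns %2d, AuthLog sees: %s\n",
        $code, $result, $p->{EAPContext}->{my_tls_verify_error};
}
```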

