
[defect]: Certificate order in 3.2 for outbound radsec

Open alandekok opened this issue 3 years ago • 0 comments

What type of defect/bug is this?

Unexpected behaviour (obvious or verified by project member)

How can the issue be reproduced?

https://lists.freeradius.org/pipermail/freeradius-users/2022-June/101972.html

The "server" certificate attributes get populated with the issuer certificate details; and then the "client" certificate ones get the server cert.

The root cause is that the code in cbtls_verify() gets different things from OpenSSL for inbound and outbound connections:

	[0] = client cert
	[1] = server
	[2] = issuer...

outgoing
	no client cert, you already have that!
	[0] = server
	[1] = issuer

We need to have a configuration option for 3.2 which says "use the correct offset for outbound connections", and then when that's set, don't create the client cert attributes for outbound connections, and only create the server cert attributes.

We might just use something like SSL_get_ex_data(ssl, FR_TLS_EX_INDEX_OUTBOUND); which would be set in proxy_new_listener() or tls_new_client_session(), based on a configuration option.

And then checked in cbtls_verify(). If the flag exists, then (a) ignore client certs, and (b) the server cert is at offset 0, not 1, i.e. if index outbound, then lookup=1.

Log output from the FreeRADIUS daemon

See the link to the mailing list.

Relevant log output from client utilities

No response

Backtrace from LLDB or GDB

No response

alandekok Aug 25 '22 21:08
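The offset mismatch described in the issue, as an added stand-alone simulation (this is not FreeRADIUS code and not the reporter's code). It models a verify callback that maps OpenSSL chain depth onto the two FreeRADIUS attribute sets (TLS-Client-Cert-* and TLS-Cert-*) and walks the inbound and outbound chains laid out in the issue, once with the current depth-capped lookup and once with the proposed "outbound flag means everything is the server set" rule. It assumes, as OpenSSL does for X509 verify callbacks, that the callback is invoked from the top of the chain down to depth 0, with each call overwriting the slot it picks; the slot and function names are hypothetical.

```c
/*
 * Added example (not FreeRADIUS code): simulate how a verify callback that
 * maps chain depth onto the two FreeRADIUS attribute sets behaves for
 * inbound vs outbound connections, using the chain layouts from the issue.
 * Assumption: the callback runs deepest-first, leaf (depth 0) last, and a
 * later call overwrites whatever an earlier call stored in the same slot.
 */
#include <stdio.h>
#include <string.h>

#define SLOT_CLIENT 0          /* TLS-Client-Cert-* attributes */
#define SLOT_SERVER 1          /* TLS-Cert-* attributes */

/* What each attribute set ends up describing after the chain walk. */
struct slots {
    const char *client;
    const char *server;
};

/* Current mapping as the issue describes it: lookup = depth, capped at 1,
 * with no knowledge of connection direction. */
static int lookup_legacy(int depth, int outbound)
{
    (void)outbound;
    return depth > 1 ? SLOT_SERVER : depth;
}

/* Proposed mapping: when the session is flagged outbound (the issue suggests
 * an SSL ex_data index for that flag), ignore the client set and treat
 * depth 0 as the server cert, so every depth lands in the server set. */
static int lookup_proposed(int depth, int outbound)
{
    if (outbound) return SLOT_SERVER;
    return lookup_legacy(depth, 0);
}

/* Constructed chains, indexed by depth exactly as the issue lists them. */
static const char *const inbound_chain[]  = { "client cert", "server", "issuer" };
static const char *const outbound_chain[] = { "server", "issuer" };

/* Walk a chain deepest-first, as the verify callback would see it. */
static void walk_chain(const char *const *chain, int n, int outbound,
                       int (*lookup)(int, int), struct slots *out)
{
    out->client = out->server = NULL;
    for (int depth = n - 1; depth >= 0; depth--) {
        if (lookup(depth, outbound) == SLOT_CLIENT)
            out->client = chain[depth];
        else
            out->server = chain[depth];
    }
}

/* Run one direction under one mapping. */
struct slots simulate(int outbound, int use_proposed)
{
    struct slots s;
    int (*lookup)(int, int) = use_proposed ? lookup_proposed : lookup_legacy;
    if (outbound)
        walk_chain(outbound_chain, 2, 1, lookup, &s);
    else
        walk_chain(inbound_chain, 3, 0, lookup, &s);
    return s;
}

/* Accessors: which cert a slot describes, or "(none)" if it was never set. */
const char *client_slot(int outbound, int use_proposed)
{
    const char *c = simulate(outbound, use_proposed).client;
    return c ? c : "(none)";
}

const char *server_slot(int outbound, int use_proposed)
{
    const char *c = simulate(outbound, use_proposed).server;
    return c ? c : "(none)";
}

int main(void)
{
    const char *dir[] = { "inbound", "outbound" };
    const char *map[] = { "legacy", "proposed" };
    for (int o = 0; o < 2; o++)
        for (int p = 0; p < 2; p++)
            printf("%-8s %-8s  client=%-12s server=%s\n", dir[o], map[p],
                   client_slot(o, p), server_slot(o, p));
    return 0;
}
```

Under the legacy mapping the outbound walk stores the issuer in the server slot first, then the server cert at depth 0 overwrites the client slot, which reproduces the symptom in the report (server attributes describe the issuer, client attributes describe the server). With the outbound flag honoured, the server cert at depth 0 overwrites the issuer in the server slot and no client attributes are produced.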