Hello,
ahem:
software.uninett.no uses an invalid security certificate. The
certificate expired on 25.09.2016 01:59. The current time is 19.10.2016
15:35. Error code: SEC_ERROR_EXPIRED_CERTIFICATE
Stefan
--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette
Tel: +352 424409 1
Fax: +352 422473
PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
Hello,
ahem:
software.uninett.no uses an invalid security certificate. The
certificate expired on 25.09.2016 01:59. The current time is 19.10.2016
15:35. Error code: SEC_ERROR_EXPIRED_CERTIFICATE
Stefan
--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette
Tel: +352 424409 1
Fax: +352 422473
PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
Symptom: radsecproxy is sometimes doing a dynamic discovery (and opens a new tls connection) even if there already is a working (dynamically discovered) connection for the given realm.
Cause: Due to a bug in 'hasdynamicserver()' all information about dynamically discovered realms is removed when any dynamic connection gets closed.
Please review the patch:
https://code.nordu.net/?p=user/mauchle/radsecproxy.git;a=commitdiff;h=d768c…
or pull here:
https://git.nordu.net/user/mauchle/radsecproxy.git dup-dyndisc
Best regards,
Fabian
--
SWITCH
Fabian Mauchle, Network Engineer
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 30, direct +41 44 268 15 39
fabian.mauchle(a)switch.ch, www.switch.ch
I was updating my set of Gentoo ebuilds for radsecproxy to 1.6.8, and
wanted to use one of my PowerPC G4 Mini Mac systems with radsecproxy,
but...
minismurf # /usr/sbin/radsecproxy -v
pthread_attr_setstacksize failed
This led me to radsecproxy.c:
3406 if (pthread_attr_setstacksize(&pthread_attr, PTHREAD_STACK_SIZE))
3407 debugx(1, DBG_ERR, "pthread_attr_setstacksize failed");
and found PTHREAD_STACK_SIZE defines in radsecproxy.h:
31 #define PTHREAD_STACK_SIZE 32768
With a bit of help, I found that my platform has
minismurf # find /usr/include -type f | xargs egrep PTHREAD_STACK_MIN
/usr/include/bits/local_lim.h:#define PTHREAD_STACK_MIN 131072
/usr/include/pthread.h: minimal size of the block must be PTHREAD_STACK_MIN. */
/usr/include/pthread.h: to be started. This size must never be less than PTHREAD_STACK_MIN
minismurf #
So, instead of simply defining PTHREAD_STACK_SIZE to a given size, the wanted
value should probably be compared to PTHREAD_STACK_MIN first, and whichever
value is largest is what PTHREAD_STACK_SIZE should be defined as.
I attached a patch to radsecproxy.h that does this, "works for me [tm]" :)
minismurf # /usr/sbin/radsecproxy -v
radsecproxy revision 1.6.8
This binary was built with support for the following transports:
UDP
TCP
TLS
DTLS
The patch seems to work fine from 1.6.3 (where this issue was introduced) up to 1.6.8,
it also applies to 1.7-dev in git repo, but I stumbled on other issues there, so I have
not tried building from git yet.
--
Kolbjørn Barmen
UNINETT, System og mellomvare
Hi,
Currently, radsecproxy supports mutual authentication by default i.e. both the Client and the Server certificate are validated at the time of TLS connection establishment. However, I want to only validate Server’s certificate. Is it possible to make changes to TLS Block (radsecproxy.conf) or to code to only do the validation of Server certificate's ? Any help will be greatly appreciated ! Thanks,
Regards,
