radsecproxy

radsecproxy@lists.nordu.net

72 discussions

web server cert
by Stefan Winter 19 Oct '16

19 Oct '16

Hello, ahem: software.uninett.no uses an invalid security certificate. The certificate expired on 25.09.2016 01:59. The current time is 19.10.2016 15:35. Error code: SEC_ERROR_EXPIRED_CERTIFICATE Stefan -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 2, avenue de l'Université L-4365 Esch-sur-Alzette Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

3 2

web server cert
by Stefan Winter 19 Oct '16

19 Oct '16

1 0

duplicate dynamic discovery
by Fabian Mauchle 19 Oct '16

19 Oct '16

Symptom: radsecproxy is sometimes doing a dynamic discovery (and opens a new tls connection) even if there already is a working (dynamically discovered) connection for the given realm. Cause: Due to a bug in 'hasdynamicserver()' all information about dynamically discovered realms is removed when any dynamic connection gets closed. Please review the patch: https://code.nordu.net/?p=user/mauchle/radsecproxy.git;a=commitdiff;h=d768c… or pull here: https://git.nordu.net/user/mauchle/radsecproxy.git dup-dyndisc Best regards, Fabian -- SWITCH Fabian Mauchle, Network Engineer Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland phone +41 44 268 15 30, direct +41 44 268 15 39 fabian.mauchle(a)switch.ch, www.switch.ch

1 0

Error building radsecproxy with clang
by Luke Benes 17 Oct '16

17 Oct '16

Building radsecproxy with clang results in: radsecproxy-hash.c:22:2: error: embedding a directive within macro arguments has undefined behavior Full log: http://clang.debian.net/logs/2016-08-30/radsecproxy_1.6.7-1_unstable_clang.…

2 1

PTHREAD_STACK_SIZE vs PTHREAD_STACK_MIN
by Kolbjørn Barmen 17 Oct '16

17 Oct '16

I was updating my set of Gentoo ebuilds for radsecproxy to 1.6.8, and wanted to use one of my PowerPC G4 Mini Mac systems with radsecproxy, but... minismurf # /usr/sbin/radsecproxy -v pthread_attr_setstacksize failed This led me to radsecproxy.c: 3406 if (pthread_attr_setstacksize(&pthread_attr, PTHREAD_STACK_SIZE)) 3407 debugx(1, DBG_ERR, "pthread_attr_setstacksize failed"); and found PTHREAD_STACK_SIZE defines in radsecproxy.h: 31 #define PTHREAD_STACK_SIZE 32768 With a bit of help, I found that my platform has minismurf # find /usr/include -type f | xargs egrep PTHREAD_STACK_MIN /usr/include/bits/local_lim.h:#define PTHREAD_STACK_MIN 131072 /usr/include/pthread.h: minimal size of the block must be PTHREAD_STACK_MIN. */ /usr/include/pthread.h: to be started. This size must never be less than PTHREAD_STACK_MIN minismurf # So, instead of simply defining PTHREAD_STACK_SIZE to a given size, the wanted value should probably be compared to PTHREAD_STACK_MIN first, and whichever value is largest is what PTHREAD_STACK_SIZE should be defined as. I attached a patch to radsecproxy.h that does this, "works for me [tm]" :) minismurf # /usr/sbin/radsecproxy -v radsecproxy revision 1.6.8 This binary was built with support for the following transports: UDP TCP TLS DTLS The patch seems to work fine from 1.6.3 (where this issue was introduced) up to 1.6.8, it also applies to 1.7-dev in git repo, but I stumbled on other issues there, so I have not tried building from git yet. -- Kolbjørn Barmen UNINETT, System og mellomvare

2 1

Mutual Authentication (TLS)
by Mofassir Ul Haque 07 Oct '16

07 Oct '16

Hi, Currently, radsecproxy supports mutual authentication by default i.e. both the Client and the Server certificate are validated at the time of TLS connection establishment. However, I want to only validate Server’s certificate. Is it possible to make changes to TLS Block (radsecproxy.conf) or to code to only do the validation of Server certificate's ? Any help will be greatly appreciated ! Thanks, Regards,

2 4

OpenSSL 1.1
by Linus Nordberg 23 Sep '16

23 Sep '16

Hi, Thanks to Faidon, we've got an issue [1] tracking the work of getting radsecproxy to work with OpenSSL 1.1. [1] https://project.nordu.net/browse/RADSECPROXY-66 The questions now are 1) does the proposed patch work for you and 2) how little backwards compatibility can we get away with? If you're a radsecproxy user, what version(s) of OpenSSL do you really need support for? If you know how to build radsecproxy from source, please test the 'openssl11' branch [2] with OpenSSL 1.1.0 and let us know if it works for you. [2] git clone -b openssl11 https://git.nordu.net/radsecproxy.git Thanks, Linus

4 12

radsecproxy-1.6.8 released
by Linus Nordberg 21 Sep '16

21 Sep '16

Hi, radsecproxy-1.6.8 is now a thing. From the ChangeLog file: --8<---------------cut here---------------start------------->8--- 2016-09-21 1.6.8 Bug fixes: - Stop waiting on writable when reading a TCP socket. - Stomp less on the memory of other threads (RADSECPROXY-64). --8<---------------cut here---------------end--------------->8--- You can pick it up at https://software.nordu.net/radsecproxy/download/ as usual.

1 0

Race condition in TCP/TLS accept
by Fabian Mauchle 19 Sep '16

19 Sep '16

Hi All, There is a race condition in both the tcp and tls code (in functions tcplistener and tlslistener) when accepting new connections. If new connections arrive in very short succession, and the second (or any further) accept() call returns before the previously created thread has actually started off, these threads operate on the wrong socket. (the pointer handed to the thread points to the local variable s in [tcp|tls]listener() which gets its new value before the thread could copy its value) Proposed change: copy the variable to the heap and use this as argument to the new thread; also new thread is responsible for the memory if spawn is successful. Additional side-fix: tcpreadtimeout() does a select() on a write-fd with the intention to wait for readable bytes. This was fixed in 1.6.3 for tls code, but not tcp. Patch is attached. Best regards, Fabian -- SWITCH Fabian Mauchle, Network Engineer Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland phone +41 44 268 15 30, direct +41 44 268 15 39 fabian.mauchle(a)switch.ch, www.switch.ch

2 3

Unable to compile on RedHat from git
by Fabian Mauchle 19 Sep '16

19 Sep '16

Hi All, The git repository (tag radsecproxy-1.6.7) does not compile on RedHat, due to docbook2x_man tool detection fails. The tool is called during compile, regardless of whether it was not found or provided manually to configure. Also, docbook2man on RedHat is not happy with the radsecproxy.conf.5.xml (see patch). docbook2man version info: usr/bin/db2x_docbook2man (part of docbook2X 0.8.8) $Revision: 1.12 $ $Date: 2006/04/14 17:29:04 $ Patch is attached. Please verify if this works on other platforms. Best regards, Fabian -- SWITCH Fabian Mauchle, Network Engineer Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland phone +41 44 268 15 30, direct +41 44 268 15 39 fabian.mauchle(a)switch.ch, www.switch.ch

2 4

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

radsecproxy