Document TLS-Session-Cert-File

FreeRADIUS · Mar 26, 2016 · 87c1b38 · 87c1b38
1 parent 4016825
commit 87c1b38
Show file tree

Hide file tree

Showing 3 changed files with 39 additions and 19 deletions.
diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
@@ -175,6 +175,28 @@ eap {
 		#
 		certificate_file = ${certdir}/server.pem
 
+		#
+		#  Server certificate may also be specified at runtime on a per
+		#  session basis.  Here, the certificate file must consist
+		#  of the certificate and private key, PEM encoded, with no
+		#  password or the password set above.
+		#
+		#  The file should be provided as the attribute:
+		#
+		#      &control:TLS-Session-Cert-File
+		#
+		#  If there are any errors, authentication will not continue.
+		#
+		#  This can be used to periodically verify correct supplicant
+		#  behaviour, by presenting an untrusted or invalid server
+		#  certificate and verifying that the supplicant returns the
+		#  correct TLS alert (available in Module-Failure-Message).
+		#
+		#  Note that after receiving a fatal alert, TLS negotiation
+		#  cannot continue, but as most supplicants retry
+		#  enthusiastically this probably won't be an issue.
+		#
+
 		#
 		#  Trusted Root CA list
 		#

diff --git a/src/main/tls/conf.c b/src/main/tls/conf.c
@@ -314,22 +314,6 @@ fr_tls_conf_t *tls_conf_parse_server(CONF_SECTION *cs)
 	 */
 	if (conf->fragment_size < 100) conf->fragment_size = 100;
 
-	/*
-	 *	Only enforce this if there's no mechanism for
-	 *	certificates to be loaded at runtime.
-	 */
-#ifndef WITH_TLS_SESSION_CERTS
-	if (!conf->private_key_file) {
-		ERROR("TLS Server requires a private key file");
-		goto error;
-	}
-
-	if (!conf->certificate_file) {
-		ERROR("TLS Server requires a certificate file");
-		goto error;
-	}
-#endif
-
 	/*
 	 *	Setup session caching
 	 */

diff --git a/src/main/tls/session.c b/src/main/tls/session.c
@@ -1273,11 +1273,10 @@ tls_session_t *tls_session_init_server(TALLOC_CTX *ctx, fr_tls_conf_t *conf, REQ
 	SSL_set_msg_callback_arg(new_tls, session);
 	SSL_set_info_callback(new_tls, tls_session_info_cb);
 
-#ifdef WITH_TLS_SESSION_CERTS
 	/*
 	 *	Add the session certificate to the session.
 	 */
-	vp = fr_pair_find_by_num(request->state, 0, PW_TLS_SESSION_CERT_FILE, TAG_ANY);
+	vp = fr_pair_find_by_num(request->control, 0, PW_TLS_SESSION_CERT_FILE, TAG_ANY);
 	if (vp) {
 		RDEBUG2("Loading TLS session certificate \"%s\"", vp->vp_strvalue);
 
@@ -1301,8 +1300,23 @@ tls_session_t *tls_session_init_server(TALLOC_CTX *ctx, fr_tls_conf_t *conf, REQ
 			talloc_free(session);
 			return NULL;
 		}
+	/*
+	 *	Better to perform explicit checks, that rely
+	 *	on OpenSSL's opaque error messages.
+	 */
+	} else {
+		if (!conf->private_key_file) {
+			ERROR("TLS Server requires a private key file");
+			talloc_free(session);
+			return NULL;
+		}
+
+		if (!conf->certificate_file) {
+			ERROR("TLS Server requires a certificate file");
+			talloc_free(session);
+			return NULL;
+		}
 	}
-#endif
 
 	/*
 	 *	In Server mode we only accept.