Hi Mike,

I've installed the latest patches, starting with the systems that act as a RADSEC-client. Problem solved.
Thanks a lot for this quick fix!

Kind regards,
Patrick Renkens
Centre for Information Services (UCI)
Radboud University Nijmegen, Netherlands

On 24-1-2011 22:36, Mike McCauley wrote:
> Hello Patrick,
>
> thanks for reporting this.
> This would occur if the remote host name was specified in the form
> ipv6:hostname and the certificate name was for 'hostname'.
>
> It should now be fixed in the latest patch set.
> We apologise for any inconvenience.
>
> Cheers.
>
> On Monday 24 January 2011 10:36:52 pm Patrick Renkens wrote:
>> Hi all,
>>
>> Radsec in combination with IPv6 keeps troubling me.
>> This weekend I upgraded Radiator from version 4.4 to 4.7 and since then
>> the Radsec-connections won't work over IPv6. I had to switch back to
>> IPv4 to get it running again.
>> Both systems, Radsec client and server, run Radiator 4.7 on
>> RHEL. RHEL 5.4 on the client side and RHEL 5.5 on the server side. I only
>> upgraded the client side. The server that acts as Radsec-server was
>> already running Radiator 4.7.
>>
>> Personally I think it is not OS related, I experienced the same problems
>> on Solaris 5.9 and 5.10 before.
>>
>> Below you find the error-message and the relevant configuration parts.
>>
>> Any help is appreciated.
>>
>> Sat Jan 22 16:35:41 2011: DEBUG: verifyFn start, hostname ipv6:'host'
>> Sat Jan 22 16:35:41 2011: DEBUG: verifyFn hostname after canonicalise
>> Sat Jan 22 16:35:41 2011: DEBUG: Verifying certificate with Subject
>> '/DC=net/DC=geant/O=SURFnet BV/CN=host' presented by peer ipv6:'host'
>> Sat Jan 22 16:35:41 2011: DEBUG: Checking subjectAltName type 2, value
>> 'host' against
>> Sat Jan 22 16:35:41 2011: DEBUG: Checking subjectAltName type 6, value
>> https://registry.edugain.org/resolver?urn=urn:geant:eduroam:component:idp:E
>> urope:SURFnet:'host' against
>> Sat Jan 22 16:35:41 2011: DEBUG: Checking subjectAltName type 6, value
>> https://registry.edugain.org/resolver?urn=urn:geant:eduroam:component:sp:Eu
>> rope:SURFnet:'host' against
>> Sat Jan 22 16:35:41 2011: DEBUG: Checking subjectAltName type 6, value
>> https://registry.edugain.org/resolver?urn=urn:geant:eduroam:component:sp:Eu
>> rope:SURFnet:SURFnet-office against
>> Sat Jan 22 16:35:41 2011: ERR: Verification of certificate presented by
>> ipv6:'host' failed
>> Sat Jan 22 16:35:41 2011: DEBUG: StreamTLS SSL_connect result: -1, 1, 4401
>> Sat Jan 22 16:35:41 2011: ERR: StreamTLS client error: -1, 1, 4401,
>> 9303: 1 - error:14090086:SSL
>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>>
>> Sat Jan 22 16:35:41 2011: DEBUG: Stream disconnected from ipv6:'host':2083
>>
>> #RADSEC client side:
>> <Handler Realm=/^'realm'$/i>
>>     # RewriteUsername s/^([^@]+).*/$1/
>>     <AuthBy RADSEC>
>>         Host ipv6:'hostname'
>>         Port 2083
>>         Secret <cut>
>>         UseTLS
>>         TLS_CertificateType PEM
>>         TLS_CAPath %D/certs/cacert
>>         TLS_CertificateFile %D/certs/%h.pem
>>         TLS_PrivateKeyFile %D/certs/%h.pem
>>     </AuthBy>
>> </Handler>
>>
>> #RADSEC serverside:
>> <ServerRADSEC>
>>     Port 2083
>>     UseTLS
>>     TLS_CAFile %D/cert/edugain/cacert/xxxxxx.pem
>>     TLS_CertificateFile %D/cert/edugain/yyyyyy.pem
>>     TLS_CertificateType PEM
>>     TLS_PrivateKeyFile %D/cert/edugain/yyyyyy.pem
>>     TLS_RequireClientCert
>>     TLS_SessionResumption 0
>>     Secret <cut>
>>     Identifier RADSEC
>> </ServerRADSEC>
>>
>> Kind regards,
>> Patrick Renkens
>> Centre for Information Services (UCI)
>> Radboud University Nijmegen, Netherlands
>>
>> _______________________________________________
>> radiator mailing list
>> radiator@open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
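
The name check discussed in this thread, as an added example that is not part of the original messages and is not Radiator's code: the configured `Host` value is reduced to a bare DNS name before it is compared with the certificate, and an empty result is rejected instead of being compared. The function names, the sample host names, the handling of an `ipv4:` prefix and the CN fallback policy are assumptions of this example.

```python
import re

# "ipv6:" is the prefix form shown in the Host line above; accepting "ipv4:"
# the same way is an assumption of this example.
_FAMILY_PREFIX = re.compile(r"^(?:ipv6|ipv4):", re.IGNORECASE)
SAN_DNS = 2  # subjectAltName type 2 (dNSName), as numbered in the debug log


def canonicalise(configured_host):
    """Return the bare DNS name to look for in the peer certificate."""
    name = _FAMILY_PREFIX.sub("", configured_host.strip(), count=1)
    name = name.rstrip(".").lower()
    if not name:
        # Fail closed: an empty expected name must never reach the comparison.
        raise ValueError("no hostname left after canonicalisation")
    return name


def same_name(cert_value, expected):
    """Case-insensitive comparison that ignores a trailing dot in the cert value."""
    return cert_value.rstrip(".").lower() == expected


def verify_peer_name(configured_host, subject_cn, san_entries):
    """san_entries is a list of (type, value) pairs from subjectAltName."""
    expected = canonicalise(configured_host)
    dns_names = [value for kind, value in san_entries if kind == SAN_DNS]
    if dns_names:
        # dNSName entries present: they decide, the CN is not consulted.
        return any(same_name(v, expected) for v in dns_names)
    return bool(subject_cn) and same_name(subject_cn, expected)


# Constructed sample data (not taken from the thread).
SAMPLE_CN = "radsec.example.org"
SAMPLE_SANS = [
    (SAN_DNS, "radsec.example.org"),
    (6, "https://registry.example.org/resolver?urn=urn:example:idp"),
]

if __name__ == "__main__":
    for host in ("ipv6:radsec.example.org", "radsec.example.org",
                 "ipv6:other.example.org"):
        print(host, "->", verify_peer_name(host, SAMPLE_CN, SAMPLE_SANS))
    # Comparing the configured string as written is what cannot match:
    print(same_name(SAMPLE_CN, "ipv6:radsec.example.org"))
```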