

Merge pull request #59 from lferrarotti74/master
SSL check using a CA path parameter
plettich authored Oct 25, 2022
2 parents 74ddd8e + a02f46b commit 06e8bc6
Showing 2 changed files with 25 additions and 2 deletions.
26 changes: 24 additions & 2 deletions privacyidea_radius.pm
Expand Up @@ -163,6 +163,7 @@ use Time::HiRes qw( gettimeofday tv_interval );
use URI::Encode;
use Encode::Guess;


# use ...
# This is very important ! Without this script will not get the filled hashes from main.
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK %RAD_CONFIG %RAD_PERLCONF);
Expand Down Expand Up @@ -255,6 +256,7 @@ foreach my $file (@CONFIG_FILES) {
$Config->{SPLIT_NULL_BYTE} = $cfg_file->val("Default", "SPLIT_NULL_BYTE");
$Config->{ADD_EMPTY_PASS} = $cfg_file->val("Default", "ADD_EMPTY_PASS");
$Config->{SSL_CHECK} = $cfg_file->val("Default", "SSL_CHECK");
$Config->{SSL_CA_PATH} = $cfg_file->val("Default", "SSL_CA_PATH");
$Config->{TIMEOUT} = $cfg_file->val("Default", "TIMEOUT", 10);
$Config->{CLIENTATTRIBUTE} = $cfg_file->val("Default", "CLIENTATTRIBUTE");
}
Expand Down Expand Up @@ -362,6 +364,7 @@ sub authenticate {
my $URL = $Config->{URL};
my $REALM = $Config->{REALM};
my $RESCONF = $Config->{RESCONF};
my $SSL_CA_PATH = $Config->{SSL_CA_PATH};

my $debug = false;
if ( $Config->{Debug} =~ /true/i ) {
Expand All @@ -374,6 +377,8 @@ sub authenticate {
$check_ssl = true;
}

&radiusd::radlog( Info, "Verifying SSL certificate: ". $Config->{SSL_CHECK} );

my $timeout = $Config->{TIMEOUT};

&radiusd::radlog( Info, "Default URL $URL " );
Expand Down Expand Up @@ -477,21 +482,38 @@ sub authenticate {
&radiusd::radlog( Info, "urlparam $_ \n" ) for ( keys %params );
}

my $ua = LWP::UserAgent->new();
my $ua = LWP::UserAgent->new();
$ua->env_proxy;
$ua->timeout($timeout);
&radiusd::radlog( Info, "Request timeout: $timeout " );
# Set the user-agent to be fetched in privacyIDEA Client Application Type
$ua->agent("FreeRADIUS");
if ($check_ssl == false) {
try {
# This is only availble with with LWP version 6
# This is only availble with LWP version 6
&radiusd::radlog( Info, "Not verifying SSL certificate!" );
$ua->ssl_opts( verify_hostname => 0, SSL_verify_mode => 0x00 );
} catch {
&radiusd::radlog( Error, "ssl_opts only supported with LWP 6. error: $@" );
}
}
if ($check_ssl == true) {
try {
&radiusd::radlog( Info, "Verifying SSL certificate!" );
if (exists ( $Config->{SSL_CA_PATH} ) ) {
if ( length $SSL_CA_PATH ) {
&radiusd::radlog( Info, "SSL_CA_PATH: $SSL_CA_PATH" );
$ua->ssl_opts( SSL_ca_path => $SSL_CA_PATH, verify_hostname => 1 );
} elsif ( ! length $SSL_CA_PATH ) {
&radiusd::radlog( Info, "Verifying SSL certificate against system wide CAs!" );
$ua->ssl_opts( verify_hostname => 1 );
}
}
} catch {
&radiusd::radlog( Error, "Something went wrong or something is missing!!!" );
}
}

my $starttime = [gettimeofday];
my $response = $ua->post( $URL, \%params );
my $content = $response->decoded_content();
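Review bot: The catch block that closes the new `if ($check_ssl == true)` branch logs a fixed message and discards the exception, and because it does not return, the request on `my $response = $ua->post( $URL, \%params );` is still sent even though the verification options may never have been applied to `$ua`. Log the error text and stop the attempt instead, e.g. `&radiusd::radlog( Error, "Failed to configure SSL verification: $_" ); return RLM_MODULE_FAIL;` — whether the message lives in `$_` or `$@` depends on which try/catch implementation the file imports (the existing `$check_ssl == false` branch reads `$@`), so check that before copying. The guard `exists ( $Config->{SSL_CA_PATH} )` is always true, since the config-loader hunk now assigns that key unconditionally, so the inner `elsif ( ! length $SSL_CA_PATH )` arm is simply `else`. Because IO::Socket::SSL's `SSL_ca_path` names a directory of hashed CA certificates (a single PEM file belongs in `SSL_ca_file`), the `#SSL_CA_PATH =` example in rlm_perl.ini should say so, e.g. `# directory of c_rehash'ed CA certificates; leave unset to use the system CA store`. The body of authenticate continues outside the hunk.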
1 change: 1 addition & 0 deletions rlm_perl.ini
Expand Up @@ -3,6 +3,7 @@ URL = https://localhost/validate/check
#REALM = someRealm
#RESCONF = someResolver
SSL_CHECK = false
#SSL_CA_PATH =
#DEBUG = true

#[Mapping]
