I'm new to RADIUS, servers, and the like. There doesn't seem to be that much documentation on FreeRadius, and I need to get FreeRadius server (3.0.8) running RADSEC for test purposes.
I moved etc/raddb/sites-available/tls to etc/raddb/sites-enabled/ in order to enable "RADSEC".
Questions:
I understand that I need to have a server certificate as well as a public key. I am wondering on if I could get a fake certificate/key just for testing.
Also I'm not sure how I can test the actual server, there's the radtest command (I've been trying to run radtest -P tcp -x testing password 127.0.0.1:2083 10 testing123 but it's returns:
... new connection request on TCP socket
Listening on auth+acct from client (127.0.0.1, 40542) -> (*, 2083, virtual-server=default)
Waking up in 0.4 seconds.
(0) Initiating new EAP-TLS session
(0) Setting verify mode to require certificate from client
(0) Non-TLS data sent to TLS socket: closing
Closing TLS socket from client port 40542
Client has closed connection
... shutting down socket auth+acct from client (127.0.0.1, 40542) -> (*, 2083, virtual-server=default)
Waking up in 2.9 seconds.
... cleaning up socket auth+acct from client (127.0.0.1, 40542) -> (*, 2083, virtual-server=default)
Ready to process requests
Do I need to set up another server as a client so that they can perform the TLS negotiation? And once I do that, how do I get that server to communicate with this RADSEC server?
radtest is attempting a non TLS connect to the server. And thats the reason you are seeing that the server disconnects the connection immediately.
You can explore radsecproxy. It supports TLS (RadSec), as well as RADIUS over TCP. So it can happen as intermediary for the non TLS client and TLS server.
Related
I use k3s + containerd to deploy my service. there are multi services running on a fat container which share the same network with host by set hostnetwork=true in the deployment definition. services on this container communicate with each other using HTTP. I found sometimes HTTP communication will be interrupt by strange RST right after connection established.
I want to know in which case will causing the first RST which interrupt the normal TCP connection ?
following are some tcp traffic captured
TCP handshake success, then server received the HTTP request and try to send response to client after process, but a RST right after handshake cause client socket to be closed.
wireshark packet captured
TCP handshake success, and server have not received the HTTP request, there also a RST cause client closed after handshake. after 15mins, server try to close this connection because timeout
wireshark packet captured
TCP handshake success, and server have't received the HTTP request. there also a RST cause client closed after handshake. after about 100s, client with the same port which reset by RST try to connect server, server respond a ACK to previous connection which causing a client RST.
wireshark packet captured
environments:
HOST OS: CENTOS7
CONTAINER OS: CENTOS7
server program: Python 2.7.5, eventlet 0.22.0
HTTP library: Python2.7 pycurl (libcurl 7.29.0) Error: Connection reset by peer
K3S (v1.23.3) + Containerd (1.5.9)
Kernel Version: 4.18.0
I am a newbie to the implementation of TLS over TCP.
I am using winsock to send TCP packets to remote syslog server just like the example given here:
https://learn.microsoft.com/en-us/windows/win32/winsock/complete-client-code
Now I want to use TLS over TCP. I have configured rsyslog on my centOs machine(syslog server) according to these steps: https://www.golinuxcloud.com/secure-remote-logging-rsyslog-tls-certificate/
But above link states info about sending logs from one syslog server to another syslog server. I need to send logs from my application [cpp socket programming] to remote syslog server.
Can someone please help me, how should I achieve this? Do I need to store any certificate where my application is running or how should I make TLS over TCP from my application to remote syslog server.
I am using Stunnel to connect to a server with TLS encryption. I start Stunnel, then I use any client to connect to Stunnel (e.g. telnet) and everything works fine.
If I close the client the connection with the server remains active, the connection with the client goes to state TIME_WAIT.
But here is the problem, if I try to open the client again, the connection to Stunnel is lost instantaneously.
What can be the problem?
It was a problem with the server not accepting TSL handsake renegotiation, a feature that comes by default with Stunnel and cannot be changed via configuration.
So I had to modify the source code of stunnel to force it to make the handshake each time the connection is established.
I'm trying to implement an HTTP proxy for learning and debug purpose.
The support of plain HTTP transactions was pretty straightforward to implement and now I'm looking to implement support for SSL/TLS tunnels.
From RFC 7230:
A "tunnel" acts as a blind relay between two connections without
changing the messages. Once active, a tunnel is not considered a party
to the HTTP communication, though the tunnel might have been initiated
by an HTTP request.
It's not very clear whether I shall build the TLS socket from the socket on which the HTTP CONNECT transaction took place. I assume it is the case, since HTTP is stateless, but I just want to be sure.
When a client connects to an HTTP proxy, CONNECT is used to have the proxy establish a persistent TCP connection with the target TCP server. Then the proxy blindly passes data as-is back and forth between the two TCP connections until either the client or server disconnects, then the proxy disconnects the other party. This allows the client to send data to the server and vice versa, such as TLS packets. This is important so the TLS server can verify the client's identity during the TLS handshake.
So, to answer your question - yes, the client must establish a TLS session with the target server using the same TCP socket that it used to issue the CONNECT request on. Once the CONNECT request has succeeded, the client can treat the existing TCP connection as if it had connected to the server directly. The proxy is transparent at that point, neither party needs to care that it is present.
I have chosen QuteCom SIP client for windows to chat.I have installed and configured the account with my public server. My SIP server is kamailio.The connection to the server is not established. The application is connecting to the server for a long time.
Any help is appreciated.
If looks like keep connecting, then I guess the SIP messages don't get to the server.
You can install Wireshark to monitor traffic on windows host on port 5060 (the SIP port) in order to see if SIP messages are sent to the server.
On server, you can install ngrep for the purpose of seeing if traffic from the phone comes there. The command would be like:
ngrep -d any -qt -W byline port 5060
If you don't see traffic coming to the SIP server, then might be a firewall or an ALG between the client and the server, or, a firewall even on client host or server itself.
If it is something in between (not on client host or server), then you should try to use TCP or better TLS.
Note that if you have the firewall on the server, you will see the SIP packets coming on the network, but they will be dropped by the kernel before getting to application layer. Typically on Linux you can see the firewall rules with:
iptables -L
If the SIP packets come to the server, then set debug=3 in kamailio.cfg, restart kamailio and watch the syslog file (e.g., /var/log/syslog or /var/log/messgaes) for kamailio-specific debug messages -- you should get hints of what happens during processing.