From: Alan T. DeKok
Date: Tue, 11 Apr 2023 16:53:35 +0000 (-0400)
Subject: Error out on ALPN negotiation failures with home server.
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a84cea5d79b9d92779861b40e012729fc67016ce;p=thirdparty%2Ffreeradius-server.git
Error out on ALPN negotiation failures with home server.
We have 'radiusv11 = require', but the home server did not send ALPN, so we close the connection.
---
diff --git a/src/main/tls_listen.c b/src/main/tls_listen.c
index e2f3b79d7d..255b807354 100644
--- a/src/main/tls_listen.c
+++ b/src/main/tls_listen.c
@@ -1362,6 +1362,17 @@ int proxy_tls_send(rad_listen_t *listener, REQUEST *request)
 radius_update_listener(listener);
 return rcode;
 }
+#ifdef WITH_RADIUSV11
+ } else if ((listener->radiusv11 == FR_RADIUSV11_REQUIRE) &&
+ !sock->radiusv11) {
+
+ DEBUG("(TLS) We have 'radiusv11 = require', but the home server has not negotiated it - closing socket");
+
+ PTHREAD_MUTEX_LOCK(&TLS_MUTEX);
+ tls_socket_close(listener);
+ PTHREAD_MUTEX_UNLOCK(&TLS_MUTEX);
+ return 0;
+#endif
 }
 DEBUG3("Proxy is writing %u bytes to SSL",
@@ -1382,7 +1393,7 @@ int proxy_tls_send(rad_listen_t *listener, REQUEST *request)
 default:
 tls_error_log(NULL, "Failed in proxy send with OpenSSL error %d", err);
- DEBUG("Closing TLS socket to home server");
+ DEBUG("(TLS) Closing socket to home server");
 tls_socket_close(listener);
 PTHREAD_MUTEX_UNLOCK(&TLS_MUTEX);
 return 0;
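Review bot: The `radiusv11 = require` check is added as an `else if` arm of a conditional whose opening `if` lies above the hunk, so it only runs on calls where that earlier condition is false. If that `if` is the not-yet-connected case (not visible here, so this needs confirming), the call on which the handshake completes skips the check and falls through to the `DEBUG3("Proxy is writing %u bytes to SSL", ...)` write on a connection that never negotiated RADIUS/1.1. Closing the outer block first and testing unconditionally would avoid that: `}` followed by `if ((listener->radiusv11 == FR_RADIUSV11_REQUIRE) && !sock->radiusv11) {` inside the `#ifdef`. The refusal is also a policy-enforcement event logged only with `DEBUG`, so an operator running without debug output sees the socket close with no stated reason; an `ERROR`-level message would make the failed negotiation visible.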