Case sensitivity of cert cn checking in rlm_eap_tls

Ben Walding ben.walding at gmail.com
Mon Aug 8 02:27:21 CEST 2005


We recently ran into a minor annoyance with the checking of
certificate CNs using the eap-tls module.

Occasionally we issue certificates with a CN that has a different case
to that on the host, e.g.

Our certificate might be something like cn=ALPHA,o=SOMEORG, but the
hostname of the machine is "alpha".

My reading of 

/src/modules/rlm_eap/types/rlm_eap_tls/cb.c (around line 162)

                if (strncmp(cn_str, buf, sizeof(buf)) != 0) {

indicates that the comparison is case-sensitive.  However, my brief
browsing of the appropriate RFCs indicates that those particular
components of the DN are typically defined to be case-insensitive. As
an English speaker, I'm blissfully unaware of internationalisation
issues that might be caused by #1 below.


So I can see 3 ways forward from here (for us / possibly FreeRADIUS at
large for #1 and #3):

1. Change the match to strncasecmp
2. Disable check_cert_cn (it doesn't add an awful lot of value for us
due to how we issue certs directly into the stores)
3. Find out if there is some way to use the hints file to upper/lower
case the name, and then only issue certs with upper case CN values.


This is only an edge case for us; it happens very infrequently.
However, we are a limited-life project and I want to put in place a
solution that requires as little manual tinkering as possible.


Thanks,

Ben
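As an added illustration of the difference discussed in this post (not code from FreeRADIUS or from the poster), the following hypothetical helpers contrast the exact bounded compare read from cb.c with a comparison in the spirit of the LDAP caseIgnoreMatch rule that the RFCs apply to CN: surrounding whitespace ignored, internal whitespace runs collapsed, ASCII letters compared without regard to case, and non-ASCII bytes compared exactly (so no Unicode case folding, which is the internationalisation issue option #1 leaves open).

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Exact comparison as the post reads cb.c: strncmp bounded by the
 * size of the local buffer holding the expected name. */
static bool cn_matches_exact(const char *cn, const char *expected, size_t bufsize)
{
    return strncmp(cn, expected, bufsize) == 0;
}

/* Hypothetical caseIgnoreMatch-style comparison (not rlm_eap_tls code):
 * trims leading/trailing whitespace, treats a run of internal whitespace
 * as one separator, and case-folds ASCII letters only. Bytes >= 0x80 are
 * compared byte-for-byte, so non-ASCII names still need an exact match. */
static bool cn_matches_ignore_case(const char *cn, const char *expected)
{
    while (isspace((unsigned char)*cn)) cn++;
    while (isspace((unsigned char)*expected)) expected++;

    while (*cn && *expected) {
        if (isspace((unsigned char)*cn) && isspace((unsigned char)*expected)) {
            /* Both sides are at a whitespace run: collapse each to one gap. */
            while (isspace((unsigned char)*cn)) cn++;
            while (isspace((unsigned char)*expected)) expected++;
            continue;
        }
        unsigned char a = (unsigned char)*cn, b = (unsigned char)*expected;
        if (a < 0x80 && b < 0x80) { a = (unsigned char)tolower(a); b = (unsigned char)tolower(b); }
        if (a != b) return false;
        cn++; expected++;
    }
    /* Trailing whitespace on either side is not significant. */
    while (isspace((unsigned char)*cn)) cn++;
    while (isspace((unsigned char)*expected)) expected++;
    return *cn == '\0' && *expected == '\0';
}

int main(void)
{
    char buf[256] = "alpha";            /* constructed expected host name */
    const char *cert_cn = "ALPHA";      /* constructed CN from the certificate */
    printf("exact: %d  ignore-case: %d\n",
           cn_matches_exact(cert_cn, buf, sizeof(buf)),
           cn_matches_ignore_case(cert_cn, buf));
    return 0;
}
```

The widened match accepts anything the exact match accepts plus case and whitespace variants, so which behaviour a deployment wants should be a deliberate choice rather than a side effect of the compare function used.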



