EAP-TLS authentication allows me to authenticate with invalid certificate.
Alan DeKok
aland at deployingradius.com
Wed Oct 13 08:50:38 CEST 2010
Terry Simons wrote:
> I'm running into an issue where FreeRADIUS allows an invalid certificate (one not signed by my configured CA) to successfully authenticate to EAP-TLS.
Well... the code which prints the error "verify error:num=20:" is in
the "verify certificate callback" function. It's returning FALSE to
OpenSSL.
OpenSSL *should* return that error back up the call chain to the
functions in src/modules/libeap/. They look for error returns from
OpenSSL, and stop the conversation if so.
> There's a message in the log that clearly indicates that the CA wasn't found (--> verify error:num=20:unable to get local issuer certificate), yet my authentication succeeds.
>
> I'm using FreeRADIUS version 2.1.10 with a largely default configuration (home-grown certificates).
Does it fail authentication with another version of FreeRADIUS? If
not, it's an OpenSSL problem.
> I want this authentication to fail because the certificate that the client is using was not signed by the CA that I have configured with the CA_file directive, therefore it should be considered an invalid EAP-TLS attempt.
>
> Has anyone seen this before?
Nope. I'm not a crypto person. FreeRADIUS hands the SSL stuff to
OpenSSL, which does its magic to verify the certs.
Alan DeKok.
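The check described above, reproduced with the openssl command-line tool as an added example (not code from this thread or from FreeRADIUS): a client certificate issued by a CA that is not in CA_file must produce verify error 20, and any wrapper around the check must fail closed on OpenSSL's non-zero result. It assumes an OpenSSL 1.1-or-later `openssl` binary on PATH; the CA names, subjects and file names are made up.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce with the openssl CLI the check that
# FreeRADIUS's verify callback asks OpenSSL to perform, and fail closed on its result.
# Assumptions: an OpenSSL 1.1+ "openssl" command is on PATH; names below are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed material: the CA configured in CA_file, a client cert it signs, and a
# client cert signed by a second CA that is NOT in CA_file (the thread's situation).
make_certs() {
  for ca in ca other-ca; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$ca" \
      -keyout "$WORK/$ca.key" -out "$WORK/$ca.pem" >/dev/null 2>&1
  done
  for pair in "client:ca" "rogue:other-ca"; do
    name=${pair%%:*}; issuer=${pair##*:}
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
      -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.pem" \
      -CAkey "$WORK/$issuer.key" -CAcreateserial -days 1 \
      -out "$WORK/$name.pem" >/dev/null 2>&1
  done
}

# verify_against_ca CA_FILE CERT
# Prints "ok" and returns 0 only when the chain builds from CA_FILE alone; otherwise
# prints OpenSSL's numeric verify error (20 = unable to get local issuer certificate)
# and returns 1. -no-CApath keeps the system trust store out of the decision, as
# FreeRADIUS's CA_file setting does.
verify_against_ca() {
  ca="$1"; cert="$2"
  if out=$(openssl verify -no-CApath -CAfile "$ca" "$cert" 2>&1); then
    echo ok
    return 0
  fi
  echo "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
  return 1
}

make_certs
echo "client signed by CA_file's CA:  $(verify_against_ca "$WORK/ca.pem" "$WORK/client.pem")"
echo "client signed by an unknown CA: $(verify_against_ca "$WORK/ca.pem" "$WORK/rogue.pem")"
```

The second line prints `20`, the same error number as in the log quoted above; a callback or script that treats that path as success is exactly the failure being discussed.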