PEAP correct client certificate

Alan DeKok aland at deployingradius.com
Mon Nov 20 22:19:19 CET 2017
On Nov 20, 2017, at 3:58 PM, Brian Julin <BJulin at clarku.edu> wrote:
> I can see that the flags only get set in tls_new_session if the client_cert boolean
> is asserted.  But in that case it also unconditionally sets SSL_VERIFY_FAIL_IF_NO_PEER_CERT.

  Yes.  But again... that's only for the case when a client cert is required.

> What I'm talking about here is the same server serving both PEAP clients with certificates
> and PEAP clients without certificates, and still being able to access the TLS-Client-* variables
> in post-auth if/when the client did provide a cert.

  Yes, that works.  I've tested it.

   If you require a client cert for user A, you *don't* need to require a client cert for user B.

> My understanding is that SSL_VERIFY_PEER controls whether the server
> requests a certificate, and that FreeRADIUS only sets that when it is requiring
> certificates, so there's no avenue for "request a certificate, validate it if the client
> responds with one, but if no certificate was offered proceed anyway and decide what to
> do about that later on in unlang."

  Pretty much.

> ...pretty much the same thing as in both other places where those flags are referenced.  Nothing
> sets SSL_VERIFY_PEER without also setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT.
> Is it something internal to OpenSSL?  I admit I don't know that API much at all.

  It's in our code, it's not in OpenSSL.

  I suppose with a bit of poking, you could add a FreeRADIUS flag saying "request client cert, but don't require it".

  I'm not sure why that would be useful, tho.

  Alan DeKok.
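As an added illustration (not code from the thread or from FreeRADIUS), here is how the two verify modes discussed above look through Python's ssl module, which exposes the same OpenSSL settings: CERT_OPTIONAL corresponds to SSL_VERIFY_PEER alone (request the client certificate, validate it if one is offered, continue the handshake if none is), while CERT_REQUIRED adds SSL_VERIFY_FAIL_IF_NO_PEER_CERT. The attribute names (patterned after FreeRADIUS's TLS-Client-* attributes), the sample certificate dictionary and the post-auth policy function are assumptions constructed for this example.

```python
import ssl

# Assumed mapping of Python's ssl constants onto the OpenSSL flags discussed in the thread:
#   ssl.CERT_OPTIONAL -> SSL_VERIFY_PEER only: request a client cert, validate it if
#                        offered (a bad cert still aborts the handshake), carry on if none
#   ssl.CERT_REQUIRED -> SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT: abort if none

def make_server_context(require_client_cert: bool) -> ssl.SSLContext:
    """Build a TLS server context; the caller still loads its cert/key and the client CA."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED if require_client_cert else ssl.CERT_OPTIONAL
    return ctx

def server_verify_mode(require_client_cert: bool) -> str:
    """Name of the verify mode the context ends up with (for inspection/testing)."""
    return make_server_context(require_client_cert).verify_mode.name

def client_cert_attributes(peercert) -> dict:
    """Map SSLSocket.getpeercert() output onto TLS-Client-* style attributes.

    getpeercert() returns None when no cert was offered and {} when a cert was
    received but not validated; both yield an empty mapping here, so the caller
    knows it cannot rely on a certificate identity for this session."""
    if not peercert:
        return {}
    subject = {k: v for rdn in peercert.get("subject", ()) for k, v in rdn}
    issuer = {k: v for rdn in peercert.get("issuer", ()) for k, v in rdn}
    return {
        "TLS-Client-Cert-Common-Name": subject.get("commonName"),
        "TLS-Client-Cert-Issuer": issuer.get("commonName"),
        "TLS-Client-Cert-Serial": peercert.get("serialNumber"),
        "TLS-Client-Cert-Expiration": peercert.get("notAfter"),
    }

def post_auth_decision(peercert, password_ok: bool) -> str:
    """Hypothetical post-auth policy: a validated client cert identifies the user;
    with no cert the session must have succeeded at the inner (password) method."""
    attrs = client_cert_attributes(peercert)
    if attrs and attrs["TLS-Client-Cert-Common-Name"]:
        return "accept-cert:" + attrs["TLS-Client-Cert-Common-Name"]
    return "accept-password" if password_ok else "reject"

# Constructed sample in the shape getpeercert() returns; not a real certificate.
SAMPLE_PEERCERT = {
    "subject": ((("countryName", "XX"),), (("commonName", "user-a"),)),
    "issuer": ((("commonName", "Example Lab CA"),),),
    "serialNumber": "1A2B3C",
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}
```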
