Hi, On Fri, Feb 03, 2012 at 11:25:30AM +0100, Alan DeKok wrote:
Matthew Newton wrote:
However, I looked at and implemented a different solution, which seems to work really well. Taking ideas from inner-tunnels and the SoH check method, I added a virtual_server option to the tls
That's very nice.
Thanks :)
It turns out to be a pretty small patch, and the code path isn't touched at all if the virtual_server option is not set. I've tested with EAP-TLS and PEAP/EAP-TLS, and both work well.
I've posted some comments on github.
I've improved it a lot based on that - it's much neater and simpler now. I realised that I was needlessly copying in the certificate VPs that had already been copied, so that's gone.
I think the next step would be to move the client certificate validation, ocsp and other checks as 'modules' in this virtual server, but that looks a bit harder as they are done in a openssl callback function (cbtls_verify IIRC) - but may not be past the realms of possibility.
I think that's a good idea. Especially the OCSP code. It should really be a pluggable module.
Will have to stare at the code on this. I struggle to understand the SSL stuff well, and this looks slightly more complicated due to the callback function, so I'm not sure where OpenSSL calls it, or if it could easily be separated out. Will try and have a look. Couple of updates pushed to https://github.com/mcnewton/freeradius-server/commits/patch-eaptls-vs Cheers, Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>