We recently ran into a minor annoyance with the checking of certificate CNs using the eap-tls module. Occasionally we issue certificates with a CN that has a different case to that on the host. eg. Our certificate might be something like cn=ALPHA,o=SOMEORG, but the hostname of the machine is "alpha". My reading of /src/modules/rlm_eap/types/rlm_eap_tls/cb.c (around line 162) if (strncmp(cn_str, buf, sizeof(buf)) != 0) { indicates that the comparison is case-sensitive. However my brief browsing of the appropriate RFCs indicate that those particular components of the DN are typically defined to be case insensitive. As an english speaker, I'm blissfully unaware of internationalisation issues that might be caused by #1 below. So I can see 3 ways forward from here (for us / possibly freeradius at large for #1,#3) 1. Change the match to strncasecmp 2. Disable check_cert_cn (it doesn't add an awful lot of value for us due to how we issue certs directly into the stores) 3. Find out if there is some way to use the hints file to upper/lower case the name, and then only issue certs with upper case CN values. This is only an edge case for us; it happens very infrequently. However we are a limited life project and I want to put in place a solution with the least amount of manual tinkering required as possible. Thanks, Ben