Matthew Newton wrote:
However, I looked at and implemented a different solution, which seems to work really well. Taking ideas from inner-tunnels and the SoH check method, I added a virtual_server option to the tls configuration. The rlm_eap_tls code then, just before returning success, runs through this virtual server (if given) allowing it to check the TLS-Cert* vps, and reject if it wants to based on them.
That's very nice.
It turns out to be a pretty small patch, and the code path isn't touched at all if the virtual_server option is not set. I've tested with EAP-TLS and PEAP/EAP-TLS, and both work well.
I've posted some comments on github.
I think the next step would be to move the client certificate validation, ocsp and other checks as 'modules' in this virtual server, but that looks a bit harder as they are done in a openssl callback function (cbtls_verify IIRC) - but may not be past the realms of possibility.
I think that's a good idea. Especially the OCSP code. It should really be a pluggable module. Alan DeKok.