RADSEC cert validation doesnt seem to work...
hi, # If check_cert_issuer is set, the value will # be checked against the DN of the issuer in # the client certificate. If the values do not # match, the cerficate verification will fail, # rejecting the user. okay.. check_cert_issuer = "/DC=com/DC=edupki/CN=eduPKJ" <snip> (0) <<< TLS 1.0 Handshake [length 08b8], Certificate (0) chain-depth=1, (0) error=0 (0) --> BUF-Name = eduPKI CA G 01 (0) --> subject = /DC=org/DC=edupki/CN=eduPKI CA G 01 (0) --> issuer = /DC=org/DC=edupki/CN=eduPKI CA G 01 (0) --> verify return:1 <snip> (0) (other): SSL negotiation finished successfully SSL Connection Established ooops. something isnt quite right in the validation arena.. alan
Alan Buxey wrote:
# If check_cert_issuer is set, the value will # be checked against the DN of the issuer in # the client certificate. If the values do not # match, the cerficate verification will fail, # rejecting the user.
That's only for the client cert.
(0) <<< TLS 1.0 Handshake [length 08b8], Certificate (0) chain-depth=1,
That's the issue: depth=1. If it was zero, then the check_cert_issuer code would apply. Which certificate is being checked here? Where did it come from? Alan DeKok.
Hi,
# be checked against the DN of the issuer in # the client certificate. If the values do not # match, the cerficate verification will fail, # rejecting the user.
That's only for the client cert.
yes, I'm looking at it , i believe, the right way around - I have a remote RADSEC client talking to this server - so that remote server is a client...
(0) <<< TLS 1.0 Handshake [length 08b8], Certificate (0) chain-depth=1,
That's the issue: depth=1. If it was zero, then the check_cert_issuer code would apply.
Which certificate is being checked here? Where did it come from?
this is a straight forward cert that has been signed by the eduPKI system - no chained certificate IIRC (though a chained CA shouldnt be an issue either as many clients are signed by a CA that is chained to a CA....) <snip> Certificate: Data: Version: 3 (0x2) Serial Number: xxxxxxxxxx (0xxxxxxxxxx) Signature Algorithm: sha1WithRSAEncryption Issuer: DC=org, DC=edupki, CN=eduPKI CA G 01 Validity Not Before: Feb 28 08:29:05 2011 GMT Not After : Feb 27 08:29:05 2016 GMT Subject: DC=net, DC=geant, DC=eduroam, C=GB, O=Loughborough University, CN=server.lboro.ac.uk Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (2048 bit) Modulus (2048 bit): <snip> Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: critical CA:FALSE X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Extended Key Usage: TLS Web Client Authentication, TLS Web Server Authentication X509v3 Subject Key Identifier: <snip> X509v3 Authority Key Identifier: <snip> X509v3 Subject Alternative Name: DNS:server.lboro.ac.uk, email:removed@lboro.ac.uk X509v3 Certificate Policies: <snip> X509v3 CRL Distribution Points: URI:http://cdp.edupki.org/edupki-ca/pub/crl/cacrl.crl Authority Information Access: OCSP - URI:http://ocsp.edupki.org/OCSP-Server/OCSP CA Issuers - URI:http://cdp.edupki.org/edupki-ca/pub/cacert/cacert.crt I've removed some things for privacy/security...and other bits because I'm not too familiar with eduPKI policy on disclosure - eg OID policies... alan
Hi,
this is a straight forward cert that has been signed by the eduPKI system - no chained certificate IIRC (though a chained CA shouldnt be an issue either as many clients are signed by a CA that is chained to a CA....)
I've removed some things for privacy/security...and other bits because I'm not too familiar with eduPKI policy on disclosure - eg OID policies...
We aren't shy: the CA, CP/CPS, Trust Profiles, OIDs are all described here: https://www.edupki.org/edupki-ca/policies-root-certificate-crl/ Greetings, Stefan
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
-- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg Tel: +352 424409 1 Fax: +352 422473
Hi,
We aren't shy: the CA, CP/CPS, Trust Profiles, OIDs are all described here: https://www.edupki.org/edupki-ca/policies-root-certificate-crl/
fair enough ;-) I think if FreeRADIUS can do OID verification and certificate issuer verification (short term) for RADSEC operations then thats pretty much 'it' at this point in time alan
Hi,
The external shell script certificate validation stuff should work.
should, aye. however, the current openssl 'verify' has the following openssl verify -help usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check] [-engine e] cert1 cert2 ... recognized usages: sslclient SSL client sslserver SSL server nssslserver Netscape SSL server smimesign S/MIME signing smimeencrypt S/MIME encryption crlsign CRL signing any Any Purpose ocsphelper OCSP helper - this is on latest RHEL release (and therefore CentOS etc) - theres no 'purpose' flag like the current 'bleeding edge' OpenSSL manual describes :-( (i'm thinking of compiling my own local restrained copy to try out leaving the distro stuff well-alone) alan
Hi, great. I used to think I'm avantgarde with my openssl 1.0.0c on openSUSE 11.4. Still, the command-line gives me the same help as yours. It takes all the fancy arguments from the web documentation though: openssl verify -verbose -explicit_policy -policy 1.3.5.1 -policy_print -policy_check -CAfile ./testcert.pem testcert.pem Require explicit Policy: False Authority Policies: <empty> User Policies: <empty> testcert.pem: OK swinter@aragorn:~> But as you see, it ignores the "explicit policy required" and "policy = 1.3.5.1" parameters deliberately. Grr. Stefan Am 10.06.2011 14:09, schrieb Alan Buxey:
Hi,
The external shell script certificate validation stuff should work. should, aye. however, the current openssl 'verify' has the following
openssl verify -help usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check] [-engine e] cert1 cert2 ... recognized usages: sslclient SSL client sslserver SSL server nssslserver Netscape SSL server smimesign S/MIME signing smimeencrypt S/MIME encryption crlsign CRL signing any Any Purpose ocsphelper OCSP helper
- this is on latest RHEL release (and therefore CentOS etc) - theres no 'purpose' flag like the current 'bleeding edge' OpenSSL manual describes :-(
(i'm thinking of compiling my own local restrained copy to try out leaving the distro stuff well-alone)
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
-- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg Tel: +352 424409 1 Fax: +352 422473
participants (3)
-
Alan Buxey -
Alan DeKok -
Stefan Winter