TLS-*-Cert-Common-Name if no certificate subject - patch
The client certificate on the device I'm testing with here has no Subject, and has a subjectAltName instead. This seems allowed (mandated? - the text is unclear to me) by RFC3280 s4.1.2.6. Correctly, the TLS-Client-Cert-Subject vp is _not_ added. Incorrectly, TLS-Client-Cert-Common-Name IS added, with the value of the common name from the issuer certificate. Below mini-patch only tries to add the common-name vp if it previously found a subject. Cheers, Matthew
From 921bd453c11697830b0d4871aa7aac51601a0ee5 Mon Sep 17 00:00:00 2001 From: Matthew Newton <mcn4@leicester.ac.uk> Date: Fri, 3 Feb 2012 13:33:26 +0000 Subject: [PATCH] rlm_eap_tls.c - only add TLS-*-Cert-Common-Name if there was a subject
--- .../rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c b/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c index e548961..0132ae0 100644 --- a/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c +++ b/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c @@ -636,12 +636,12 @@ static int cbtls_verify(int ok, X509_STORE_CTX *ctx) } /* - * Get the Common Name + * Get the Common Name, if there is a subject */ X509_NAME_get_text_by_NID(X509_get_subject_name(client_cert), NID_commonName, common_name, sizeof(common_name)); common_name[sizeof(common_name) - 1] = '\0'; - if ((lookup <= 1) && common_name[0] && (strlen(common_name) < MAX_STRING_LEN)) { + if ((lookup <= 1) && common_name[0] && subject[0] && (strlen(common_name) < MAX_STRING_LEN)) { pairadd(&handler->certs, pairmake(cert_attr_names[EAPTLS_CN][lookup], common_name, T_OP_SET)); } -- 1.7.2.5 -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Matthew Newton wrote:
The client certificate on the device I'm testing with here has no Subject, and has a subjectAltName instead. This seems allowed (mandated? - the text is unclear to me) by RFC3280 s4.1.2.6.
Correctly, the TLS-Client-Cert-Subject vp is _not_ added.
Incorrectly, TLS-Client-Cert-Common-Name IS added, with the value of the common name from the issuer certificate.
Weird.
Below mini-patch only tries to add the common-name vp if it previously found a subject.
Added, thanks. Alan DeKok.
participants (2)
-
Alan DeKok -
Matthew Newton