On Nov 20, 2017, at 3:58 PM, Brian Julin <BJulin@clarku.edu> wrote:
I can see that the flags only get set in tls_new_session if the client_cert boolean is asserted. But in that case it also unconditionally sets SSL_VERIFY_FAIL_IF_NO_PEER_CERT.
Yes. But again... that's only for the case when a client cert is required.
What I'm talking about here is the same server serving both PEAP clients with certificates and PEAP clients without certificates, and still being able to access the TLS-Client-* variables in post-auth if/when the client did provide a cert.
Yes, that works. I've tested it. If you require a client cert for user A, you *don't* need to require a client cert for user B.
My understanding is that SSL_VERIFY_PEER controls whether the server requests a certificate, and that FreeRADIUS only sets that when it is requiring certificates, so there's no avenue for "request a certificate, validate it if the client responds with one, but if no certificate was offered proceed anyway and decide what to do about that later on in unlang."
Pretty much.
...pretty much the same thing as in both other places where those flags are referenced. Nothing sets SSL_VERIFY_PEER without also setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT. Is it something internal to OpenSSL? I admit I don't know that API much at all.
It's in our code, it's not in OpenSSL. I suppose with a bit of poking, you could add a FreeRADIUS flag saying "request client cert, but don't require it" I'm not sure why that would be useful, tho. Alan DeKok.