Alan DeKok wrote:
On Nov 20, 2017, at 3:16 PM, Brian Julin <BJulin@clarku.edu> wrote:
As an aside/tangent to this, I'm wondering if I am reading the code right or missing something... every place that SSL_VERIFY_CLIENT is set, SSL_VERIFY_FAIL_IF_NO_PEER_CERT is also set. So as far as I can see, there is no way to make client certificates optional with PEAP.\
Those flags are set in the SSL* structure. i.e. the one setting up *this* connection.
The function creating the default SSL_CTX *does* set those flags. But the "create this SSL" function clears them, if there's no requirement for client certs.
I've tested PEAP using eapol_text with / without client certs. It works.
I can see that the flags only get set in tls_new_session if the client_cert boolean is asserted. But in that case it also unconditionally sets SSL_VERIFY_FAIL_IF_NO_PEER_CERT. Maybe I'm just missing exactly where that can get cleared. Is the "create this SSL" function something other than that? What I'm talking about here is the same server serving both PEAP clients with certificates and PEAP clients without certificates, and still being able to access the TLS-Client-* variables in post-auth if/when the client did provide a cert.
If the client cert has expired, you don't really get MSCHAP auth. The connection usually just drops in the TLS layer.
I'm assuming one could teach their validator to "ignore" the expiry date so a decision about what to do about that could be deferred until unlang. I have no idea whether the OpenSSL utility makes that easy or not.
No.. the client *doesn't* send a client certificate unless it's (a) been configured on the client, and (b) requested by the server.
My understanding is that SSL_VERIFY_PEER controls whether the server requests a certificate, and that FreeRADIUS only sets that when it is requiring certificates, so there's no avenue for "request a certificate, validate it if the client responds with one, but if no certificate was offered proceed anyway and decide what to do about that later on in unlang." if (client_cert) { RDEBUG2("Requiring client certificate"); verify_mode = SSL_VERIFY_PEER; verify_mode |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT; verify_mode |= SSL_VERIFY_CLIENT_ONCE; } ...pretty much the same thing as in both other places where those flags are referenced. Nothing sets SSL_VERIFY_PEER without also setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT. Is it something internal to OpenSSL? I admit I don't know that API much at all. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html