IMHO, it is very breakable script: it compare only strings (issuer name, subject, etc), which can be forged easily. IMHO, we need to check sha1/md5 signatures of CA certificates, not strings.
I don't agree with you. Freeradius checks that the certificate is issued by one of the CA defined in config of EAP-TLS. And then this script compare the subject, you cannot forged it. And of course this patch can be easily enhanced to export sha1/md5 signatures. This patch is made directly for our needs. We have autogenerated file which contains the subject names of allowed certificates. Our CA is part of EUGridPMA and their policy is that there cannot be two certificates with the same subject. -- Michal Prochazka // michalp@ics.muni.cz Supercomputing Center Brno Institute of Computer Science Masaryk University Botanicka 68a, 60200 Brno, CZ CESNET z.s.p.o. Zikova 4, 16200 Praha 6, CZ