Hi list, I updated freeradius on an Devuan machine from 3.0.17 to 3.2.1. Formerly I checked the client certificate in the virtual server check-eap-tls with the following unlang construct to extract the real User-Name from the certificate: ... if ((&TLS-Client-Cert-Subject-Alt-Name-Email) && (&TLS-Client-Cert-Subject-Alt-Name-Email =~ /@/)) { update request { &User-Name := &TLS-Client-Cert-Subject-Alt-Name-Email } } elsif (&TLS-Client-Cert-Common-Name) { update request { &User-Name := &TLS-Client-Cert-Common-Name } } else { reject } ... In the client certificate file there is also the root ca certificate, and in the former version the second certificate was the client certificate and the code evaluates correct without thoroughly thinking about. Now, the attributes like TLS-Client-Cert-Serial evaluate to the first certificate ie the root ca certificate and the above unlang code return the false User-Name. I want to improve the code and need some hints. I want to iterate over eg &TLS-Client-Cert-Serial[*], search the cert with &TLS-Client-Cert-X509v3-Basic-Constraints[i] =~ /CA:FALSE/, and then extract the User-Name from &TLS-Client-Cert-Subject-Alt-Name-Email[i] or &TLS-Client-Cert-Common-Name[i] How can I get the correct index i from eg foreach &TLS-Client-Cert-Serial to reference to the &TLS-Client-Cert-Subject-Alt-Name-Email[i], for example. A quick fix was to use [n] and choose the last certificate in the file, but this is not clean. -- stefan hartmann