Hello, On 6/3/22 10:53, Stefan Winter wrote:
Hello,
I also noticed that while the server logs many properties of the X.509 certificate (both incoming and outgoing), it does not store the fields X509v3 Certificate Policies, i.e.:
X509v3 Extended Key Usage: TLS Web Client Authentication, TLS Web Server Authentication X509v3 Subject Key Identifier: 48:5B:A9:3C:94:AF:72:C7:0D:B8:9A:8B:4E:0D:25:0A:13:7B:DE:36
X509v3 Authority Key Identifier: keyid:D2:F2:23:BD:4A:A1:7F:CF:A0:58:84:EB:FC:E6:5B:08:B3:CD:B4:E4
X509v3 Subject Alternative Name: DNS:tld1.eduroam.lu, DNS:tld2.eduroam.lu X509v3 Certificate Policies: Policy: 1.3.6.1.4.1.27262.1.13.1.1 Policy: 1.3.6.1.4.1.27262.1.13.1.1.1.4 Policy: 1.3.6.1.4.1.25178.3.1.1 Policy: 1.3.6.1.4.1.25178.3.1.2 Policy: 1.3.6.1.4.1.27262.1.13.2.1.1.8
But:
(0) (TLS) Creating attributes from client certificate (0) TLS-Client-Cert-Serial := "244f65593e791e5064b98342" (0) TLS-Client-Cert-Expiration := "260218163105Z" (0) TLS-Client-Cert-Valid-Since := "210219163105Z" (0) TLS-Client-Cert-Subject := "/DC=net/DC=geant/DC=edsuroam/C=LU/O=Fondation Restena/CN=tld1.eduroam.lu" (0) TLS-Client-Cert-Issuer := "/DC=org/DC=edupki/CN=eduPKI CA G 01" (0) TLS-Client-Cert-Common-Name := "tld1.eduroam.lu" (0) TLS-Client-Cert-Subject-Alt-Name-Dns := "tld1.eduroam.lu" (0) TLS-Client-Cert-Subject-Alt-Name-Dns := "tld2.eduroam.lu" (0) TLS-Client-Cert-X509v3-Basic-Constraints += "CA:FALSE" (0) TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication, TLS Web Server Authentication" (0) TLS-Client-Cert-X509v3-Subject-Key-Identifier += "48:5B:A9:3C:94:AF:72:C7:0D:B8:9A:8B:4E:0D:25:0A:13:7B:DE:36" (0) TLS-Client-Cert-X509v3-Authority-Key-Identifier += "keyid:D2:F2:23:BD:4A:A1:7F:CF:A0:58:84:EB:FC:E6:5B:08:B3:CD:B4:E4\n" (0) TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2" (0) TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.1"
... but no "TLS-Client-Cert-X509v3-Certificate-Policy" Not all TLS attributes are directly available, you must add this attribute in the dictionary to see it in debug mode and use it with unlang : ATTRIBUTE TLS-Client-Cert-X509v3-Certificate-Policies 3000 string
But yes, it's probably a good idea to have it by default. Regards, Arnaud