How to check values of TLS-Client-Cert-X509v3-Extended-Key-Usage-OID attribute ?
Hi, I would like to check the values of the TLS-Client-Cert-X509v3-Extended-Key-Usage-OID attribute contained in a client's certificate when establishing an incoming RadSec connection on a proxy server. If those values match known strings then process the request else close the RadSec connection. How can I do that with FR 3.0.21 ? Regards, Arnaud Lauriou
On Mar 24, 2021, at 5:36 AM, Arnaud LAURIOU <arnaud.lauriou@renater.fr> wrote:
I would like to check the values of the TLS-Client-Cert-X509v3-Extended-Key-Usage-OID attribute contained in a client's certificate when establishing an incoming RadSec connection on a proxy server.
If those values match known strings then process the request else close the RadSec connection.
How can I do that with FR 3.0.21 ?
Read the debug output. It prints out which TLS-Clinet-Cert attributes are available, where they go, and what their values are. But... the main issue is that the server doesn't support applying policies to the incoming socket. See src/main/tls_listen.c: /* * FIXME: Run the request through a virtual * server in order to see if we like the * certificate presented by the client. */ :( The real solution is to rely on the TLS framework. If you don't like a certificate, then revoke it. What are the circumstances where you don't control the cert issue, but do want to check the various cert fields? Alan DeKok.
On 3/24/21 12:32 PM, Alan DeKok wrote:
Read the debug output. It prints out which TLS-Clinet-Cert attributes are available, where they go, and what their values are. Yes, and in fact there is a misunderstanding on my side : I am looking for X509v3 Certificate Policies, which are not in the debug output and therefore not in the TLS-Client-Cert-X509v3-Extended-Key-Usage-OID attribute.
I understand that I can check them with the external 'openssl verify' command, I will try that. Regards, Arnaud Lauriou
participants (2)
-
Alan DeKok -
Arnaud LAURIOU