Naming collision on CN in CA certificates (EAP-TLS)
Hi there, Before I open a bug report in Github, I'm hoping that someone else has seen this issue and can advise on a work-around. What I'm trying to do: Use multiple CA certificates for authentication of EAP-TLS supplicants. The CNs in these CA certificates may be identical. What I'm expecting: FreeRADIUS (via SSL library) should use the authorityKeyID in the supplicant's certificate to locate the CA certificate (matching against the subjectKeyID) to validate the supplicant's presented certificate. What I'm observing: FreeRADIUS fails to authenticate client certificates if multiple CA certificates exist with the same CN. The CN appears to be the key which FreeRADIUS uses to locate the CA certificate. More about the test scenario: Attempted with two CA certificates as separate certs in cert_dir. Also tried with both CA certificates in the same file. As long as the CNs are different, authentication happens as desired, with no issues. If the CNs collide, auth fails. When I use OpenSSL to verify the client certs against the CA certs, OpenSSL authenticates the certs correctly even if the names collide. FreeRADIUS appears to be sharing the responsibility of validating the supplicant's certificate with the SSL library, and treating it differently than openSSL does when used independently. -- *Ash Wilson* | Technical Director *e:* ash.wilson@valimail.com This email and all data transmitted with it contains confidential and/or proprietary information intended solely for the use of individual(s) authorized to receive it. If you are not an intended and authorized recipient you are hereby notified of any use, disclosure, copying or distribution of the information included in this transmission is prohibited and may be unlawful. Please immediately notify the sender by replying to this email and then delete it from your system.
On Jun 5, 2021, at 1:26 PM, Ash Wilson via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
What I'm trying to do: Use multiple CA certificates for authentication of EAP-TLS supplicants. The CNs in these CA certificates may be identical.
I'm not sure that it's permitted in TLS to have multiple CAs with the same CN.
What I'm expecting: FreeRADIUS (via SSL library) should use the authorityKeyID in the supplicant's certificate to locate the CA certificate (matching against the subjectKeyID) to validate the supplicant's presented certificate.
What I'm observing: FreeRADIUS fails to authenticate client certificates if multiple CA certificates exist with the same CN. The CN appears to be the key which FreeRADIUS uses to locate the CA certificate.
Except that FreeRADIUS doesn't do this. It just hands the TLS data / certs to OpenSSL, and asks "is this OK?"
More about the test scenario: Attempted with two CA certificates as separate certs in cert_dir. Also tried with both CA certificates in the same file. As long as the CNs are different, authentication happens as desired, with no issues. If the CNs collide, auth fails. When I use OpenSSL to verify the client certs against the CA certs, OpenSSL authenticates the certs correctly even if the names collide.
I suspect something else is going on there. i.e. the openssl command-line tool does something different from FreeRADIUS. FreeRADIUS loads all of the CAs into memory, and then asks OpenSSL to verify the client cert. If OpenSSL can't match the client cert to the correct CA, then that's an issue for OpenSSL.
FreeRADIUS appears to be sharing the responsibility of validating the supplicant's certificate with the SSL library, and treating it differently than openSSL does when used independently.
FreeRADIUS doesn't verify the client cert. That's all TLS / cert magic, and we don't implement that. What FreeRADIUS does is to expose the CN / etc. to "unlang", and allows the local admin to write policies based on that. But any matching of client cert to CA is completely outside of the scope of FreeRADIUS. We just call the OpenSSL APIs. If they return "OK", then the cert is valid. If they return "fail", then the cert is rejected. Which version of FreeRADIUS are you using, and which version of OpenSSL? You might also try setting "auto_chain = yes". See mods-available/eap. That toggles an internal OpenSSL flag for some different behavior. That might help. Alan DeKok.
participants (2)
-
Alan DeKok -
Ash Wilson