Checking certificate client policies for RadSec connection
Hi, We are currently checking certificate policy (X509v3 Certificate Policies) of our RadSec clients with an external command : 'openssl verify -policy_check ...' Can we check these policies directly in FR, without an external command ? In debug mode (FR 3.0.23), I can't find these policies in the attributes list created from the client certificate. Regards, Arnaud
On Aug 17, 2021, at 9:01 AM, Arnaud LAURIOU <arnaud.lauriou@renater.fr> wrote:
We are currently checking certificate policy (X509v3 Certificate Policies) of our RadSec clients with an external command : 'openssl verify -policy_check ...'
Can we check these policies directly in FR, without an external command ?
Yes.
In debug mode (FR 3.0.23), I can't find these policies in the attributes list created from the client certificate.
You will need to add a dictionary item for them. Only a few X509 attributes are currently defined: $ git grep -i x509 share/ share/dictionary.freeradius.internal:ATTRIBUTE TLS-Client-Cert-X509v3-Extended-Key-Usage 1927 string share/dictionary.freeradius.internal:ATTRIBUTE TLS-Client-Cert-X509v3-Subject-Key-Identifier 1928 string share/dictionary.freeradius.internal:ATTRIBUTE TLS-Client-Cert-X509v3-Authority-Key-Identifier 1929 string share/dictionary.freeradius.internal:ATTRIBUTE TLS-Client-Cert-X509v3-Basic-Constraints 1930 string share/dictionary.freeradius.internal:ATTRIBUTE TLS-Client-Cert-X509v3-Extended-Key-Usage-OID 1936 string Run the server in debug mode (-Xx) to see messages like: Skipping TLS-Client-Cert-X509-Bar += 'foo'. Please check that both the attribute and value are defined in the dictionaries That gives you the name to use. Then, just add the new attribute to raddb/dictionary Alan DeKok.
On 8/17/21 3:13 PM, Alan DeKok wrote:
On Aug 17, 2021, at 9:01 AM, Arnaud LAURIOU <arnaud.lauriou@renater.fr> wrote:
In debug mode (FR 3.0.23), I can't find these policies in the attributes list created from the client certificate. You will need to add a dictionary item for them. Only a few X509 attributes are currently defined:
$ git grep -i x509 share/ share/dictionary.freeradius.internal:ATTRIBUTE TLS-Client-Cert-X509v3-Extended-Key-Usage 1927 string share/dictionary.freeradius.internal:ATTRIBUTE TLS-Client-Cert-X509v3-Subject-Key-Identifier 1928 string share/dictionary.freeradius.internal:ATTRIBUTE TLS-Client-Cert-X509v3-Authority-Key-Identifier 1929 string share/dictionary.freeradius.internal:ATTRIBUTE TLS-Client-Cert-X509v3-Basic-Constraints 1930 string share/dictionary.freeradius.internal:ATTRIBUTE TLS-Client-Cert-X509v3-Extended-Key-Usage-OID 1936 string
Run the server in debug mode (-Xx) to see messages like:
Skipping TLS-Client-Cert-X509-Bar += 'foo'. Please check that both the attribute and value are defined in the dictionaries
That gives you the name to use. Then, just add the new attribute to raddb/dictionary Right, got it. Now where can I check its value ? In 'Autz-Type New-TLS-Connection' with check_client_connections ?
Regards
On Aug 17, 2021, at 10:23 AM, Arnaud LAURIOU <arnaud.lauriou@renater.fr> wrote:
Now where can I check its value ? In 'Autz-Type New-TLS-Connection' with check_client_connections ?
You can check its value in any section, any time after you see it show up in the debug output. Alan DeKok.
On 8/17/21 4:27 PM, Alan DeKok wrote:
On Aug 17, 2021, at 10:23 AM, Arnaud LAURIOU <arnaud.lauriou@renater.fr> wrote:
Now where can I check its value ? In 'Autz-Type New-TLS-Connection' with check_client_connections ? You can check its value in any section, any time after you see it show up in the debug output. Ok, my question was not clear. Where can I test its value as soon as it becomes available ? Can I check it in the listen section, in the verify sub-section for example before the authorise section of the virtual server associated ?
Arnaud
On Aug 17, 2021, at 11:47 AM, Arnaud LAURIOU <arnaud.lauriou@renater.fr> wrote:
Where can I test its value as soon as it becomes available ?
In the processing sections... the debug output will show you which sections it's running.
Can I check it in the listen section, in the verify sub-section for example before the authorise section of the virtual server associated ?
You can't put "unlang" into a "listen" section. You can only check attributes inside of a processing section, like "authorize". Alan DeKok.
participants (2)
-
Alan DeKok -
Arnaud LAURIOU