rlm_eap_tls restrict issuer

Benjamin Bennett ben at psc.edu
Thu Mar 9 18:09:08 CET 2006


On Mon, 2006-03-06 at 17:40 -0500, Alan DeKok wrote:
> Benjamin Bennett <ben at psc.edu> wrote:
> > For example, if we have a root CA (A), that issues another CA cert (B),
> > from which our client certs will be issued, our CA_file must contain
> > both A & B certs to validate our clients. However, certs issued directly
> > from A will then also be valid.
> 
>   Yes, this is currently how it works.  There's no real reason, other
> than no one has added code to distinguish one cert from another.
> 
> > I'm about to add a check_cert_issuer (PW_TYPE_STRING_PTR) config option
> > set to the DN of the issuer we want to use, and a string compare in
> > cbtls_verify() just before the check_cert_cn happens. Does that sound
> > about right?
> 
>   It should work.  Please submit the patch to bugs.freeradius.org, so
> others can use it, too.

Submitted.

http://bugs.freeradius.org/show_bug.cgi?id=346


--ben
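As an added demonstration (this is not code from the thread, the bug entry, or FreeRADIUS itself): a shell session using the openssl CLI that builds the chain described above, root A, intermediate B, one client certificate issued by B and one issued directly by A, then shows that chain validation against a CA_file holding both A and B accepts both clients, and finally applies the proposed issuer-DN string compare as a policy check on the presented certificate. The CA and client names, the function names and the `CN=Intermediate B` policy value are constructed for the example.

```shell
#!/bin/sh
# Added example: reproduce the trust problem from the thread and the proposed
# fix with the openssl CLI. Not FreeRADIUS code; CA names and the policy
# value "CN=Intermediate B" are made up for this demo.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Extensions for the two CA certificates (root A and intermediate B)
printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext

# Root CA "A": self-signed
openssl req -new -newkey rsa:2048 -nodes -keyout a.key -out a.csr -subj "/CN=Root A" 2>/dev/null
openssl x509 -req -in a.csr -signkey a.key -days 1 -extfile ca.ext -out a.crt 2>/dev/null

# Intermediate CA "B", issued by A: the CA our client certs are supposed to come from
openssl req -new -newkey rsa:2048 -nodes -keyout b.key -out b.csr -subj "/CN=Intermediate B" 2>/dev/null
openssl x509 -req -in b.csr -CA a.crt -CAkey a.key -CAcreateserial -days 1 -extfile ca.ext -out b.crt 2>/dev/null

# Two client certs: the intended one (issued by B) and a stray one issued directly by A
openssl req -new -newkey rsa:2048 -nodes -keyout c_b.key -out c_b.csr -subj "/CN=client-via-B" 2>/dev/null
openssl x509 -req -in c_b.csr -CA b.crt -CAkey b.key -CAcreateserial -days 1 -out c_from_b.crt 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -keyout c_a.key -out c_a.csr -subj "/CN=client-via-A" 2>/dev/null
openssl x509 -req -in c_a.csr -CA a.crt -CAkey a.key -CAcreateserial -days 1 -out c_from_a.crt 2>/dev/null

# CA_file as described in the thread: A and B both present, because a chain
# ending at B cannot be validated to a self-signed root without A.
cat a.crt b.crt > ca_file.pem

# Chain validation alone, i.e. what CA_file=A+B gives without the patch.
chain_ok() {
    openssl verify -CAfile ca_file.pem "$1" 2>/dev/null | grep -q ': OK$'
}

# Issuer DN of the presented certificate in RFC 2253 form, "issuer=" prefix stripped.
# The configured policy value has to match exactly this string form.
issuer_dn() {
    openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//'
}

# The proposed check_cert_issuer: a plain string compare against the configured DN.
check_cert_issuer() {
    [ "$(issuer_dn "$1")" = "$2" ]
}

# What the patched verify path would do: chain valid AND issuer DN matches policy.
eap_tls_accept() {
    chain_ok "$1" && check_cert_issuer "$1" "$2"
}

POLICY_ISSUER="CN=Intermediate B"
for c in c_from_b.crt c_from_a.crt; do
    if chain_ok "$c"; then chain=OK; else chain=FAIL; fi
    if eap_tls_accept "$c" "$POLICY_ISSUER"; then final=accept; else final=reject; fi
    printf '%-14s issuer=%-18s chain=%-4s -> %s\n' "$c" "$(issuer_dn "$c")" "$chain" "$final"
done
```

Both client certificates pass `openssl verify`, which is the behaviour the thread describes; only the issuer compare tells them apart. Two things to keep in mind when porting this into a verify callback such as cbtls_verify(): the callback is invoked once per certificate in the chain, so the compare must be restricted to depth 0 (the client certificate), otherwise at depth 1 the current certificate is B, whose issuer is A, and a correct chain would be rejected; and an exact string compare is sensitive to the DN formatting the code produces (for example X509_NAME_oneline output versus the RFC 2253 form used here), so the configured value has to be written in that same form.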