Another patch for X509 validation

Michal Prochazka michalp at
Thu Nov 9 09:28:32 CET 2006


Alan DeKok wrote:
> "Juan C. Sanchez-DelBarrio" <carlos.sanchez at> wrote:
>> I follow with the idea of the other developer. In our organization, we
>> need that you can filter not only using check_cert_cn if not using
>> organizational-unit (O) of the DN. Firstly, we propose the following
>> patch using external script where you can define your own filter.
>   Ok...

Maybe I don't really understand what Juan means with "we propose" but
this patch is made by me and I sent it to this list on 12. 5. 2006
(Msg ID: 4464493E.6020002 at) but without any response from
Alan or other developers:-( This patch is only for 1.1.0. I also
made changes to the patch to be usable in freeradius 1.1.2. I'm not
testing the patch against new versions of freeradius because we are
running version 1.1.0.

I also asked in this list if anyone needs the whole certificate to
be sent to the script, but without any response. I didn't do this
modification to eap-tls because we need only issuer and subject.

>> +ATTRIBUTE       X509-Subject                            1102    string
>> +ATTRIBUTE       X509-Issuer                             1103    string
> ...
>> +#define PW_X509_SUBJECT			1100
>> +#define	PW_X509_ISSUER			1101
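
Review bot: the values in the two `#define` lines (PW_X509_SUBJECT 1100, PW_X509_ISSUER 1101) do not match the dictionary entries quoted above them (X509-Subject 1102, X509-Issuer 1103), so code using the constants would refer to different attribute numbers than the dictionary declares. Make both places agree on one pair of numbers, and use the same whitespace after `#define` on both lines (one has a space, the other a tab).
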
>   That's a typo.
>   It looks interesting, though.

And of course my patch didn't contain this typo:-)


Michal Prochazka // michalp at

Supercomputing Center Brno
Institute of Computer Science
Masaryk University
Botanicka 68a, 60200 Brno, CZ

CESNET z.s.p.o.
Zikova 4, 16200 Praha 6, CZ