Another patch for X509 validation

Juan C. Sanchez-DelBarrio carlos.sanchez at
Thu Nov 9 10:16:41 CET 2006

Hi Michal,

I'm sorry, but I said "I follow with the idea of the other developer".
Tbis developer is you, but I didn't remeber of your name. And "Yes", I
used your patch, but I modified it for 1.1.3 version. And "Yes", I have
used badly "we propose".

Best regards,
Michal Prochazka wrote:
> Hello,
> Alan DeKok wrote:
>> "Juan C. Sanchez-DelBarrio" <carlos.sanchez at> wrote:
>>> I follow with the idea of the other developer. In our organization, we
>>> need that you can filter not only using check_cert_cn if not using
>>> organizational-unit (O) of the DN. Firstly, we propose the following
>>> patch using external script where you can define your own filter.
>>   Ok...
> Maybe I don't really understand what Juan mean with "we propose" but
> this patch is made by me and I sent it to this list on 12. 5. 2006
> (Msg ID: 4464493E.6020002 at but without any response from
> Alan or other developers:-( This patch is only for 1.1.0. I also
> made changes to the patch to be usable in freeradius 1.1.2. I'm not
> testing the patch against new versions of freeradius because we are
> running version 1.1.0.
> I also asked in this list if anyone needs the whole certificate to
> be sent to the script, but without any response. I didn't do this
> modification to eap-tls because we need only issuer and subject.
>>> +ATTRIBUTE       X509-Subject                            1102    string
>>> +ATTRIBUTE       X509-Issuer                             1103    string
>> ...
>>> +#define PW_X509_SUBJECT			1100
>>> +#define	PW_X509_ISSUER			1101
>>   That's a typo.
>>   It looks interesting, though.
> And of course my patch didn't contain this typo:-)
> Regards,
> Michal
> ------------------------------------------------------------------------
> - 
> List info/subscribe/unsubscribe? See

Juan C. Sanchez-DelBarrio

More information about the Freeradius-Devel mailing list