eaptls CN case insensitive checking

leopold vova_b at yahoo.com
Thu Sep 24 20:01:19 CEST 2009

When using the check_cert_cn option in eap.conf, and when some old Windows
supplicants send a certificate, FreeRADIUS fails when comparing "identity" and
cert.CN because the username/machine case does not match.
Most often the supplicant client sends an identity which corresponds to cert.CN
(exact match); we can't explain why it sometimes sends the wrong case.

Would it be beneficial to have a configuration option and force FreeRADIUS
to compare the CN with an ignore-case option?
If you feel this is a good option, I can supply a diff file for 2.1.7.

Something like a new option in rlm_eap_tls.c:
       { "ignore_case_cn_check", PW_TYPE_BOOLEAN,
         offsetof(EAP_TLS_CONF, ignore_case_cn_check), NULL, "yes" },

if (strcmp(cn_str, common_name) != 0) {
    int strcmpRet = 0;
    /* Exact match failed: compare again, ignoring case if configured. */
    if (conf->ignore_case_cn_check) {
            strcmpRet = strcasecmp(cn_str, common_name);
    } else {
            strcmpRet = strcmp(cn_str, common_name);
    }
}

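An added example, not part of the original message and not FreeRADIUS code: one way to write the case-insensitive CN check proposed above. `cn_matches` and its parameters are hypothetical; it folds only ASCII letters so the result does not depend on the locale, and it takes the CN length explicitly so a CN containing an embedded NUL cannot match a shorter expected string.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Fold ASCII A-Z only, so the result does not depend on the process
 * locale (strcasecmp() follows the current locale). */
static unsigned char ascii_lower(unsigned char c)
{
    return (c >= 'A' && c <= 'Z') ? (unsigned char)(c - 'A' + 'a') : c;
}

/*
 * cn_matches() is a hypothetical helper, not a FreeRADIUS function.
 * expected:    NUL-terminated string the CN must equal (the expanded
 *              check_cert_cn value)
 * cn, cn_len:  raw CN bytes and their length as taken from the certificate
 * ignore_case: the proposed ignore_case_cn_check setting
 * Returns 1 on match, 0 otherwise.
 */
int cn_matches(const char *expected, const unsigned char *cn,
               size_t cn_len, int ignore_case)
{
    size_t i;

    if (!expected || !cn) return 0;
    /* Comparing lengths first means a CN with an embedded NUL can never
     * match a shorter expected string, as it would with strcmp(). */
    if (strlen(expected) != cn_len) return 0;

    for (i = 0; i < cn_len; i++) {
        unsigned char a = (unsigned char)expected[i], b = cn[i];
        if (ignore_case) { a = ascii_lower(a); b = ascii_lower(b); }
        if (a != b) return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample values, not taken from the original message. */
    const unsigned char cn[] = "host/pc01.example.org";
    const unsigned char nul_cn[] = "alice\0.example.org";

    printf("%d\n", cn_matches("host/PC01.example.org", cn, sizeof(cn) - 1, 1));
    printf("%d\n", cn_matches("host/PC01.example.org", cn, sizeof(cn) - 1, 0));
    printf("%d\n", cn_matches("alice", nul_cn, sizeof(nul_cn) - 1, 1));
    return 0;
}
```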
