RADSEC cert validation doesnt seem to work...
A.L.M.Buxey at lboro.ac.uk
Fri Jun 10 10:50:01 CEST 2011
> > # be checked against the DN of the issuer in
> > # the client certificate. If the values do not
> > # match, the cerficate verification will fail,
> > # rejecting the user.
> That's only for the client cert.
yes, I'm looking at it , i believe, the right way around - I have a remote
RADSEC client talking to this server - so that remote server is a client...
> > (0) <<< TLS 1.0 Handshake [length 08b8], Certificate
> > (0) chain-depth=1,
> That's the issue: depth=1. If it was zero, then the check_cert_issuer
> code would apply.
> Which certificate is being checked here? Where did it come from?
this is a straight forward cert that has been signed by the eduPKI system -
no chained certificate IIRC (though a chained CA shouldnt be an issue either
as many clients are signed by a CA that is chained to a CA....)
Version: 3 (0x2)
Serial Number: xxxxxxxxxx (0xxxxxxxxxx)
Signature Algorithm: sha1WithRSAEncryption
Issuer: DC=org, DC=edupki, CN=eduPKI CA G 01
Not Before: Feb 28 08:29:05 2011 GMT
Not After : Feb 27 08:29:05 2016 GMT
Subject: DC=net, DC=geant, DC=eduroam, C=GB, O=Loughborough University, CN=server.lboro.ac.uk
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
Exponent: 65537 (0x10001)
X509v3 Basic Constraints: critical
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication
X509v3 Subject Key Identifier:
X509v3 Authority Key Identifier:
X509v3 Subject Alternative Name:
DNS:server.lboro.ac.uk, email:removed at lboro.ac.uk
X509v3 Certificate Policies:
X509v3 CRL Distribution Points:
Authority Information Access:
OCSP - URI:http://ocsp.edupki.org/OCSP-Server/OCSP
CA Issuers - URI:http://cdp.edupki.org/edupki-ca/pub/cacert/cacert.crt
I've removed some things for privacy/security...and other bits because I'm not too familiar
with eduPKI policy on disclosure - eg OID policies...
More information about the Freeradius-Devel