RADSEC cert validation doesn't seem to work...

Alan Buxey A.L.M.Buxey at lboro.ac.uk
Fri Jun 10 10:50:01 CEST 2011


Hi,

> >                #  be checked against the DN of the issuer in
> >                #  the client certificate.  If the values do not
> >                #  match, the certificate verification will fail,
> >                #  rejecting the user.
> 
>   That's only for the client cert.

yes, I'm looking at it, I believe, the right way around - I have a remote
RADSEC client talking to this server - so that remote server is a client...

> > (0) <<< TLS 1.0 Handshake [length 08b8], Certificate
> > (0) chain-depth=1, 
> 
>   That's the issue: depth=1.  If it was zero, then the check_cert_issuer
> code would apply.
> 
>   Which certificate is being checked here?  Where did it come from?

this is a straightforward cert that has been signed by the eduPKI system -
no chained certificate IIRC (though a chained CA shouldn't be an issue either,
as many clients are signed by a CA that is chained to a CA....)

<snip>

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: xxxxxxxxxx (0xxxxxxxxxx)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: DC=org, DC=edupki, CN=eduPKI CA G 01
        Validity
            Not Before: Feb 28 08:29:05 2011 GMT
            Not After : Feb 27 08:29:05 2016 GMT
        Subject: DC=net, DC=geant, DC=eduroam, C=GB, O=Loughborough University, CN=server.lboro.ac.uk
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                <snip>
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Subject Key Identifier: 
                <snip>
            X509v3 Authority Key Identifier: 
                <snip>

            X509v3 Subject Alternative Name: 
                DNS:server.lboro.ac.uk, email:removed at lboro.ac.uk
            X509v3 Certificate Policies: 
                <snip>

            X509v3 CRL Distribution Points: 
                URI:http://cdp.edupki.org/edupki-ca/pub/crl/cacrl.crl

            Authority Information Access: 
                OCSP - URI:http://ocsp.edupki.org/OCSP-Server/OCSP
                CA Issuers - URI:http://cdp.edupki.org/edupki-ca/pub/cacert/cacert.crt


I've removed some things for privacy/security... and other bits because I'm not too familiar
with eduPKI policy on disclosure - e.g. OID policies...

alan
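The depth point made above (check_cert_issuer only applies at depth 0, the client's own certificate, while chain-depth=1 is the CA above it) can be reproduced on a throwaway chain. This is an added example, not code from the thread or from FreeRADIUS: it builds a constructed CA and RADSEC client certificate with openssl (all names are hypothetical), prints the chain as the verify callback numbers it, and emulates the issuer comparison on the depth-0 certificate only.

```shell
#!/bin/sh
# Added example, not part of the original thread. Builds a constructed
# CA -> RADSEC client certificate chain in a temp dir, shows how openssl
# numbers the chain (depth=0 is the client cert, depth=1 its issuer) and
# emulates check_cert_issuer, which compares only the depth-0 certificate.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Constructed certificates; all DNs are hypothetical.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout ca.key -out ca.pem \
    -subj "/DC=org/DC=example/CN=Example Federation CA" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
    -subj "/DC=net/DC=example/O=Example University/CN=radsec.example.net" 2>/dev/null
openssl x509 -req -days 1 -in client.csr -CA ca.pem -CAkey ca.key \
    -CAcreateserial -out client.pem 2>/dev/null
# A second, unrelated CA, used only to show a mismatch.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout other.key -out other.pem \
    -subj "/DC=org/DC=example/CN=Unrelated CA" 2>/dev/null

# Subject / issuer DN of a certificate in openssl's legacy oneline form
# ("/DC=org/DC=.../CN=..."), the same form FreeRADIUS prints in its debug output.
subject_dn() { openssl x509 -noout -subject -nameopt compat -in "$1" | sed 's/^subject= *//'; }
issuer_dn()  { openssl x509 -noout -issuer  -nameopt compat -in "$1" | sed 's/^issuer= *//'; }

# Prints the chain the way the verify callback walks it: depth=0 is the
# client certificate, depth=1 the CA that signed it.
show_chain() { openssl verify -CAfile "$2" -show_chain "$1" | grep '^depth='; }

# Emulation of check_cert_issuer: the configured DN is compared with the
# issuer of the depth-0 (client) certificate only; CA certificates further up
# the chain are never compared against it.
check_cert_issuer() {
    cert=$1; expected=$2
    if [ "$(issuer_dn "$cert")" = "$expected" ]; then echo ok; else echo mismatch; fi
}

show_chain client.pem ca.pem
echo "client issuer : $(issuer_dn client.pem)"
echo "configured    : $(subject_dn ca.pem)"
check_cert_issuer client.pem "$(subject_dn ca.pem)"      # ok
check_cert_issuer client.pem "$(subject_dn other.pem)"   # mismatch
```

The configured value must be the issuer DN of the client certificate itself, in the same oneline form the server logs; a mismatch anywhere else in the chain is a trust-store problem, not a check_cert_issuer one.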
