Checking TLS-Cert-* and accept/reject based on them

Phil Mayers p.mayers at imperial.ac.uk
Thu Feb 2 17:50:37 CET 2012


On 02/02/2012 04:27 PM, Matthew Newton wrote:

> However, I looked at and implemented a different solution, which
> seems to work really well. Taking ideas from inner-tunnels and the
> SoH check method, I added a virtual_server option to the tls
> configuration. The rlm_eap_tls code then, just before returning
> success, runs through this virtual server (if given) allowing it
> to check the TLS-Cert* vps, and reject if it wants to based on
> them.
>
> Comments?

Personally, I like the look of this approach; it's very closely 
analogous to how the tunneled mechanisms work.

It might also be a good place to conditionally permit/deny TLS session 
resumption, which at the moment is a bit tricky.

I'm not sure whether it makes sense to do cert validation / OCSP in an 
"inner" tunnel; I suspect that would be quite hard, and require a much 
larger patch. But I don't use either feature, so will withhold judgement.
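For readers of the archive, here is an added sketch of what the proposal in the quoted message could look like in a FreeRADIUS configuration. It is an illustration written for this page, not Matthew's patch or code from the FreeRADIUS project. The `virtual_server` option name is taken from the quoted description; the server name `check-eap-tls`, the issuer DN, and the use of the `TLS-Client-Cert-*` attribute names as populated by rlm_eap_tls are assumptions.

```unlang
# Added illustration (not the patch under discussion).
# The "tls" section gains a virtual_server option; rlm_eap_tls would run
# that server after the handshake succeeds and before it returns success,
# so unlang there can inspect the certificate attributes and reject.

eap {
    tls {
        # Existing tls settings (private_key_file, certificate_file,
        # CA_file, ...) stay as they are; only this line is new.
        virtual_server = check-eap-tls   # assumed name for the checker
    }
}

server check-eap-tls {
    authorize {
        # Defence in depth: the CA bundle may trust more than one issuer,
        # so only accept client certs from our own issuing CA.
        # (Issuer DN is a constructed placeholder.)
        if (TLS-Client-Cert-Issuer != "/C=GB/O=Example Org/CN=Example Issuing CA") {
            reject
        }

        # Require a sane, lower-case alphanumeric CN so that the value can
        # later be used as a username lookup key without surprises.
        if (TLS-Client-Cert-Common-Name !~ /^[a-z0-9]+$/) {
            reject
        }

        # Anything that reaches this point passes the extra checks and
        # rlm_eap_tls continues as today.
        ok
    }
}
```

The point of the structure is that policy lives in ordinary unlang rather than inside rlm_eap_tls itself, so sites can tighten or loosen the checks (issuer pinning, CN format, lookups against a user store) without a code change.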


