Checking TLS-Cert-* and accept/reject based on them

Alan DeKok aland at
Fri Feb 3 11:25:30 CET 2012

Matthew Newton wrote:
> However, I looked at and implemented a different solution, which
> seems to work really well. Taking ideas from inner-tunnels and the
> SoH check method, I added a virtual_server option to the tls
> configuration. The rlm_eap_tls code then, just before returning
> success, runs through this virtual server (if given) allowing it
> to check the TLS-Cert* vps, and reject if it wants to based on
> them.

  That's very nice.

> It turns out to be a pretty small patch, and the code path isn't
> touched at all if the virtual_server option is not set. I've
> tested with EAP-TLS and PEAP/EAP-TLS, and both work well.

  I've posted some comments on github.

> I think the next step would be to move the client certificate
> validation, ocsp and other checks as 'modules' in this virtual
> server, but that looks a bit harder as they are done in a openssl
> callback function (cbtls_verify IIRC) - but may not be past the
> realms of possibility.

  I think that's a good idea.  Especially the OCSP code.  It should
really be a pluggable module.

  Alan DeKok.
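What the virtual server Matthew describes could look like in FreeRADIUS configuration syntax, as an added example written for this page rather than code from the patch or from the FreeRADIUS project. The option name virtual_server is the one named above; the placement inside the eap module's tls section, the server name check-client-cert, the use of the authorize section, the issuer DN and serial values, and the attribute names TLS-Client-Cert-Issuer, TLS-Client-Cert-Serial and TLS-Client-Cert-Common-Name are assumptions for illustration. Note that, as described above, this runs only after OpenSSL's own chain verification (the cbtls_verify callback, including any OCSP check) has already passed, so it can only add rejections on top of that validation, not replace it.

```unlang
# Added example, not from the patch or the project.  Section path and
# server name are assumed.
eap {
    tls {
        # ... existing certificate, CA and cipher settings ...

        # Run this virtual server just before EAP-TLS returns success.
        # If the option is absent, no extra check is performed.
        virtual_server = check-client-cert
    }
}

server check-client-cert {
    authorize {
        # Accept only certificates from our issuing CA.  A chain that
        # validates to some other trusted CA still gets here, so this
        # is a policy check on top of chain validation.  (Issuer DN is
        # a placeholder; attribute name assumed.)
        if (TLS-Client-Cert-Issuer != "/C=GB/O=Example/CN=Example Issuing CA") {
            reject
        }

        # Deny specific serial numbers, e.g. a compromised key that
        # has not yet reached the CRL.  (Serial value is a placeholder.)
        if (TLS-Client-Cert-Serial == "01ab") {
            reject
        }

        # Require the certificate CN to match the EAP identity, so a
        # valid certificate for one user cannot be presented under
        # another user's name.
        if (TLS-Client-Cert-Common-Name != User-Name) {
            reject
        }

        ok
    }
}
```

Each rejection should be tested with a client certificate that satisfies the OpenSSL verification (valid chain, not revoked) but fails one policy rule, to confirm that the virtual server is actually consulted and that the EAP exchange ends in an Access-Reject rather than Access-Accept.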
