Checking TLS-Cert-* and and accept/reject based on them

Matthew Newton mcn4 at
Fri Feb 3 13:52:20 CET 2012


On Fri, Feb 03, 2012 at 11:25:30AM +0100, Alan DeKok wrote:
> Matthew Newton wrote:
> > However, I looked at and implemented a different solution, which
> > seems to work really well. Taking ideas from inner-tunnels and the
> > SoH check method, I added a virtual_server option to the tls
>   That's very nice.

Thanks :)

> > It turns out to be a pretty small patch, and the code path isn't
> > touched at all if the virtual_server option is not set. I've
> > tested with EAP-TLS and PEAP/EAP-TLS, and both work well.
>   I've posted some comments on github.

I've improved it a lot based on that - it's much neater and
simpler now. I realised that I was needlessly copying in the
certificate VPs that had already been copied, so that's gone.

> > I think the next step would be to move the client certificate
> > validation, ocsp and other checks as 'modules' in this virtual
> > server, but that looks a bit harder as they are done in a openssl
> > callback function (cbtls_verify IIRC) - but may not be past the
> > realms of possibility.
>   I think that's a good idea.  Especially the OCSP code.  It should
> really be a pluggable module.

Will have to stare at the code on this. I struggle to understand
the SSL stuff well, and this looks slightly more complicated due
to the callback function, so I'm not sure where OpenSSL calls it,
or if it could easily be separated out. Will try and have a look.

Couple of updates pushed to



Matthew Newton, Ph.D. <mcn4 at>

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at>

More information about the Freeradius-Devel mailing list