Checking TLS-Cert-* and and accept/reject based on them

Matthew Newton mcn4 at
Wed Feb 8 15:04:19 CET 2012


On Wed, Feb 08, 2012 at 11:47:57AM +0100, Alan DeKok wrote:
>   My only comment is that the patch is against the v2.1.x branch.  Major
> new functionality needs to go into the "master" branch.

That's fine - I thought it was probably a bit on the edge as to
whether it would be suitable for v2.1.x (the whole lot is disabled
by one big 'if', so without the virtual-server option, it's all a

I'm running 2.1.x for production, hence doing it for that.
Although I'm wondering now if I might just jump to master for some
of the servers. More testing, and anyway, what can go wrong? ;-)

On Wed, Feb 08, 2012 at 12:00:40PM +0100, Alan DeKok wrote:
> Matthew Newton wrote:
> > I've just built a service with this, and there are couple of nice
> > things that I didn't expect (I was just hoping to do some unlang
> > on the certificate data!)
>   OK.  After some minor persuasion, I've committed it to the "master"
> branch.
>   Let me know if there are any issues.

Thanks! - I'll check it and see.

>   Can you update the sites-available/check-eap-tls file with more
> examples?  like a detail file && LDAP checks, as you said in your email.
>  That would help document some neat new features.

Will do.



Matthew Newton, Ph.D. <mcn4 at>

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at>

More information about the Freeradius-Devel mailing list