rlm_rest and certificates - evolution proposal

Chaigneau, Nicolas nicolas.chaigneau at capgemini.com
Wed Jan 24 17:16:28 CET 2018


I'd like to discuss module rlm_rest and how it handles certificates.

I think the parameter "ca_file" has a confusing name and is not adequate for all cases.
This parameter allows setting the curl option "CURLOPT_ISSUERCERT".
This is a file that contains one single CA, which is the issuer of the certificate provided by the remote server.

In the past I've struggled with this option as it seemed to behave differently between factory and production.
The answer was that in production they have a multi-level CA hierarchy and were using a bundle of certificates, so it did not work (unless the first certificate in the file was the issuer itself).

IMO what we need is to allow setting the curl option "CURLOPT_CAINFO". If this option is not set, curl will try to validate the CA chain using a default location, and it will fail.

So I'd like to propose the following evolution:

1) Keep option "CURLOPT_ISSUERCERT", it's useful. But the parameter "ca_file" is confusing, so it should be renamed. How about "issuer_cert_file"? (trying to be consistent with the curl option name and other FreeRADIUS parameters)

2) Add support for option "CURLOPT_CAINFO". Maybe a new parameter named "ca_info_file" ?

3) Comment this in the rest module configuration example.

If you agree with this proposal, I can do a patch for 3.0.x.

In any case, I'd like to hear your opinion on this.



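The distinction the post draws between the two curl options, as an added illustration that is not part of the original message or of FreeRADIUS: a hypothetical Go fixture builds the multi-level hierarchy (root, intermediate, REST server cert) and models how each option reads a "ca_file". VerifyCAInfo treats every certificate in the file as trusted, like CURLOPT_CAINFO; VerifyIssuerCert is a simplified model of CURLOPT_ISSUERCERT, which reads only the first certificate and requires it to be the direct issuer. All names and the certificate subjects are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert builds and signs a throwaway test certificate; parent == nil means self-signed.
// Fixture only: every cert gets CertSign so the same helper can mint CAs and the leaf.
func newCert(cn string, ca bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA:         ca, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	if parent == nil { // self-signed root: the template is its own issuer
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der) // a failed CreateCertificate yields nil here and panics downstream
	return cert, key
}

// Chain builds the hierarchy from the post (assumed names): root -> intermediate -> REST server cert.
func Chain() (root, inter, leaf *x509.Certificate) {
	root, rootKey := newCert("Example Root CA", true, nil, nil)
	inter, interKey := newCert("Example Intermediate CA", true, root, rootKey)
	leaf, _ = newCert("rest.example.com", false, inter, interKey)
	return
}

// VerifyCAInfo models CURLOPT_CAINFO: every cert in the file is trusted, in any order.
func VerifyCAInfo(bundle []*x509.Certificate, leaf *x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, c := range bundle {
		pool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool})
	return err == nil
}

// VerifyIssuerCert models CURLOPT_ISSUERCERT (simplified): only the file's first cert counts,
// and it must have directly signed the server certificate.
func VerifyIssuerCert(file []*x509.Certificate, leaf *x509.Certificate) bool {
	return leaf.CheckSignatureFrom(file[0]) == nil
}
```

With a bundle ordered root then intermediate, VerifyCAInfo succeeds while VerifyIssuerCert fails, which is the production behaviour described above; swapping the order (or supplying only the intermediate) makes the issuer check pass.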
