Check the subject and issuer in the EAP-TLS

Michal Prochazka michalp at
Fri May 12 14:58:56 CEST 2006

>   IMHO, it is very breakable script: it compare only strings (issuer 
> name, subject, etc), which can be forged easily. IMHO, we need to check 
> sha1/md5 signatures of CA certificates, not strings.

I don't agree with you. Freeradius checks that the certificate is issued 
by one of the CA defined in config of EAP-TLS. And then this script 
compare the subject, you cannot forged it. And of course this patch can 
be easily enhanced to export sha1/md5 signatures.

This patch is made directly for our needs. We have autogenerated file 
which contains the subject names of allowed certificates. Our CA is part 
of EUGridPMA and their policy is that there cannot be two certificates 
with the same subject.

Michal Prochazka // michalp at

Supercomputing Center Brno
Institute of Computer Science
Masaryk University
Botanicka 68a, 60200 Brno, CZ

CESNET z.s.p.o.
Zikova 4, 16200 Praha 6, CZ
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 2920 bytes
Desc: S/MIME Cryptographic Signature
URL: <>

More information about the Freeradius-Users mailing list