Check the subject and issuer in the EAP-TLS
Michal Prochazka
michalp at ics.muni.cz
Fri May 12 14:58:56 CEST 2006
> IMHO, it is a very breakable script: it compares only strings (issuer
> name, subject, etc.), which can be forged easily. IMHO, we need to check
> sha1/md5 signatures of CA certificates, not strings.
I don't agree with you. Freeradius checks that the certificate is issued
by one of the CAs defined in the EAP-TLS config. And then this script
compares the subject, which you cannot forge. And of course this patch can
be easily enhanced to export sha1/md5 signatures.
This patch is made directly for our needs. We have an autogenerated file
which contains the subject names of allowed certificates. Our CA is part
of EUGridPMA and their policy is that there cannot be two certificates
with the same subject.
--
Michal Prochazka // michalp at ics.muni.cz
Supercomputing Center Brno
Institute of Computer Science
Masaryk University
Botanicka 68a, 60200 Brno, CZ
CESNET z.s.p.o.
Zikova 4, 16200 Praha 6, CZ
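The check described in the message above, as an added example that is neither Michal's patch nor FreeRADIUS code: the subject allow-list gate he describes, and next to it the fingerprint pinning the quoted reply asks for, so the two can be compared on the same inputs. Everything below is assumed rather than taken from the page: that FreeRADIUS has already verified the client certificate chains to a configured EAP-TLS CA before this runs, that subject and issuer are handed over as RFC 2253 style strings, that the raw DER bytes are available for hashing, and that the autogenerated file holds one subject per line. The sample DNs, the allow-list and the DER stand-in are constructed.

```python
"""Added example, not from the thread, the patch, or FreeRADIUS.

Assumptions (not stated on the page):
  - Chain validation to a configured EAP-TLS CA has already succeeded;
    this is a second gate, never a replacement for it.
  - Subject/issuer arrive as RFC 2253 strings, DER bytes are available.
  - Allow-list file: one subject DN per line, '#' starts a comment.
"""
import hashlib
from typing import Iterable, Sequence, Tuple

DN = Tuple[Tuple[str, str], ...]


def parse_dn(dn: str) -> DN:
    """Split an RFC 2253 DN into ((TYPE, value), ...), order preserved.

    A plain str.split(',') would misread 'CN=a\\,O=x' as two RDNs, so
    backslash escapes are honoured. Types are upper-cased and whitespace
    around types/values dropped, so cosmetic differences between the
    generator of the allow-list and the server do not cause false
    mismatches. Values themselves are compared exactly."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):   # escaped char: keep literally
            buf.append(dn[i + 1]); i += 2; continue
        if c == ",":
            rdns.append("".join(buf)); buf = []
        else:
            buf.append(c)
        i += 1
    rdns.append("".join(buf))
    out = []
    for rdn in rdns:
        t, sep, v = rdn.partition("=")
        if not sep or not t.strip():
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        out.append((t.strip().upper(), v.strip()))
    return tuple(out)


def load_allowlist(lines: Iterable[str]) -> frozenset:
    """Parse the autogenerated subject file into normalised DNs."""
    return frozenset(parse_dn(l.strip()) for l in lines
                     if l.strip() and not l.lstrip().startswith("#"))


def sha1_fingerprint(der: bytes) -> str:
    """SHA-1 over the DER bytes in the colon form `openssl x509 -fingerprint` prints."""
    h = hashlib.sha1(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def check_client(subject: str, issuer: str, der: bytes,
                 trusted_issuers: Sequence[str], allowed_subjects: frozenset,
                 pinned_fingerprints: frozenset = frozenset()) -> Tuple[bool, str]:
    """Return (accept, reason).

    Issuer first: a subject allow-list only means something for a CA whose
    policy guarantees unique subjects (the EUGridPMA rule relied on above).
    If a fingerprint file is configured it takes over: that pins one exact
    certificate, which is stronger but has to be regenerated on every
    renewal or re-key, while a subject survives renewal."""
    if parse_dn(issuer) not in {parse_dn(t) for t in trusted_issuers}:
        return False, "issuer not in trusted set"
    if pinned_fingerprints:
        fp = sha1_fingerprint(der)
        ok = fp in pinned_fingerprints
        return ok, "fingerprint match" if ok else f"fingerprint {fp} not pinned"
    try:
        subj = parse_dn(subject)
    except ValueError as exc:
        return False, f"unparseable subject: {exc}"
    ok = subj in allowed_subjects
    return ok, "subject in allow-list" if ok else "subject not in allow-list"


# Constructed sample data (not from the thread). FAKE_DER stands in for a
# real certificate's DER bytes; it is not a parseable certificate.
TRUSTED_ISSUERS = ["C=CZ, O=Example Grid CA, CN=Example Grid CA"]
ALLOWLIST_FILE = """\
# autogenerated: one subject per line
C=CZ,O=Example Grid CA,OU=People,CN=Alice Example
C=CZ,O=Example Grid CA,OU=Hosts,CN=host/node1.example.org
"""
FAKE_DER = b"\x30\x82\x01\x00constructed-stand-in-for-DER-bytes"
ALLOWED = load_allowlist(ALLOWLIST_FILE.splitlines())


def demo() -> dict:
    """The cases a reviewer of such a script would want exercised."""
    issuer = TRUSTED_ISSUERS[0]
    good = "C=CZ, O=Example Grid CA, OU=People, CN=Alice Example"
    pinned = frozenset({sha1_fingerprint(FAKE_DER)})
    return {
        # spacing differs from the allow-list line, same DN
        "good": check_client(good, issuer, FAKE_DER, TRUSTED_ISSUERS, ALLOWED)[0],
        # right subject, but a CA not configured for EAP-TLS: must fail
        "rogue_issuer": check_client(good, "O=Rogue CA,CN=Rogue CA", FAKE_DER,
                                     TRUSTED_ISSUERS, ALLOWED)[0],
        # allow-listed DN as a prefix with an extra RDN: exact match rejects it
        "extra_rdn": check_client(good + ",CN=Mallory", issuer, FAKE_DER,
                                  TRUSTED_ISSUERS, ALLOWED)[0],
        # fingerprint mode: only the exact pinned certificate passes
        "pinned": check_client(good, issuer, FAKE_DER, TRUSTED_ISSUERS, ALLOWED, pinned)[0],
        "renewed_cert": check_client(good, issuer, FAKE_DER + b"renewed",
                                     TRUSTED_ISSUERS, ALLOWED, pinned)[0],
    }
```

The `renewed_cert` case is the practical difference between the two positions in the thread: after the CA re-issues Alice's certificate, the subject check still accepts her while the fingerprint check rejects her until the pinned file is regenerated. Neither check is safe without the chain validation assumed at the top; the issuer test only confirms which configured CA signed, it does not verify the signature.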