Support for check_cert_subjectAltName?
Graham Leggett
minfrin at sharp.fm
Sun Jan 8 18:20:26 CET 2012
On 08 Jan 2012, at 5:01 PM, Alan DeKok wrote:
>> When using client certificates in EAP-TLS, the check_cert_cn option exists that allows you to check that the username matches the CN. Is there a corresponding option somewhere that will allow you to verify the User-Name against the subjectAltName instead?
>
> In the latest version of the server, see raddb/sites-available/default. Look for TLS-Cert
That wasn't quite what I was after, but rather a generic way to ensure the User-Name matches either dnsName or rfc822Name in the subjectAltName, depending on whether the peer was a host or a person.
Turned out the patch to implement this was simple, for freeradius-server-master:
[Attachment: freeradius-master-check_cert_san.patch (application/octet-stream, 4170 bytes): <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20120108/12880cca/attachment.obj>]
And this is the same patch, backported to v2.1.x:
[Attachment: freeradius-check_cert_san.patch (application/octet-stream, 3627 bytes): <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20120108/12880cca/attachment-0001.obj>]
It adds a check_user_san option, which some googling showed people have asked about in the past.
Regards,
Graham
--
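The check Graham describes (User-Name must equal a dNSName when the peer is a host, or an rfc822Name when the peer is a person) is implemented below as an added example in Python. It is not the attached C patch and not FreeRADIUS code: it decodes the DER value of a subjectAltName extension by hand (no external libraries), so the sample SAN is constructed inline with a tiny encoder. The matching rules (local part of an e-mail compared exactly, domains and host names case-insensitively, wildcard dNSName entries never accepted, entries with embedded NUL bytes rejected) are this example's assumptions about what a sensible check_user_san should do, not something the message specifies.

```python
# Added example, not the patch attached to this message: decode the DER value
# of a subjectAltName extension (GeneralNames, RFC 5280 s. 4.2.1.6) and check
# a RADIUS User-Name against it, using dNSName when the peer is a host and
# rfc822Name when it is a person.

TAG_SEQUENCE = 0x30
TAG_RFC822NAME = 0x81  # [1] IMPLICIT IA5String
TAG_DNSNAME = 0x82     # [2] IMPLICIT IA5String


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length exceeds buffer")
    return tag, buf[pos:end], end


def parse_general_names(san_der):
    """Parse a subjectAltName value into [(kind, name), ...].

    Only rfc822Name and dNSName are returned; other GeneralName choices
    (iPAddress, URI, otherName, ...) are skipped.  Entries carrying a NUL
    byte or non-ASCII bytes are rejected rather than silently truncated.
    """
    tag, body, end = _read_tlv(san_der, 0)
    if tag != TAG_SEQUENCE or end != len(san_der):
        raise ValueError("subjectAltName is not a single SEQUENCE")
    names = []
    pos = 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag not in (TAG_RFC822NAME, TAG_DNSNAME):
            continue
        if b"\x00" in value:
            raise ValueError("embedded NUL in subjectAltName entry")
        try:
            text = value.decode("ascii")
        except UnicodeDecodeError:
            raise ValueError("non-IA5 bytes in subjectAltName entry")
        kind = "rfc822Name" if tag == TAG_RFC822NAME else "dNSName"
        names.append((kind, text))
    return names


def user_name_matches_san(user_name, san_der):
    """True if User-Name equals one SAN entry of the matching type.

    Assumed policy: a User-Name containing '@' is a person and must equal an
    rfc822Name (local part compared exactly, domain case-insensitively);
    anything else is a host and must equal a dNSName case-insensitively.
    Wildcard dNSName entries never match: the aim is to bind one identity to
    one certificate, not to authorise a whole domain.
    """
    names = parse_general_names(san_der)
    if "@" in user_name:
        local, _, domain = user_name.rpartition("@")
        for kind, name in names:
            if kind != "rfc822Name" or "@" not in name:
                continue
            n_local, _, n_domain = name.rpartition("@")
            if n_local == local and n_domain.lower() == domain.lower():
                return True
        return False
    wanted = user_name.rstrip(".").lower()
    return any(kind == "dNSName" and "*" not in name
               and name.rstrip(".").lower() == wanted
               for kind, name in names)


def _tlv(tag, value):
    """Tiny DER encoder (short-form lengths only) used to build sample input."""
    if len(value) >= 128:
        raise ValueError("short-form length only")
    return bytes([tag, len(value)]) + value


# Constructed sample: a SAN holding one dNSName and one rfc822Name.
SAMPLE_SAN = _tlv(TAG_SEQUENCE,
                  _tlv(TAG_DNSNAME, b"host.example.com")
                  + _tlv(TAG_RFC822NAME, b"alice@example.com"))

if __name__ == "__main__":
    for user in ("host.example.com", "HOST.example.com", "alice@example.com",
                 "Alice@example.com", "bob@example.com", "other.example.com"):
        print(f"{user:20} -> {user_name_matches_san(user, SAMPLE_SAN)}")
```

A server doing this check should treat any ValueError from the parser as a failed match: a SAN that cannot be decoded cleanly is a reason to reject the peer, not to fall back to the CN.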