Read TLS Client cert outside of authentication

Alan DeKok aland at
Fri Feb 28 23:40:09 CET 2014

Travis Dimmig wrote:
> Is it possible to read fields of the client cert divorced from the act
> of authenticating with it?  Specifically, I have a FreeRADIUS server
> that proxies the authentication requests to have the actual
> authentication done by another, but I want to be able to inspect the
> value of the CommonName from the server doing the proxying.

  i.e. decode the EAP protocol, then decode and reconstruct TLS, then
pull the cert out of the reconstructed TLS session.

  That's hard.  I welcome a patch, but it would be complicated.

>  The
> examples in the post-auth section show exactly the kind of control I
> want, where the values of cert fields are populated in FreeRADIUS
> internal attributes, but I need access to them from the server that is
> otherwise just proxying the requests.

  <shrug>  Maybe Wireshark would be useful here.  It has some TLS
reconstruction code.

> I thought of having the authentication server add the values back into
> the reply, but an ideal solution would not require any changes on the
> authentication server.

  That would be simplest.

  Alan DeKok.
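
The layering Alan sketches above (decode EAP, reassemble TLS, pull the cert out) as an added worked example; this is not code from the thread or from FreeRADIUS. It walks the Access-Request direction only, so the Certificate message it finds is the client's rather than the home server's, and it only works while the client Certificate travels in the clear, i.e. TLS 1.2 and earlier (TLS 1.3 encrypts it, and nothing a proxy does can recover it). The sample traffic is constructed: a structurally minimal, unsigned certificate inside one TLS record, split across two EAP-TLS fragments in two Access-Requests. A real deployment would buffer the Access-Requests per State/session before calling this, and would hand the DER to a proper X.509 parser instead of the positional walk used here.

```python
# Added example, not FreeRADIUS code.  Layers: RADIUS EAP-Message -> EAP ->
# EAP-TLS fragments -> TLS records -> handshake Certificate -> subject CN.
import struct

EAP_MESSAGE, EAP_TYPE_TLS = 79, 13          # RADIUS attribute type, EAP method type
FLAG_L, FLAG_M = 0x80, 0x40                 # EAP-TLS flags: Length-included, More fragments
TLS_HANDSHAKE, HS_CERTIFICATE = 22, 11
OID_CN = bytes.fromhex("550403")            # id-at-commonName, 2.5.4.3

def radius_attrs(blob, atype):
    # values of attribute `atype` in a RADIUS attribute area (20-byte header already stripped)
    i = 0
    while i + 2 <= len(blob):
        t, ln = blob[i], blob[i + 1]
        if ln < 2:
            raise ValueError("bad RADIUS attribute length")
        if t == atype:
            yield blob[i + 2:i + ln]
        i += ln

def eap_tls_data(eap):
    # TLS bytes carried by one EAP packet: b"" for an EAP-TLS ACK, None if not EAP-TLS
    if len(eap) < 6 or eap[4] != EAP_TYPE_TLS or struct.unpack("!H", eap[2:4])[0] != len(eap):
        return None
    flags, body = eap[5], eap[6:]
    return body[4:] if flags & FLAG_L else body     # L flag: skip 4-byte TLS Message Length

def reassemble_tls(request_blobs):
    # Access-Requests only (client -> server); EAP-Message attributes concatenate into
    # one EAP packet, successive EAP-TLS payloads concatenate into the TLS byte stream
    out = bytearray()
    for blob in request_blobs:
        data = eap_tls_data(b"".join(radius_attrs(blob, EAP_MESSAGE)))
        if data:
            out += data
    return bytes(out)

def handshake_messages(stream):
    # yield (type, body); a handshake message may span several TLS records
    hs, i = bytearray(), 0
    while i + 5 <= len(stream):
        ctype, _ver, ln = struct.unpack("!BHH", stream[i:i + 5])
        if ctype == TLS_HANDSHAKE:
            hs += stream[i + 5:i + 5 + ln]
        i += 5 + ln
    j = 0
    while j + 4 <= len(hs):
        hlen = int.from_bytes(hs[j + 1:j + 4], "big")
        yield hs[j], bytes(hs[j + 4:j + 4 + hlen])
        j += 4 + hlen

def leaf_certificate(stream):
    # first entry of certificate_list is the end-entity cert; body[0:3] is the list length
    for htype, body in handshake_messages(stream):
        if htype == HS_CERTIFICATE:
            return body[6:6 + int.from_bytes(body[3:6], "big")]
    return None

def der_children(value):
    # split a DER byte string into (tag, contents) pairs; handles long-form lengths
    out, i = [], 0
    while i < len(value):
        tag, ln, i = value[i], value[i + 1], i + 2
        if ln & 0x80:
            n = ln & 0x7F
            ln, i = int.from_bytes(value[i:i + n], "big"), i + n
        out.append((tag, value[i:i + ln]))
        i += ln
    return out

def subject_cn(cert_der):
    # TBSCertificate fields sit positionally: [0] version (optional), serialNumber,
    # signature, issuer, validity, subject, ...
    tbs = der_children(der_children(cert_der)[0][1])[0][1]
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:
        fields = fields[1:]
    for _, rdn in der_children(fields[4][1]):        # subject: SEQUENCE OF SET
        for _, atv in der_children(rdn):             # SET OF AttributeTypeAndValue
            (_, oid), (_, val) = der_children(atv)
            if oid == OID_CN:
                return val.decode()
    return None

# Constructed fixture (assumption, not captured traffic): a structurally minimal,
# unsigned certificate in one TLS record, split over two EAP-TLS fragments.
def der(tag, *parts):
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body           # short-form length suffices here
def x509_name(cn):
    return der(0x30, der(0x31, der(0x30, der(0x06, OID_CN), der(0x0C, cn.encode()))))
def sample_requests():
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"),
              der(0x30, der(0x06, b"\x2a\x03")), x509_name("Test CA"), der(0x30), x509_name("alice"))
    cert = der(0x30, tbs)
    lst = len(cert).to_bytes(3, "big") + cert
    hs = bytes([HS_CERTIFICATE]) + (len(lst) + 3).to_bytes(3, "big") + len(lst).to_bytes(3, "big") + lst
    rec = bytes([TLS_HANDSHAKE, 3, 3]) + len(hs).to_bytes(2, "big") + hs   # TLS 1.2 record
    a, b = rec[:40], rec[40:]
    eap1 = (struct.pack("!BBHBB", 2, 7, 10 + len(a), EAP_TYPE_TLS, FLAG_L | FLAG_M)
            + len(rec).to_bytes(4, "big") + a)
    eap2 = struct.pack("!BBHBB", 2, 8, 6 + len(b), EAP_TYPE_TLS, 0) + b
    attr = lambda v: bytes([EAP_MESSAGE, len(v) + 2]) + v
    return [attr(eap1[:20]) + attr(eap1[20:]), attr(eap2)]   # eap1 split over two EAP-Messages
```

Running `subject_cn(leaf_certificate(reassemble_tls(sample_requests())))` on the fixture yields "alice". The point of the exercise is mostly to show why Alan calls it hard: the proxy has to track fragments across several RADIUS round trips, tolerate ACK-only EAP packets, and parse TLS and X.509 itself, and it still gets nothing once the home server moves to TLS 1.3. Having the home server copy the fields it already has into the reply (the route Alan calls simplest) avoids all of that.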

More information about the Freeradius-Users mailing list