PEAP correct client certificate

Brian Julin BJulin at clarku.edu
Mon Nov 20 21:58:23 CET 2017



Alan DeKok wrote:
> On Nov 20, 2017, at 3:16 PM, Brian Julin <BJulin at clarku.edu> wrote:
> > As an aside/tangent to this, I'm wondering if I am reading the code right or missing
> > something... every place that SSL_VERIFY_CLIENT is set,
> > SSL_VERIFY_FAIL_IF_NO_PEER_CERT is also set.  So as far as I can see,
> > there is no way to make client certificates optional with PEAP.
> 
>   Those flags are set in the SSL* structure.  i.e. the one setting up *this* connection.
> 
>   The function creating the default SSL_CTX *does* set those flags.  But the "create this SSL" function clears them, if there's no requirement for client certs.
> 
>   I've tested PEAP using eapol_test with / without client certs.  It works.

I can see that the flags only get set in tls_new_session if the client_cert boolean
is asserted.  But in that case it also unconditionally sets SSL_VERIFY_FAIL_IF_NO_PEER_CERT.
Maybe I'm just missing exactly where that can get cleared.  Is the "create this SSL" function
something other than that?

What I'm talking about here is the same server serving both PEAP clients with certificates
and PEAP clients without certificates, and still being able to access the TLS-Client-* variables
in post-auth if/when the client did provide a cert.

>  If the client cert has expired, you don't really get MSCHAP auth.  The connection usually just drops in the TLS layer.

I'm assuming one could teach their validator to "ignore" the expiry date so a decision about
what to do about that could be deferred until unlang.  I have no idea whether the
OpenSSL utility makes that easy or not.

>  No.. the client *doesn't* send a client certificate unless it's (a) been configured on the client, and (b) requested by the server.

My understanding is that SSL_VERIFY_PEER controls whether the server
requests a certificate, and that FreeRADIUS only sets that when it is requiring
certificates, so there's no avenue for "request a certificate, validate it if the client
responds with one, but if no certificate was offered proceed anyway and decide what to
do about that later on in unlang."

if (client_cert) {
        RDEBUG2("Requiring client certificate");
        verify_mode = SSL_VERIFY_PEER;
        verify_mode |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
        verify_mode |= SSL_VERIFY_CLIENT_ONCE;
}

...pretty much the same thing as in both other places where those flags are referenced.  Nothing
sets SSL_VERIFY_PEER without also setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT.
Is it something internal to OpenSSL?  I admit I don't know that API much at all.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
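An added example, not from this thread or from FreeRADIUS, using Go's crypto/tls (which names the three policies explicitly) instead of OpenSSL: tls.VerifyClientCertIfGiven is the "request it, verify it if offered, carry on if not" mode that SSL_VERIFY_PEER alone gives in OpenSSL, tls.RequireAndVerifyClientCert is the SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT combination, and tls.NoClientCert never asks, so a client holding a certificate still sends none. The certificate names and the loopback listener are constructed for the demo; handshake() returns the client CN the server saw so the outcomes can be compared.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// selfSigned makes a constructed, throwaway self-signed certificate for cn and trusts it in pool.
func selfSigned(cn string, pool *x509.CertPool) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// handshake runs one loopback TLS handshake under the given server-side client-auth policy and
// returns the client CN the server saw ("" when no certificate was presented), or the handshake error.
func handshake(policy tls.ClientAuthType, clientSendsCert bool) (string, error) {
	pool := x509.NewCertPool()
	srvCert, cliCert := selfSigned("radius.example", pool), selfSigned("user.example", pool)
	srvCfg := &tls.Config{Certificates: []tls.Certificate{srvCert}, ClientAuth: policy, ClientCAs: pool}
	cliCfg := &tls.Config{RootCAs: pool, ServerName: "radius.example"}
	if clientSendsCert { // a client offers its cert only if it has one AND the server asks for it
		cliCfg.Certificates = []tls.Certificate{cliCert}
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil { return "", err }
	defer ln.Close()
	go func() { // client side; a handshake the server rejects simply errors out here
		if c, err := tls.Dial("tcp", ln.Addr().String(), cliCfg); err == nil {
			c.Read(make([]byte, 1)) // stay connected until the server closes, then drop c
		}
	}()
	raw, err := ln.Accept()
	if err != nil { return "", err }
	srv := tls.Server(raw, srvCfg)
	defer srv.Close()
	if err := srv.Handshake(); err != nil { return "", err }
	if peers := srv.ConnectionState().PeerCertificates; len(peers) > 0 { return peers[0].Subject.CommonName, nil }
	return "", nil // accepted with no client cert: what to do about that is left to later policy
}
```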
