PEAP correct client certificate
Alan DeKok
aland at deployingradius.com
Mon Nov 20 22:19:19 CET 2017
On Nov 20, 2017, at 3:58 PM, Brian Julin <BJulin at clarku.edu> wrote:
> I can see that the flags only get set in tls_new_session if the client_cert boolean
> is asserted. But in that case it also unconditionally sets SSL_VERIFY_FAIL_IF_NO_PEER_CERT.
Yes. But again... that's only for the case when a client cert is required.
> What I'm talking about here is the same server serving both PEAP clients with certificates
> and PEAP clients without certificates, and still being able to access the TLS-Client-* variables
> in post-auth if/when the client did provide a cert.
Yes, that works. I've tested it.
If you require a client cert for user A, you *don't* need to require a client cert for user B.
> My understanding is that SSL_VERIFY_PEER controls whether the server
> requests a certificate, and that FreeRADIUS only sets that when it is requiring
> certificates, so there's no avenue for "request a certificate, validate it if the client
> responds with one, but if no certificate was offered proceed anyway and decide what to
> do about that later on in unlang."
Pretty much.
> ...pretty much the same thing as in both other places where those flags are referenced. Nothing
> sets SSL_VERIFY_PEER without also setting SSL_VERIFY_FAIL_IF_NO_PEER_CERT.
> Is it something internal to OpenSSL? I admit I don't know that API much at all.
It's in our code, it's not in OpenSSL.
I suppose with a bit of poking, you could add a FreeRADIUS flag saying "request client cert, but don't require it".
I'm not sure why that would be useful, though.
Alan DeKok.
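An added example (not from the thread and not code shipped with FreeRADIUS) of the per-user arrangement Alan describes, written as FreeRADIUS 3.x configuration. It assumes that the EAP-TLS-Require-Client-Cert control attribute, which the stock eap module configuration documents as a per-request override of require_client_cert, is read by the eap module when it creates the TLS session; the "contractor-" identity match is a placeholder policy chosen for illustration, and the TLS-Client-Cert-* attributes are assumed to be present in the outer request only when a certificate was actually requested, presented and verified:

```unlang
# mods-available/eap (excerpt): leave the global requirement off so that
# PEAP clients who have no certificate are never asked for one.
peap {
	tls = tls-common
	default_eap_type = mschapv2
	virtual_server = "inner-tunnel"
	# require_client_cert = yes   # deliberately left off; set per user below
}

# sites-enabled/default (excerpt)
authorize {
	# Placeholder policy (assumption): only outer identities that start
	# with "contractor-" must present a client certificate.  The control
	# attribute is set before "eap" runs, so the eap module applies it
	# when it creates the TLS session for this request; other users get
	# the default behaviour, in which no certificate is requested at all.
	if (&User-Name =~ /^contractor-/) {
		update control {
			&EAP-TLS-Require-Client-Cert := Yes
		}
	}
	eap
}

post-auth {
	# As discussed in the thread, a session that was not required to
	# present a certificate is never asked for one, so TLS-Client-Cert-*
	# attributes exist only when a certificate was required, presented
	# and verified.  Check for presence before using them.
	if (&TLS-Client-Cert-Common-Name) {
		update reply {
			&Reply-Message := "Client certificate CN: %{TLS-Client-Cert-Common-Name}"
		}
	}
	else {
		update reply {
			&Reply-Message := "No client certificate for this session"
		}
	}
}
```

The check in post-auth is what keeps the two populations apart: a user who matched the policy but presented no certificate never reaches post-auth, because SSL_VERIFY_FAIL_IF_NO_PEER_CERT fails the handshake, while a user outside the policy reaches it with no TLS-Client-Cert-* attributes at all.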
More information about the Freeradius-Users mailing list