Naming collision on CN in CA certificates (EAP-TLS)
ash.wilson at valimail.com
Sat Jun 5 19:26:24 CEST 2021
Before I open a bug report in Github, I'm hoping that someone else has seen
this issue and can advise on a work-around.
What I'm trying to do:
Use multiple CA certificates for authentication of EAP-TLS supplicants. The
CNs in these CA certificates may be identical.
What I'm expecting:
FreeRADIUS (via SSL library) should use the authorityKeyID in the
supplicant's certificate to locate the CA certificate (matching against the
subjectKeyID) to validate the supplicant's presented certificate.
What I'm observing:
FreeRADIUS fails to authenticate client certificates if multiple CA
certificates exist with the same CN. The CN appears to be the key which
FreeRADIUS uses to locate the CA certificate.
More about the test scenario:
Attempted with two CA certificates as separate certs in cert_dir. Also
tried with both CA certificates in the same file. As long as the CNs are
different, authentication happens as desired, with no issues. If the CNs
collide, auth fails. When I use OpenSSL to verify the client certs against
the CA certs, OpenSSL authenticates the certs correctly even if the names
collide. FreeRADIUS appears to be sharing the responsibility of validating
the supplicant's certificate with the SSL library, and treating it
differently than openSSL does when used independently.
*Ash Wilson* | Technical Director
*e:* ash.wilson at valimail.com
This email and all data transmitted with it contains confidential and/or
proprietary information intended solely for the use of individual(s)
authorized to receive it. If you are not an intended and authorized
recipient you are hereby notified of any use, disclosure, copying or
distribution of the information included in this transmission is prohibited
and may be unlawful. Please immediately notify the sender by replying to
this email and then delete it from your system.
More information about the Freeradius-Users