Naming collision on CN in CA certificates (EAP-TLS)

Alan DeKok aland at deployingradius.com
Sat Jun 5 20:02:31 CEST 2021


On Jun 5, 2021, at 1:26 PM, Ash Wilson via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> What I'm trying to do:
> Use multiple CA certificates for authentication of EAP-TLS supplicants. The
> CNs in these CA certificates may be identical.

  I'm not sure that it's permitted in TLS to have multiple CAs with the same CN.

> What I'm expecting:
> FreeRADIUS (via SSL library) should use the authorityKeyID in the
> supplicant's certificate to locate the CA certificate (matching against the
> subjectKeyID) to validate the supplicant's presented certificate.
> 
> What I'm observing:
> FreeRADIUS fails to authenticate client certificates if multiple CA
> certificates exist with the same CN. The CN appears to be the key which
> FreeRADIUS uses to locate the CA certificate.

 Except that FreeRADIUS doesn't do this.  It just hands the TLS data / certs to OpenSSL, and asks "is this OK?"

> More about the test scenario:
> Attempted with two CA certificates as separate certs in cert_dir. Also
> tried with both CA certificates in the same file. As long as the CNs are
> different, authentication happens as desired, with no issues. If the CNs
> collide, auth fails. When I use OpenSSL to verify the client certs against
> the CA certs, OpenSSL authenticates the certs correctly even if the names
> collide.

  I suspect something else is going on there.  i.e. the openssl command-line tool does something different from FreeRADIUS.

  FreeRADIUS loads all of the CAs into memory, and then asks OpenSSL to verify the client cert.  If OpenSSL can't match the client cert to the correct CA, then that's an issue for OpenSSL.

> FreeRADIUS appears to be sharing the responsibility of validating
> the supplicant's certificate with the SSL library, and treating it
> differently than openSSL does when used independently.

  FreeRADIUS doesn't verify the client cert.  That's all TLS / cert magic, and we don't implement that.

  What FreeRADIUS does is to expose the CN / etc. to "unlang", and allows the local admin to write policies based on that.  But any matching of client cert to CA is completely outside of the scope of FreeRADIUS.  We just call the OpenSSL APIs.  If they return "OK", then the cert is valid.  If they return "fail", then the cert is rejected.

  Which version of FreeRADIUS are you using, and which version of OpenSSL?

  You might also try setting "auto_chain = yes".  See mods-available/eap.  That toggles an internal OpenSSL flag for some different behavior.  That might help.

  Alan DeKok.




More information about the Freeradius-Users mailing list