How to check values of TLS-Client-Cert-X509v3-Extended-Key-Usage-OID attribute?
Alan DeKok
aland at deployingradius.com
Wed Mar 24 12:32:47 CET 2021
On Mar 24, 2021, at 5:36 AM, Arnaud LAURIOU <arnaud.lauriou at renater.fr> wrote:
> I would like to check the values of the TLS-Client-Cert-X509v3-Extended-Key-Usage-OID
> attribute contained in a client's certificate when establishing an incoming RadSec
> connection on a proxy server.
>
> If those values match known strings then process the request else close the RadSec
> connection.
>
> How can I do that with FR 3.0.21 ?
Read the debug output. It prints out which TLS-Client-Cert attributes are available, where they go, and what their values are.
But... the main issue is that the server doesn't support applying policies to the incoming socket. See src/main/tls_listen.c:
	/*
	 *	FIXME: Run the request through a virtual
	 *	server in order to see if we like the
	 *	certificate presented by the client.
	 */
:(
The real solution is to rely on the TLS framework. If you don't like a certificate, then revoke it.
What are the circumstances where you don't control the cert issue, but do want to check the various cert fields?
Alan DeKok.
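Since 3.0.21 cannot apply a policy to the RadSec socket itself, the comparison has to happen elsewhere: at issuance time, or as an audit of already-issued client certificates so that the ones with the wrong purposes can be revoked, which is the route suggested above. The following is an added example, not code from the original post or from the FreeRADIUS project. It decodes the DER value of an X.509 extendedKeyUsage extension (RFC 5280 section 4.2.1.12) into dotted-decimal OIDs, which is the form the -OID attribute carries as far as I recall from 3.0's tls.c, and then applies an allow/deny check to that list. The tiny DER encoder exists only to construct sample input so the script runs offline; the function names and the "required plus forbidden" policy shape are my own choices, not anything FreeRADIUS provides.

```python
"""Decode an extendedKeyUsage DER value into dotted OIDs and check a policy.

Added example, not FreeRADIUS code. The encoder is only here to build
constructed sample input; the decoder and eku_permits() are the check.
"""
from typing import List, Sequence

# Well-known EKU purposes from RFC 5280 (dotted form, as in the -OID attribute).
EKU_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
EKU_CODE_SIGNING = "1.3.6.1.5.5.7.3.3"


def _der_length(n: int) -> bytes:
    """Minimal DER length: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, base-128 arcs after."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"invalid OID {dotted}")
    body = bytearray()
    for arc in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                       # continuation bytes carry bit 7
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return b"\x06" + _der_length(len(body)) + bytes(body)


def encode_eku(oids: Sequence[str]) -> bytes:
    """ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId."""
    body = b"".join(encode_oid(o) for o in oids)
    return b"\x30" + _der_length(len(body)) + body


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos); rejects indefinite and non-minimal lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("indefinite, oversized or truncated length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        if length < 0x80 or buf[pos] == 0:
            raise ValueError("non-minimal length encoding is not DER")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body: bytes) -> str:
    """Inverse of encode_oid; refuses a dangling or padded subidentifier."""
    if not body or body[-1] & 0x80:
        raise ValueError("malformed OID")
    arcs, acc = [], 0
    for b in body:
        if acc == 0 and b == 0x80:
            raise ValueError("non-minimal subidentifier")
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    first = arcs[0]
    lead = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in lead + arcs[1:])


def decode_eku(der: bytes) -> List[str]:
    """Parse an extnValue of extendedKeyUsage into a list of dotted OIDs."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("EKU must be exactly one SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError(f"unexpected tag {tag:#x} inside EKU")
        oids.append(decode_oid(value))
    if not oids:
        raise ValueError("EKU SEQUENCE must contain at least one OID")
    return oids


def eku_permits(oids: Sequence[str], required: str, forbidden: Sequence[str] = ()) -> bool:
    """Policy: the required purpose is present and no forbidden purpose is."""
    return required in oids and not any(o in oids for o in forbidden)


if __name__ == "__main__":
    # Constructed sample: a client certificate asserting clientAuth + serverAuth.
    sample = encode_eku([EKU_CLIENT_AUTH, EKU_SERVER_AUTH])
    found = decode_eku(sample)
    print(found, "->", "accept" if eku_permits(found, EKU_CLIENT_AUTH) else "reject")
```

Feeding the same policy the dotted strings FreeRADIUS puts in TLS-Client-Cert-X509v3-Extended-Key-Usage-OID needs only eku_permits(); the decoder is for auditing raw certificates (for example the extension bytes an issuing CA is about to sign, or a dump of issued certificates) before deciding which ones to revoke.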
More information about the Freeradius-Users mailing list