Logging EAP-TLS certificate details
Martin Pauly
pauly at hrz.uni-marburg.de
Wed Mar 24 21:59:58 CET 2021
Hello,
Earnestly: This discussion is a real pity. The matter is complex,
and the questions raised may be relevant for more users.
Could everyone please take the personal fierceness out of the dispute
and stick to the technical points? Unfortunately, my experience
with EAP-TLS is very limited, but obviously we would prefer it
for our Clients in the future, too.
Watching discussions on this list is often a good way
to see what problems might lie ahead when, e.g. using
a feature you have not used before. So I would really like to
understand things, but it seems sort of hard to match the two points of view.
Roberto: We DO need to log bulletproof cert details like serial number.
Alan: Go set up your clients in a sane way, then you get your correlation for free.
Roberto: We already try, but vendors won't play along.
Alan: Then we are far from standards, and the default config cannot cover every weird situation that might arise.
But there's always a way to fix it through the config.
Roberto: But the default config/FR's processing MUST cover this, otherwise it's crap, security-wise.
Roberto, you've really dived deeply into your specific kind of problem.
Why not submit patches that try to improve the default config, if it is this clear
what is missing? I would really be interested to see what exactly should change.
What I haven't understood so far: Given Roberto's situation, _can_ you tweak
the config to log the data he wants, or would you need to change the processing
at some point (e.g. changing openssl lib calls to extract more information)?
Martin
--
Dr. Martin Pauly Phone: +49-6421-28-23527
HRZ Univ. Marburg Fax: +49-6421-28-26994
Hans-Meerwein-Str. E-Mail: pauly at HRZ.Uni-Marburg.DE
D-35032 Marburg
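As an added illustration of what "tweaking the config" can look like (this is not part of the original post, nor the project's shipped default): the fragment below logs the serial number, issuer and subject of the client certificate for every successful EAP-TLS authentication using the stock linelog module. It assumes FreeRADIUS 3.x, where the server exposes the verified client certificate's fields as TLS-Client-Cert-* attributes (names from the default dictionary) in the request by the time the post-auth section runs; the module instance name eap_tls_audit and the log file name are my own choices.

```unlang
# Added example, not from the original thread or the FreeRADIUS defaults.
# Assumption: FreeRADIUS 3.x, TLS-Client-Cert-* attributes already present
# in the request when post-auth runs.

# raddb/mods-enabled/eap_tls_audit  (a linelog instance)
linelog eap_tls_audit {
    filename = ${logdir}/eap-tls-audit.log
    permissions = 0600
    # One line per authentication. A serial number is unique only within
    # one issuer, so the issuer DN is written next to it. User-Name is the
    # outer EAP identity, which the client chooses freely; it is kept only
    # for correlation, never as the identity of record.
    format = "%t serial=%{TLS-Client-Cert-Serial} issuer=\"%{TLS-Client-Cert-Issuer}\" subject=\"%{TLS-Client-Cert-Subject}\" cn=\"%{TLS-Client-Cert-Common-Name}\" outer-id=\"%{User-Name}\" nas=%{NAS-IP-Address} calling=%{Calling-Station-Id}"
}

# raddb/sites-enabled/default, inside the post-auth section
post-auth {
    # Only sessions that presented a client certificate carry these
    # attributes; skip everything else so the audit log has no empty rows.
    if (&TLS-Client-Cert-Serial) {
        eap_tls_audit
    }
}
```

Two practical points for anyone adopting something like this: log the issuer together with the serial (a serial alone is not a global identifier), and verify with `radiusd -X` that the TLS-Client-Cert-* attributes are actually present at the point where the linelog call is placed in your own virtual server layout, since EAP-TLS inside a tunnelled method ends up in a different virtual server than plain EAP-TLS.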