EAP-TLS: check TLS-Client-Cert with unlang
Stefan Hartmann
stefanh at hafenthal.de
Mon Jan 9 19:57:05 UTC 2023
Hi list,
I updated freeradius on a Devuan machine from 3.0.17 to 3.2.1.
Formerly I checked the client certificate in the virtual server
check-eap-tls with the following unlang construct to extract the real
User-Name from the certificate:
...
if ((&TLS-Client-Cert-Subject-Alt-Name-Email) &&
    (&TLS-Client-Cert-Subject-Alt-Name-Email =~ /@/)) {
        update request {
                &User-Name := &TLS-Client-Cert-Subject-Alt-Name-Email
        }
} elsif (&TLS-Client-Cert-Common-Name) {
        update request {
                &User-Name := &TLS-Client-Cert-Common-Name
        }
} else {
        reject
}
...
In the client certificate file there is also the root CA certificate,
and in the former version the second certificate was the client
certificate, so the code evaluated correctly without my thinking thoroughly
about it. Now, attributes like TLS-Client-Cert-Serial evaluate to the
first certificate, i.e. the root CA certificate, and the above unlang code
returns the wrong User-Name.
I want to improve the code and need some hints.
I want to iterate over e.g. &TLS-Client-Cert-Serial[*],
find the certificate with
&TLS-Client-Cert-X509v3-Basic-Constraints[i] =~ /CA:FALSE/,
and then extract the User-Name from
&TLS-Client-Cert-Subject-Alt-Name-Email[i] or
&TLS-Client-Cert-Common-Name[i].
How can I get the correct index i from, e.g., foreach
&TLS-Client-Cert-Serial so that I can reference
&TLS-Client-Cert-Subject-Alt-Name-Email[i], for example?
A quick fix was to use [n] and choose the last certificate in the file,
but this is not clean.
--
stefan hartmann
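Added example, not code from the post or from FreeRADIUS: a Python model of the index selection described above, assuming each TLS-Client-Cert-* list has one entry per certificate in chain order (attribute names are the post's; the sample values are constructed). It also reproduces the reported failure, since an unindexed attribute reference reads the first instance.

```python
import re
from typing import Optional

# Constructed samples (not real FreeRADIUS output): each dict models the
# TLS-Client-Cert-* attribute lists for one client chain, one entry per
# certificate in the order the module added them. Names and serials are made up.
ROOT_FIRST = {  # ordering the post reports for 3.2.1: root CA at index 0
    "TLS-Client-Cert-Serial": ["01", "1a2b3c"],
    "TLS-Client-Cert-X509v3-Basic-Constraints": ["CA:TRUE", "CA:FALSE"],
    "TLS-Client-Cert-Common-Name": ["Example Root CA", "alice"],
    "TLS-Client-Cert-Subject-Alt-Name-Email": ["", "alice@example.org"],
}
ROOT_LAST = {  # ordering the post reports for 3.0.17: leaf at index 0
    k: list(reversed(v)) for k, v in ROOT_FIRST.items()
}
CA_ONLY = {k: v[:1] for k, v in ROOT_FIRST.items()}  # chain with no end-entity cert


def leaf_index(attrs: dict) -> Optional[int]:
    """Index of the first certificate whose Basic Constraints say CA:FALSE, else None."""
    for i, bc in enumerate(attrs["TLS-Client-Cert-X509v3-Basic-Constraints"]):
        if re.search(r"CA:FALSE", bc):
            return i
    return None


def user_name_from_chain(attrs: dict) -> Optional[str]:
    """Apply the post's selection to the leaf cert: SAN email containing '@',
    otherwise the Common-Name, otherwise None (the unlang 'reject' branch)."""
    i = leaf_index(attrs)
    if i is None:
        return None  # no end-entity certificate presented: reject
    email = attrs["TLS-Client-Cert-Subject-Alt-Name-Email"][i]
    if email and re.search(r"@", email):
        return email
    return attrs["TLS-Client-Cert-Common-Name"][i] or None


def user_name_naive(attrs: dict) -> Optional[str]:
    """The original unindexed check: an unindexed &Attr reads &Attr[0],
    so with the root CA first this yields the CA's name, not the user's."""
    email = attrs["TLS-Client-Cert-Subject-Alt-Name-Email"][0]
    if email and re.search(r"@", email):
        return email
    return attrs["TLS-Client-Cert-Common-Name"][0] or None


if __name__ == "__main__":
    for name, chain in (("root first", ROOT_FIRST), ("root last", ROOT_LAST)):
        print(name, "naive:", user_name_naive(chain), "leaf:", user_name_from_chain(chain))
```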
More information about the Freeradius-Users mailing list