Certificate Details Outside TLS Tunnel

Alan DeKok aland at deployingradius.com
Sat Oct 19 12:24:12 UTC 2024


On Oct 18, 2024, at 11:49 AM, FreeRAD <yetifreerad at gmail.com> wrote:
> 
> If I run a TCPDump from one of the clients that is sending Auth-Requests to
> my RADIUS server, I have noticed that in the Access-Challenge messages back
> from the server you can see certificate details that I have put in the
> various cnf files in etc/freeradius/3.0/certs. For example, I can see the
> 'organizationName' and 'emailAddress' from the server.cnf file amongst
> other details and strings of hashed data within the TCPDump output.
> 
> I know that the tunnel won't have been established at this point so this in
> particular wouldn't be hiding those details, but is there a need for them
> to be exposed? And if not where would I look to configure my server to hide
> these details from external entities? I know RADSec is preferred but wasn't
> sure if this information was exposed on purpose.

  That's how TLS works.  You will see the same thing for HTTPS connections which don't use TLS 1.3.

  Alan DeKok.
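
The following Python code is added here as an illustration and is not taken from the thread or from FreeRADIUS. It reassembles the EAP-Message attributes of captured Access-Challenge packets and returns the certificates carried in the cleartext TLS 1.2 handshake, which is why the server.cnf fields show up in tcpdump. The function names and the sample packets are constructed for this example.

```python
import struct

def eap_tls_payload(pkt: bytes) -> bytes:
    """TLS bytes carried in one RADIUS Access-Challenge (code 11)."""
    if len(pkt) < 20 or pkt[0] != 11:
        return b""
    eap, pos, end = b"", 20, min(len(pkt), struct.unpack("!H", pkt[2:4])[0])
    while pos + 2 <= end and pkt[pos + 1] >= 2:
        if pkt[pos] == 79:                          # EAP-Message attribute
            eap += pkt[pos + 2:pos + pkt[pos + 1]]
        pos += pkt[pos + 1]
    if len(eap) < 6 or eap[4] not in (13, 21, 25):  # EAP-TLS, EAP-TTLS, PEAP
        return b""
    start = 10 if eap[5] & 0x80 else 6              # L flag: 4-byte TLS length follows
    return eap[start:struct.unpack("!H", eap[2:4])[0]]

def visible_certificates(packets) -> list:
    """DER certificates an on-path observer can read without any keys."""
    stream = b"".join(eap_tls_payload(p) for p in packets)
    handshake, pos = b"", 0
    while pos + 5 <= len(stream) and stream[pos] == 22:  # leading plaintext handshake records
        rlen = struct.unpack("!H", stream[pos + 3:pos + 5])[0]
        handshake += stream[pos + 5:pos + 5 + rlen]
        pos += 5 + rlen
    certs, pos = [], 0
    while pos + 4 <= len(handshake):                # walk handshake messages
        mlen = int.from_bytes(handshake[pos + 1:pos + 4], "big")
        body = handshake[pos + 4:pos + 4 + mlen]
        i = 3 if handshake[pos] == 11 else len(body)  # only Certificate (11) is walked
        while i + 3 <= len(body):                   # 3-byte length before each cert
            clen = int.from_bytes(body[i:i + 3], "big")
            certs.append(body[i + 3:i + 3 + clen])
            i += 3 + clen
        pos += 4 + mlen
    return certs

def sample_challenges(cert: bytes, chunk: int = 40) -> list:
    """Constructed input: one TLS 1.2 Certificate message in EAP-TLS fragments."""
    l3 = lambda n: n.to_bytes(3, "big")
    msg = b"\x0b" + l3(len(cert) + 6) + l3(len(cert) + 3) + l3(len(cert)) + cert
    tls = b"\x16\x03\x03" + struct.pack("!H", len(msg)) + msg
    out = []
    for n, off in enumerate(range(0, len(tls), chunk)):
        flags = 0x80 | (0x40 if off + chunk < len(tls) else 0)  # L, plus M if more follow
        data = bytes([flags]) + struct.pack("!I", len(tls)) + tls[off:off + chunk]
        eap = struct.pack("!BBHB", 1, n, 5 + len(data), 13) + data
        attr = bytes([79, 2 + len(eap)]) + eap
        out.append(struct.pack("!BBH", 11, n, 20 + len(attr)) + bytes(16) + attr)
    return out
```

With a TLS 1.3 handshake the same function returns an empty list, because the first record after the ServerHello is no longer a plaintext handshake record and the Certificate message travels encrypted.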


