(RADIATOR) Server and Client verification in RADSEC

Mike McCauley mikem at open.com.au
Thu Nov 24 00:31:36 CST 2005


Hello Jan,


On Tuesday 22 November 2005 21:44, Jan Tomasek wrote:
> Hello Mike,
>
> you were not reading what I wrote. :(( Why to try invent "own" solution
> if there is standard one?
>
> > Therefore I would expect you to set TLS_ExpectedPeerName to such a name
> > or pattern.
>
> I have two clients named radsec1.cesnet.cz and radsec1.tomasek.cz. I
> might set TLS_ExpectedPeerName to radsec1.(cesnet|tomasek).cz. Ok.
> But... How about adding ldap2.bflmpsvz.cz? Now this is no way to go...
>

Thank you for your comments.
We have now made significant changes to the verification of peer certificates 
in RadSec. From the change log:

Improvements to peer certificate verification for RadSec connections.
  The peer IP address (or hostname if resolvable) is verified against
  the certificate CNs, or against the certificate subjectAltNames. Exact
  match and wildcard matches are honoured. If those fail then
  TLS_ExpectedPeerName pattern is matched against the entire Subject
  name. If all those fail, the certificate is not verified and the
  RadSec connection will be terminated. Updated RadSec example configuration
  files. This is all in line with RFC 2595. Suggested by Jan Tomasek.
  Caution, use of subjectAltNames requires patches for Net_SSLeay from
  this patch:
  http://www.open.com.au/radiator/free-downloads/Net_SSLeay.pm-1.25-SSLeay.xs.patch


Hope that satisfies your needs.

Cheers.

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS, NetWare etc.
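The verification order quoted from the change log above (peer IP or hostname against the certificate CNs, then against subjectAltNames with exact and wildcard matching, then the TLS_ExpectedPeerName pattern against the whole Subject, otherwise reject) can be illustrated with a small model. The following is an added example written for this archive page, not Radiator's own Perl code: the `PeerCert` structure, the function names and the sample certificate are constructed, and the wildcard rule assumed here is the RFC 2595 one (a `*` only as the entire left-most label, matching exactly one label).

```python
import re
from dataclasses import dataclass


@dataclass
class PeerCert:
    # Hypothetical, simplified view of an X.509 peer certificate:
    # the Subject DN as one string, the CN values it carries, and the
    # dNSName / iPAddress subjectAltName entries.
    subject: str
    cns: list
    sans: list


def hostname_matches(pattern: str, name: str) -> bool:
    """Exact match, or RFC 2595 style wildcard match, case-insensitively.

    '*' is honoured only when it is the whole left-most label and it
    matches exactly one label: '*.cesnet.cz' matches 'radsec1.cesnet.cz'
    but neither 'cesnet.cz' nor 'a.b.cesnet.cz'.
    """
    pattern = pattern.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if pattern == name:
        return True
    if pattern.startswith("*."):
        p_labels = pattern.split(".")
        n_labels = name.split(".")
        return len(p_labels) == len(n_labels) and p_labels[1:] == n_labels[1:]
    return False


def verify_peer(peer_ids, cert: PeerCert, expected_peer_name=None):
    """Apply the three-stage check described in the change log.

    peer_ids: the peer's IP address and, if resolvable, its hostname.
    expected_peer_name: the TLS_ExpectedPeerName regex, or None.
    Returns (accepted, reason); a False result means the RadSec
    connection should be terminated.
    """
    for peer in peer_ids:
        # Stage 1: certificate CNs (exact or wildcard).
        for cn in cert.cns:
            if hostname_matches(cn, peer):
                return True, f"CN {cn!r} matches peer {peer!r}"
        # Stage 2: subjectAltNames (exact or wildcard; IPs match exactly).
        for san in cert.sans:
            if hostname_matches(san, peer):
                return True, f"subjectAltName {san!r} matches peer {peer!r}"
    # Stage 3: TLS_ExpectedPeerName pattern against the entire Subject.
    if expected_peer_name and re.search(expected_peer_name, cert.subject):
        return True, f"TLS_ExpectedPeerName {expected_peer_name!r} matches Subject"
    return False, "no CN, subjectAltName or TLS_ExpectedPeerName match; terminate"


# Constructed sample certificate for the example (not a real certificate).
SAMPLE_CERT = PeerCert(
    subject="/C=CZ/O=CESNET/CN=radsec1.cesnet.cz",
    cns=["radsec1.cesnet.cz"],
    sans=["ldap2.bflmpsvz.cz", "*.tomasek.cz", "192.0.2.10"],
)


if __name__ == "__main__":
    for ids, pattern in [
        (["192.0.2.10", "radsec1.cesnet.cz"], None),   # CN match
        (["ldap2.bflmpsvz.cz"], None),                 # SAN match, no config change
        (["radsec1.tomasek.cz"], None),                # wildcard SAN match
        (["unknown.example.org"], r"O=CESNET"),        # Subject pattern fallback
        (["unknown.example.org"], None),               # rejected
    ]:
        print(ids, pattern, "->", verify_peer(ids, SAMPLE_CERT, pattern))
```

The point of the ordering is that the common case (a client whose hostname is in its CN or subjectAltName) needs no per-client configuration, while TLS_ExpectedPeerName remains as an explicit, operator-controlled fallback rather than the only mechanism.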

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
