(RADIATOR) Server and Client verification in RADSEC

Jan Tomasek jan at tomasek.cz
Thu Nov 24 01:47:04 CST 2005


Hello Mike,

> Improvements to peer certificate verification for RadSec connections.
>   The peer IP address (or hostname if resolvable) is verified against
>   the certificate CNs, or against the certificate subjectAltNames. Exact
> [...]

Thanks for your work! I admire how fast you did it. But that still is
not right. Please forget about DNS. Real-life example:

My institution-level radius server is named radius1.cesnet.cz but that
is just a CNAME to ldap1.cesnet.cz. Radiator of course got a certificate with
radius1.cesnet.cz. If this server connects to a RADSEC server:

 - server accepts and sees IP => 195.113.144.226
 - reverse IP to hostname => ldap1.cesnet.cz
 - check of dNSName in certificate => client (radius1) refused

that is not good. Server and Client can't use DNS as a source of any
authoritative information about the peer. Identity of both of them is assured
by the signing CA.

If you have more questions, not answered by my first mail, please feel
free to ask. I will try to provide some more real examples to show that
those guys who were designing this and who wrote that RFC did really good
work.

PS: I will be today offline, but I will try to answer at night.

Best regards
-- 
--------------------------------------------------------------
Jan Tomasek aka Semik           work: CESNET, z.s.p.o.
http://www.tomasek.cz/                Zikova 4, 160 00 Praha 6
phone(work): +420 2 2435 5279         Czech Republic
phone(home): +420 312 661 386         http://www.cesnet.cz/
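The refusal described in the mail, reproduced as an added example in Go (not code from the mail or from Radiator): a constructed CA signs a leaf whose only dNSName is radius1.cesnet.cz, a constructed table stands in for the reverse DNS lookup, and `verifyPeer` is run once with the reverse-DNS name (the check the mail objects to) and once with no name (identity assured by the signing CA). The CA name, serial numbers and the `reverseDNS` table are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Constructed stand-in for the reverse lookup in the mail (CNAME target, not the cert name).
var reverseDNS = map[string]string{"195.113.144.226": "ldap1.cesnet.cz"}

// mustCert signs tmpl with key (parent == tmpl for the self-signed CA) and parses the result.
func mustCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		panic(err) // the fixture is constructed, so this is a programming error
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// makePair builds a constructed CA and the leaf it signs; its only dNSName is radius1.cesnet.cz.
func makePair() (ca, leaf *x509.Certificate) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: "Constructed RADSEC CA"}, KeyUsage: x509.KeyUsageCertSign,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	ca = mustCert(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	leaf = mustCert(&x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{"radius1.cesnet.cz"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}, ca, &leafKey.PublicKey, caKey)
	return ca, leaf
}

// verifyPeer validates the chain against the trusted CA and, when name is non-empty, also demands
// that dNSName. Passing reverseDNS[ip] is the check the mail objects to; "" is CA-assured identity.
func verifyPeer(ca, leaf *x509.Certificate, name string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: name})
	return err
}
```

With the reverse-DNS name the chain is valid but `Verify` returns a hostname error, exactly the "client (radius1) refused" outcome; with the name omitted the same certificate passes on the strength of the CA signature alone.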