[RADIATOR] EAP-TLS question

Markus Moeller huaraz at moeller.plus.com
Tue Mar 30 14:25:41 CDT 2010


Hi Hugh,

I didn't get it to work with SSLeay alone, but it seems to work with 
Crypt::OpenSSL::X509.

Thank you
Markus

#
# EAPTLS_CertificateVerifyHook:
#
#   Reject client certificates whose extendedKeyUsage does not permit
#   client authentication (clientAuth or anyExtendedKeyUsage).
#
sub {

  use Crypt::OpenSSL::X509;

  # Hook arguments as passed by Radiator
  my $p0 = $_[0];    # $matchdn
  my $p1 = $_[1];    # $x509_store_ctx
  my $p2 = $_[2];    # $cert (Net::SSLeay X509 pointer)
  my $p3 = $_[3];    # $subject_name
  my $p4 = $_[4];    # $subject
  my $p = $_[5];     # $p Radius Request

  &main::log($main::LOG_DEBUG,"EAPTLS_CertificateVerifyHook matchDN: $p0");

  # Re-parse the certificate with Crypt::OpenSSL::X509, which can read
  # extensions by name (the Net::SSLeay-only attempt quoted below did not
  # return the EKU)
  my $x509 = Crypt::OpenSSL::X509->new_from_string(&Net::SSLeay::PEM_get_string_X509($p2));
  my $ext = $x509->extensions_by_name();

  # A certificate with no extendedKeyUsage extension would otherwise make the
  # extKeyUsage() call die on an undefined extension object. RFC 5280 treats an
  # absent EKU as unrestricted; this hook is stricter and rejects it.
  unless (defined $ext->{extendedKeyUsage}) {
      &main::log($main::LOG_ERROR,"EAPTLS_CertificateVerifyHook certificate has no extendedKeyUsage extension");
      return undef;
  }
  my @extendedKeyUsage = $ext->{extendedKeyUsage}->extKeyUsage();

  &main::log($main::LOG_DEBUG,"EAPTLS_CertificateVerifyHook EKU: @extendedKeyUsage");

  my $clientAuth = grep { /clientAuth/ } ( @extendedKeyUsage );
  my $clientAny = grep { /anyExtendedKeyUsage/ } ( @extendedKeyUsage );
  if ( $clientAuth == 0 && $clientAny == 0 ) {
      &main::log($main::LOG_ERROR,"EAPTLS_CertificateVerifyHook certificate without client authentication key usage");
      return undef;
  }

  # Accept the certificate
  return 1;
}




----- Original Message ----- 
From: "Hugh Irvine" <hugh at open.com.au>
To: "Markus Moeller" <huaraz at moeller.plus.com>
Cc: <radiator at open.com.au>
Sent: Tuesday, March 30, 2010 2:41 AM
Subject: Re: [RADIATOR] EAP-TLS question



Hello Markus -

Apparently it is more complicated than that.

See for example:

http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn/ssl.c

verify_cert_eku()

regards

Hugh


On 30 Mar 2010, at 07:57, Markus Moeller wrote:

> Hi Hugh
>
>  I tried the below to check if the certificate is a certificate for client 
> authentication.
>
> #
> # EAPTLS_CertificateVerifyHook:
> #
> #   Check if certificate is for client authentication
> #
> #
> sub {
>
> # Pointer to request structure
> my $p0 = $_[0]; # $matchdn
> my $p1 = $_[1]; # $x509_store_ctx
> my $p2 = $_[2]; # $cert
> my $p3 = $_[3]; # $subject_name
> my $p4 = $_[4]; # $subject
> my $p = $_[5]; # $p Radius Request
>
> &main::log($main::LOG_DEBUG,"EAPTLS_CertificateVerifyHook DN: $p0");
>
> my $usage = &Net::SSLeay::X509_NAME_get_text_by_NID($p3, &Net::SSLeay::NID_ext_key_usage);
>
> &main::log($main::LOG_DEBUG,"EAPTLS_CertificateVerifyHook result: $usage");
>
> }
>
> but I don't get the extended key usage info, which should show that the 
> certificate is for "client authentication".
>
> Mon Mar 29 15:46:47 2010: DEBUG: EAPTLS_CertificateVerifyHook DN: user at COMPANY.COM
> Mon Mar 29 15:46:47 2010: DEBUG: EAPTLS_CertificateVerifyHook result:
>
> I would expect this to be checked by anyone who uses 802.1x.  Does someone 
> have an example of how to do this check?
>
> Markus
>
>
> ----- Original Message ----- From: "Hugh Irvine" <hugh at open.com.au>
> To: "Markus Moeller" <huaraz at moeller.plus.com>
> Sent: Sunday, March 21, 2010 5:28 AM
> Subject: Re: [RADIATOR] EAP-TLS question
>
>
>
> Hello Markus -
>
> Radiator does not check the usage, but you can use an 
> EAPTLS_CertificateVerifyHook to check if you wish.
>
> See section 5.18.47 in the Radiator 4.6 reference manual ("doc/ref.pdf").
>
> regards
>
> Hugh
>
>
> On 20 Mar 2010, at 21:41, Markus Moeller wrote:
>
>> Hi Hugh,
>>
>>    Sorry, I mean certificates sometimes have a usage, e.g.
>>
>> Encrypting File System (1.3.6.1.4.1.311.10.3.4)
>>
>> Secure Email (1.3.6.1.5.5.7.3.4)
>>
>> Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
>>
>> Client Authentication (1.3.6.1.5.5.7.3.2)
>>
>> Server Authentication (1.3.6.1.5.5.7.3.1)
>>
>> IP security IKE intermediate (1.3.6.1.5.5.8.2.2)
>>
>>
>>    So would radiator accept a certificate for EAP-TLS client 
>> authentication if the certificate does not have the usage "Client 
>> Authentication" but only "Secure Email"?
>>
>> Markus
>>
>>
>> ----- Original Message ----- From: "Hugh Irvine" <hugh at open.com.au>
>> To: "Markus Moeller" <huaraz at moeller.plus.com>
>> Cc: <radiator at open.com.au>
>> Sent: Saturday, March 20, 2010 7:01 AM
>> Subject: Re: [RADIATOR] EAP-TLS question
>>
>>
>>
>> Hello Markus -
>>
>> I'm not exactly sure what you mean here, but yes Radiator uses 
>> Net-SSLeay/OpenSSL for most certificate operations.
>>
>> regards
>>
>> Hugh
>>
>>
>> On 20 Mar 2010, at 05:33, Markus Moeller wrote:
>>
>>> Hi,
>>>
>>> Does radiator verify the client certificate constraints or is that 
>>> implicitly done through the SSL calls?
>>>
>>> Thank you
>>> Markus
>>> _______________________________________________
>>> radiator mailing list
>>> radiator at open.com.au
>>> http://www.open.com.au/mailman/listinfo/radiator

NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive 
(www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
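The EKU rule the hook at the top of this thread applies, as an added Python example that is neither from the thread nor from Radiator: a minimal DER decoder for the extendedKeyUsage value, the clientAuth / anyExtendedKeyUsage decision, and the absent-extension case that an unguarded hook would trip over. The function names and the hand-made DER byte strings are constructed for illustration.

```python
from typing import List, Optional

# OIDs named in the thread (RFC 5280 section 4.2.1.12)
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"        # Client Authentication
EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"   # Secure Email
ANY_EKU = "2.5.29.37.0"                  # anyExtendedKeyUsage

def decode_oid(content: bytes) -> str:
    """Decode the content octets of a DER OBJECT IDENTIFIER to dotted form."""
    arcs = [str(content[0] // 40), str(content[0] % 40)]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # last byte of this base-128 arc
            arcs.append(str(value))
            value = 0
    return ".".join(arcs)

def eku_purposes(eku_der: bytes) -> List[str]:
    """Parse an extendedKeyUsage value (SEQUENCE OF OBJECT IDENTIFIER)."""
    if eku_der[0] != 0x30:
        raise ValueError("extendedKeyUsage value must be a SEQUENCE")
    length, pos = eku_der[1], 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(eku_der[2:2 + n], "big"), 2 + n
    end, purposes = pos + length, []
    while pos < end:
        if eku_der[pos] != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER inside EKU")
        n = eku_der[pos + 1]
        purposes.append(decode_oid(eku_der[pos + 2:pos + 2 + n]))
        pos += 2 + n
    return purposes

def allows_client_auth(eku_der: Optional[bytes]) -> bool:
    """True if clientAuth or anyExtendedKeyUsage is listed. An absent extension
    (None) is unrestricted under RFC 5280 and accepted here; the hook in the
    thread is stricter and rejects that case."""
    if eku_der is None:
        return True
    purposes = eku_purposes(eku_der)
    return CLIENT_AUTH in purposes or ANY_EKU in purposes

# Constructed DER samples (not taken from any real certificate)
EKU_EMAIL_ONLY = bytes.fromhex("300a" "06082b06010505070304")
EKU_EMAIL_AND_CLIENT = bytes.fromhex("3014" "06082b06010505070304" "06082b06010505070302")
EKU_ANY = bytes.fromhex("3006" "0604551d2500")
```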