[RADIATOR] EAP-TLS question
Markus Moeller
huaraz at moeller.plus.com
Tue Mar 30 14:25:41 CDT 2010
Hi Hugh,
I didn't get it to work with SSLeay alone, but it seems to work with
Crypt::OpenSSL::X509.
Thank you
Markus
#
# EAPTLS_CertificateVerifyHook:
#
# Reject client certificates whose extendedKeyUsage permits neither
# clientAuth nor anyExtendedKeyUsage.
#
sub {
    use Crypt::OpenSSL::X509;

    # Arguments Radiator passes to the hook
    my $p0 = $_[0]; # $matchdn
    my $p1 = $_[1]; # $x509_store_ctx
    my $p2 = $_[2]; # $cert (Net::SSLeay X509 pointer)
    my $p3 = $_[3]; # $subject_name
    my $p4 = $_[4]; # $subject
    my $p  = $_[5]; # $p Radius Request

    &main::log($main::LOG_DEBUG, "EAPTLS_CertificateVerifyHook matchDN: $p0");

    # Net::SSLeay only hands us a raw pointer; round-trip the certificate
    # through PEM into Crypt::OpenSSL::X509, which exposes extensions by name.
    my $x509 = Crypt::OpenSSL::X509->new_from_string(
        &Net::SSLeay::PEM_get_string_X509($p2));
    my $exts = $x509->extensions_by_name;

    # Without this guard a certificate that has no extendedKeyUsage extension
    # makes the extKeyUsage call below die. RFC 5280 treats such a certificate
    # as unrestricted; this hook fails closed and rejects it instead.
    unless ($exts->{extendedKeyUsage}) {
        &main::log($main::LOG_ERROR, "EAPTLS_CertificateVerifyHook certificate has no extendedKeyUsage extension");
        return undef;
    }

    my @extendedKeyUsage = $exts->{extendedKeyUsage}->extKeyUsage;
    &main::log($main::LOG_DEBUG, "EAPTLS_CertificateVerifyHook EKU: @extendedKeyUsage");

    my $clientAuth = grep { /clientAuth/ } @extendedKeyUsage;
    my $clientAny  = grep { /anyExtendedKeyUsage/ } @extendedKeyUsage;
    if ($clientAuth == 0 && $clientAny == 0) {
        &main::log($main::LOG_ERROR, "EAPTLS_CertificateVerifyHook certificate without client authentication key usage");
        return undef;
    }

    # Return true explicitly: a sub that ends in a failed "if" test returns
    # that test's value, which is false.
    return 1;
}
----- Original Message -----
From: "Hugh Irvine" <hugh at open.com.au>
To: "Markus Moeller" <huaraz at moeller.plus.com>
Cc: <radiator at open.com.au>
Sent: Tuesday, March 30, 2010 2:41 AM
Subject: Re: [RADIATOR] EAP-TLS question
Hello Markus -
Apparently it is more complicated than that.
See for example:
http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn/ssl.c
verify_cert_eku()
regards
Hugh
On 30 Mar 2010, at 07:57, Markus Moeller wrote:
> Hi Hugh
>
> I tried the below to check if the certificate is a certificate for client
> authentication.
>
> #
> # EAPTLS_CertificateVerifyHook:
> #
> # Check if certificate is for client authentication
> #
> sub {
>
>     # Pointer to request structure
>     my $p0 = $_[0]; # $matchdn
>     my $p1 = $_[1]; # $x509_store_ctx
>     my $p2 = $_[2]; # $cert
>     my $p3 = $_[3]; # $subject_name
>     my $p4 = $_[4]; # $subject
>     my $p  = $_[5]; # $p Radius Request
>
>     &main::log($main::LOG_DEBUG, "EAPTLS_CertificateVerifyHook DN: $p0");
>
>     # X509_NAME_get_text_by_NID looks up an attribute of the subject name
>     # (an X509_NAME); extendedKeyUsage is a certificate extension, not a
>     # name attribute, so this lookup returns nothing.
>     my $usage = &Net::SSLeay::X509_NAME_get_text_by_NID($p3,
>         &Net::SSLeay::NID_ext_key_usage);
>
>     &main::log($main::LOG_DEBUG, "EAPTLS_CertificateVerifyHook result: $usage");
>
> }
>
> but I don't get the extended key usage info, which should show that the
> certificate is for "client authentication".
>
> Mon Mar 29 15:46:47 2010: DEBUG: EAPTLS_CertificateVerifyHook DN:
> user at COMPANY.COM
> Mon Mar 29 15:46:47 2010: DEBUG: EAPTLS_CertificateVerifyHook result:
>
> I would expect this to be checked by anyone who uses 802.1x. Does someone
> have an example of how to do this check?
>
> Markus
>
>
> ----- Original Message ----- From: "Hugh Irvine" <hugh at open.com.au>
> To: "Markus Moeller" <huaraz at moeller.plus.com>
> Sent: Sunday, March 21, 2010 5:28 AM
> Subject: Re: [RADIATOR] EAP-TLS question
>
>
>
> Hello Markus -
>
> Radiator does not check the usage, but you can use an
> EAPTLS_CertificateVerifyHook to check if you wish.
>
> See section 5.18.47 in the Radiator 4.6 reference manual ("doc/ref.pdf").
>
> regards
>
> Hugh
>
>
> On 20 Mar 2010, at 21:41, Markus Moeller wrote:
>
>> Hi Hugh,
>>
>> Sorry, I mean certificates sometimes have a usage, e.g.
>>
>> Encrypting File System (1.3.6.1.4.1.311.10.3.4)
>>
>> Secure Email (1.3.6.1.5.5.7.3.4)
>>
>> Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
>>
>> Client Authentication (1.3.6.1.5.5.7.3.2)
>>
>> Server Authentication (1.3.6.1.5.5.7.3.1)
>>
>> IP security IKE intermediate (1.3.6.1.5.5.8.2.2)
>>
>>
>> So would Radiator accept a certificate for EAP-TLS client
>> authentication if the certificate does not have the usage "Client
>> Authentication" but only "Secure Email"?
>>
>> Markus
>>
>>
>> ----- Original Message ----- From: "Hugh Irvine" <hugh at open.com.au>
>> To: "Markus Moeller" <huaraz at moeller.plus.com>
>> Cc: <radiator at open.com.au>
>> Sent: Saturday, March 20, 2010 7:01 AM
>> Subject: Re: [RADIATOR] EAP-TLS question
>>
>>
>>
>> Hello Markus -
>>
>> I'm not exactly sure what you mean here, but yes Radiator uses
>> Net-SSLeay/OpenSSL for most certificate operations.
>>
>> regards
>>
>> Hugh
>>
>>
>> On 20 Mar 2010, at 05:33, Markus Moeller wrote:
>>
>>> Hi,
>>>
>>> Does Radiator verify the client certificate constraints or is that
>>> done implicitly through the SSL calls?
>>>
>>> Thank you
>>> Markus
>>> _______________________________________________
>>> radiator mailing list
>>> radiator at open.com.au
>>> http://www.open.com.au/mailman/listinfo/radiator
>>
>>
>>
>> NB:
>>
>> Have you read the reference manual ("doc/ref.html")?
>> Have you searched the mailing list archive
>> (www.open.com.au/archives/radiator)?
>> Have you had a quick look on Google (www.google.com)?
>> Have you included a copy of your configuration file (no secrets),
>> together with a trace 4 debug showing what is happening?
>>
>> --
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>> Includes support for reliable RADIUS transport (RadSec),
>> and DIAMETER translation agent.
>> -
>> Nets: internetwork inventory and management - graphical, extensible,
>> flexible with hardware, software, platform and database independence.
>> -
>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
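The check this thread converges on, carried one step further as an added example (it is not Markus's hook, not Radiator's code and not OpenVPN's verify_cert_eku()): decode the extKeyUsage extension to its raw OIDs and compare those numerically against a site policy, so the verdict does not depend on which text a particular library prints for each OID (the /clientAuth/ regex in the hook above relies on exactly that text). Go is used instead of Perl because its standard library can both mint a throw-away certificate and parse it, so the block runs offline. Policy, defaultPolicy, CheckClientAuthEKU, ExtKeyUsageOIDs and mintCert are names invented here; the subject user@COMPANY.COM is a constructed test value borrowed from the log lines in the thread; the OIDs are the RFC 5280 values and the Microsoft Smart Card Logon value Markus listed. A certificate with no extKeyUsage at all is unrestricted per RFC 5280, so whether to accept it is left to the policy and defaults to reject.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// OIDs from RFC 5280 4.2.1.12, plus the Microsoft one from Markus's list.
var (
	oidExtKeyUsage = asn1.ObjectIdentifier{2, 5, 29, 37}                     // the extension itself
	oidAnyEKU      = asn1.ObjectIdentifier{2, 5, 29, 37, 0}                  // anyExtendedKeyUsage
	oidClientAuth  = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 2}        // id-kp-clientAuth
	oidSmartCard   = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 20, 2, 2} // Smart Card Logon
)

// Policy is a hypothetical site policy: accepted EKU OIDs, and whether a
// certificate with no extKeyUsage extension at all is acceptable.
type Policy struct {
	Accepted   []asn1.ObjectIdentifier
	AllowNoEKU bool
}

// defaultPolicy is what the Perl hook enforces: clientAuth or anyExtendedKeyUsage.
var defaultPolicy = Policy{Accepted: []asn1.ObjectIdentifier{oidClientAuth, oidAnyEKU}}

// ExtKeyUsageOIDs decodes extKeyUsage (SEQUENCE OF OBJECT IDENTIFIER) from the
// raw extension bytes, so OIDs the library has no name for are returned too.
// The bool reports whether the extension is present at all.
func ExtKeyUsageOIDs(cert *x509.Certificate) ([]asn1.ObjectIdentifier, bool, error) {
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidExtKeyUsage) {
			continue
		}
		var oids []asn1.ObjectIdentifier
		_, err := asn1.Unmarshal(ext.Value, &oids)
		return oids, true, err
	}
	return nil, false, nil
}

// CheckClientAuthEKU returns the hook's verdict and the reason to log.
// OIDs are compared numerically, never by the name a library prints for them.
func CheckClientAuthEKU(cert *x509.Certificate, pol Policy) (bool, string) {
	oids, present, err := ExtKeyUsageOIDs(cert)
	if err != nil {
		return false, "malformed extKeyUsage: " + err.Error()
	}
	if !present {
		// RFC 5280: absent extKeyUsage means unrestricted; fail closed unless allowed.
		if pol.AllowNoEKU {
			return true, "no extKeyUsage extension, accepted by policy"
		}
		return false, "no extKeyUsage extension, rejected by policy"
	}
	for _, have := range oids {
		for _, want := range pol.Accepted {
			if have.Equal(want) {
				return true, "extKeyUsage " + have.String() + " permits client authentication"
			}
		}
	}
	return false, fmt.Sprintf("certificate without client authentication key usage: %v", oids)
}

// mintCert builds a throw-away self-signed certificate carrying exactly the
// given EKUs (no extKeyUsage extension when both lists are empty). Test data only.
func mintCert(known []x509.ExtKeyUsage, unknown []asn1.ObjectIdentifier) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:       big.NewInt(1),
		Subject:            pkix.Name{CommonName: "user@COMPANY.COM"}, // constructed subject
		NotBefore:          time.Now().Add(-time.Hour),
		NotAfter:           time.Now().Add(time.Hour),
		ExtKeyUsage:        known,
		UnknownExtKeyUsage: unknown,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// main answers Markus's question: a certificate whose only EKU is Secure Email is rejected.
func main() {
	cert, err := mintCert([]x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}, nil)
	if err != nil {
		panic(err)
	}
	fmt.Println(CheckClientAuthEKU(cert, defaultPolicy))
}
```

Running it prints false together with the reason line carrying the bare OID 1.3.6.1.5.5.7.3.4. Because the comparison is done on decoded OIDs, an EKU the library has no name for (the Smart Card Logon value, for instance) still reaches the policy comparison and is rejected unless the policy lists it; that is the kind of case that makes matching on printed names fragile.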