[RADIATOR] Request for TLS_SubjectAltNameDNS check

Jan Tomasek jan at tomasek.cz
Wed Oct 11 17:28:15 UTC 2017


I'm working as an NREN eduroam operator at CESNET. We have connected about 
150 RADSEC peers using a config like this:

<Handler RecvFromAddress=/^(?!195.113.xx.x$)/o, Realm=vsup.cz>
   Identifier            vsup_cz
   <AuthBy RADSEC>
     #Host                radius.vsup.cz
     Host                195.113.xx.x
     Secret              radsec

     LocalAddress        195.113.xxx.xx

     TLS_Protocols       TLSv1, TLSv1.1, TLSv1.2
     TLS_CAPath          /etc/ssl/certs
     TLS_CertificateFile /etc/ssl/certs/radius1.eduroam.cz.crt
     TLS_CertificateType PEM
     TLS_PrivateKeyFile  /etc/ssl/private/radius1.eduroam.cz.key
     TLS_CRLFile         /etc/ssl/crl/*.r0
     TLS_ExpectedPeerName CN=(|.+/)radius.vsup.cz(|/emailAddress=.+)$
   </AuthBy>

   AuthLog               FTICKS
   AuthLog               FTICKS-FULL
   AuthLog               defaultAuthLog
</Handler>

Originally we were using hostnames, but as our eduroam federation was 
growing, Radiator startup was getting slower and slower. The delay was 
nondeterministic and was caused by hostname-to-IP translation, so we 
switched to IP addresses. But IP addresses complicate peer 
verification. At this moment we are using TLS_ExpectedPeerName, but our 
peers sometimes try to use a certificate which does not have the right 
Subject DN; it would be better to be able to verify SubjectAltName:DNS. 
Is there any chance to get this implemented? Something like 
TLS_SubjectAltNameURI but for DNS?


Jan Tomasek aka Semik
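The check requested above, as an added example in Python (not Radiator code and not part of the original post): the Subject DN regex from the config beside an RFC 6125-style matcher over a certificate's DNS SubjectAltName entries. The peer records are constructed dicts standing in for an already-parsed peer certificate; no certificate parsing is done here.

```python
import re

# Regex taken from the TLS_ExpectedPeerName line in the post, with the dots
# escaped (the original leaves them unescaped, so they match any character).
EXPECTED_PEER_NAME = re.compile(r"CN=(|.+/)radius\.vsup\.cz(|/emailAddress=.+)$")

# Constructed peer records: one-line Subject DN plus the DNS SANs of the cert.
PEER_GOOD_CN = {"subject": "/C=CZ/O=VSUP/CN=radius.vsup.cz/emailAddress=hostmaster@vsup.cz",
                "san_dns": ["radius.vsup.cz"]}
# The case described in the post: no usable CN, but the hostname is in the SANs.
PEER_SAN_ONLY = {"subject": "/C=CZ/O=VSUP/CN=VSUP RADIUS server",
                 "san_dns": ["radius.vsup.cz", "radius2.vsup.cz"]}
PEER_WRONG = {"subject": "/C=CZ/O=Other/CN=radius.other.cz",
              "san_dns": ["radius.other.cz"]}


def subject_dn_ok(subject_dn):
    """Current Radiator-style check: regex over the one-line Subject DN."""
    return EXPECTED_PEER_NAME.search(subject_dn) is not None


def san_dns_matches(expected_host, san_dns):
    """Match expected_host against DNS SANs: case-insensitive, trailing dot
    ignored, '*' allowed only as the whole leftmost label and only when at
    least two labels follow it (RFC 6125 style). IP-literal SANs never match."""
    exp = expected_host.lower().rstrip(".").split(".")
    for name in san_dns:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) != len(exp):
            continue
        if labels[0] == "*":
            if len(labels) >= 3 and labels[1:] == exp[1:]:
                return True
            continue
        if labels == exp:
            return True
    return False


def peer_accepted(peer, expected_host):
    """Accept the peer if either the Subject DN regex or a DNS SAN matches,
    which is what the requested TLS_SubjectAltNameDNS option would add."""
    return subject_dn_ok(peer["subject"]) or san_dns_matches(expected_host, peer["san_dns"])


if __name__ == "__main__":
    for label, peer in (("good CN", PEER_GOOD_CN), ("SAN only", PEER_SAN_ONLY), ("wrong", PEER_WRONG)):
        print(label, "subject:", subject_dn_ok(peer["subject"]),
              "san:", san_dns_matches("radius.vsup.cz", peer["san_dns"]))
```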
