[RADIATOR] Request for TLS_SubjectAltNameDNS check
Jan Tomasek
jan at tomasek.cz
Wed Oct 11 17:28:15 UTC 2017
Hello,
I'm working as an NREN eduroam operator at CESNET. We have connected about
150 RADSEC peers using a config like this:
<Handler RecvFromAddress=/^(?!195.113.xx.x$)/o, Realm=vsup.cz>
    Identifier vsup_cz
    <AuthBy RADSEC>
        #Host radius.vsup.cz
        Host 195.113.xx.x
        Secret radsec
        LocalAddress 195.113.xxx.xx
        TLS_Protocols TLSv1, TLSv1.1, TLSv1.2
        TLS_CAPath /etc/ssl/certs
        TLS_CertificateFile /etc/ssl/certs/radius1.eduroam.cz.crt
        TLS_CertificateType PEM
        TLS_PrivateKeyFile /etc/ssl/private/radius1.eduroam.cz.key
        TLS_CRLCheck
        TLS_CRLFile /etc/ssl/crl/*.r0
        TLS_ExpectedPeerName CN=(|.+/)radius.vsup.cz(|/emailAddress=.+)$
    </AuthBy>
    AuthLog FTICKS
    AuthLog FTICKS-FULL
    AuthLog defaultAuthLog
</Handler>
Originally we were using hostnames, but as our eduroam federation grew,
Radiator's start-up became slower and slower. The delay was
non-deterministic and was caused by hostname-to-IP resolution, so we
switched to IP addresses. But IP addresses complicate peer
verification. At the moment we are using TLS_ExpectedPeerName, but our
peers sometimes try to use a certificate which does not have the right
Subject DN; it would be better to be able to verify SubjectAltName:DNS.
Is there any chance of getting this implemented? Something like
TLS_SubjectAltNameURI, but for DNS?
Thanks
--
-----------------------
Jan Tomasek aka Semik
http://www.tomasek.cz/
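The check asked for in the post, as an added example that is not part of the post and not Radiator code: a small POSIX shell script that pulls the subjectAltName DNS entries out of a peer certificate with the openssl CLI and matches the expected RADSEC hostname against them the way a TLS_SubjectAltNameDNS option would have to, including the RFC 6125 rule that a wildcard stands only for the whole leftmost label. Because the Host entries are IP addresses, the expected name still has to be configured explicitly, exactly as the post's TLS_ExpectedPeerName already is. The certificate it runs against is generated inline, and its names (rad-fw-01.internal.example as an unrelated Subject CN, radius.vsup.cz and *.eduroam.vsup.cz as SANs) are constructed for this example; TLS_SubjectAltNameDNS is the option the post proposes, not an existing Radiator directive.

```shell
#!/bin/sh
# Added example, not Radiator code: verify a RADSEC peer certificate by its
# subjectAltName DNS entries instead of its Subject DN. Needs the openssl CLI.
# The certificate, key and names below are constructed for this example.

# Print the DNS entries of the certificate's subjectAltName, one per line.
cert_san_dns() {
    openssl x509 -in "$1" -noout -text |
        awk '/Subject Alternative Name/ { getline; print; exit }' |
        tr ',' '\n' |
        sed -n 's/^[[:space:]]*DNS:\([^[:space:],]*\).*$/\1/p'
}

# Print the Subject CN, i.e. what a TLS_ExpectedPeerName regex looks at.
cert_subject_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/^subject=.*CN=\([^,]*\).*$/\1/p'
}

# Compare one SAN entry ($2) with the expected host name ($1), RFC 6125 style:
# case-insensitive, and a wildcard only stands for the whole leftmost label
# (*.eduroam.vsup.cz matches rad1.eduroam.vsup.cz, but neither
# a.b.eduroam.vsup.cz nor eduroam.vsup.cz itself).
dns_name_matches() {
    name=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    pattern=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    case "$pattern" in
        '*.'*)
            suffix=${pattern#\*}           # e.g. ".eduroam.vsup.cz"
            head=${name%"$suffix"}         # what precedes the suffix, if it matches
            # head must exist, the suffix must have matched, and head must
            # contain no further dot (exactly one label)
            if [ -n "$head" ] && [ "$head" != "$name" ] && \
               [ "${head#*.}" = "$head" ]; then
                return 0
            fi
            return 1
            ;;
        *)
            [ "$name" = "$pattern" ] && return 0
            return 1
            ;;
    esac
}

# Accept the peer if any SAN DNS entry matches the expected name.
peer_san_matches() {
    found=1
    while IFS= read -r san; do
        if dns_name_matches "$2" "$san"; then
            found=0
        fi
    done <<EOF
$(cert_san_dns "$1")
EOF
    return $found
}

# Constructed test material: a self-signed certificate whose Subject CN is
# not the RADSEC hostname at all, but whose SAN carries the right DNS names.
# This is the kind of peer certificate the post describes, which a Subject DN
# match such as TLS_ExpectedPeerName rejects.
TEST_DIR=$(mktemp -d)
trap 'rm -rf "$TEST_DIR"' EXIT
cat > "$TEST_DIR/san.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3
[dn]
CN = rad-fw-01.internal.example
[v3]
subjectAltName = DNS:radius.vsup.cz, DNS:*.eduroam.vsup.cz
EOF
TEST_CERT=$TEST_DIR/peer.crt
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$TEST_DIR/san.cnf" \
    -keyout "$TEST_DIR/peer.key" -out "$TEST_CERT" 2>/dev/null

# Show the difference: the Subject CN does not match, the SAN does.
printf 'Subject CN: %s\n' "$(cert_subject_cn "$TEST_CERT")"
printf 'SAN DNS:    %s\n' "$(cert_san_dns "$TEST_CERT" | tr '\n' ' ')"
if peer_san_matches "$TEST_CERT" radius.vsup.cz; then
    echo "radius.vsup.cz: accepted via subjectAltName:DNS"
else
    echo "radius.vsup.cz: rejected"
fi
```

Run it against a real peer by replacing TEST_CERT with the certificate the peer presents (for example one saved with `openssl s_client -showcerts` against the RADSEC port); the wildcard handling deliberately refuses to let `*.cz` cover `radius.vsup.cz`, since a wildcard that spans labels would let any certificate under the TLD pass.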