[RADIATOR] Request for TLS_SubjectAltNameDNS check
vartiait at open.com.au
Fri Oct 13 16:57:45 UTC 2017
> On 11 Oct 2017, at 20.28, Jan Tomasek <jan at tomasek.cz> wrote:
> Originally we were using hostnames, but as our eduroam federation was growing Radiator start was going to be slower and slower. Delay was indeterministic and was caused by hostname to IP translation, so we switched to IP addresses. But IP addresses are complicating peer verification. At this moment we are using TLS_ExpectedPeerName but our peers sometimes try to use a certificate which has no right SubjectDN, it would be better to be able to verify SubjectAltName:DNS. Is there any chance to get this implemented? Something like TLS_SubjectAltNameURI but for DNS?
Radiator currently supports SubjectAltName:DNS when it’s an initiator for RadSec connection.
I created a feature request for adding the support also for RadSec responder.
Tuure Vartiainen <vartiait at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
More information about the radiator