[RADIATOR] Request for TLS_SubjectAltNameDNS check
jan at tomasek.cz
Tue Oct 31 14:34:57 UTC 2017
On 10/13/2017 06:57 PM, Tuure Vartiainen wrote:
>> On 11 Oct 2017, at 20.28, Jan Tomasek <jan at tomasek.cz> wrote:
>> Originally we were using hostnames, but as our eduroam federation
>> was growing Radiator start was going to be slower and slower. Delay
>> was indeterministic and was caused by hostname to IP translation,
>> so we switched to IP addresses. But IP addresses are complicating
>> peer verification. At this moment we are using TLS_ExpectedPeerName
>> but our peers sometimes try to use a certificate which has no right
>> SubjectDN, it would be better to be able to verify
>> SubjectAltName:DNS. Is there any chance to get this implemented?
>> Something like TLS_SubjectAltNameURI but for DNS?
> Radiator currently supports SubjectAltName:DNS when it’s an initiator
> for RadSec connection.
how to configure this? My problem is that I need to initiate RadSec
connection by IP adress this way:
<Handler RecvFromAddress=/^(?!195.113.xx.x$)/o, Realm=vsup.cz>
When I use HOST = IPaddress I've no option how to tell Radiator which
value compare against SubjectAltName:DNS.
Jan Tomasek aka Semik
More information about the radiator