[RADIATOR] Request for TLS_SubjectAltNameDNS check

Jan Tomasek jan at tomasek.cz
Tue Oct 31 14:34:57 UTC 2017


Hi Tuure,

On 10/13/2017 06:57 PM, Tuure Vartiainen wrote:
>> On 11 Oct 2017, at 20.28, Jan Tomasek <jan at tomasek.cz> wrote:
>>
>> Originally we were using hostnames, but as our eduroam federation
>> was growing, Radiator startup was getting slower and slower. The delay
>> was nondeterministic and was caused by hostname-to-IP translation,
>> so we switched to IP addresses.  But IP addresses complicate
>> peer verification. At this moment we are using TLS_ExpectedPeerName,
>> but our peers sometimes try to use a certificate which does not have
>> the right SubjectDN; it would be better to be able to verify
>> SubjectAltName:DNS. Is there any chance to get this implemented?
>> Something like TLS_SubjectAltNameURI but for DNS?
>>
>
> Radiator currently supports SubjectAltName:DNS when it's the initiator
> of a RadSec connection.

How do I configure this? My problem is that I need to initiate the RadSec
connection by IP address, this way:

<Handler RecvFromAddress=/^(?!195.113.xx.x$)/o, Realm=vsup.cz>
   Identifier            vsup_cz
   <AuthBy RADSEC>
     Host                195.113.xx.x
     Secret              radsec
   </AuthBy>
</Handler>

When I use Host = IP address, I have no option to tell Radiator which
value to compare against SubjectAltName:DNS.

Thanks
-- 
-----------------------
Jan Tomasek aka Semik
http://www.tomasek.cz/
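The check the thread is asking for, as an added example that is not Radiator's code and not part of the original post: when the TLS connection is opened to an IP address, the peer's certificate cannot be validated against that address unless the certificate carries an IP Address SAN, so the expected DNS name has to be configured explicitly and compared against the SubjectAltName:DNS entries. The code uses the dictionary shape returned by Python's ssl.SSLSocket.getpeercert(), so the same function can be run on a live connection; the certificate contents, hostnames and IP addresses below are constructed placeholders.

```python
# Added example (not Radiator's code): compare an explicitly configured expected
# name against a peer certificate's SubjectAltName entries, independent of the
# address the TLS connection was opened to. Works on the dict shape returned by
# ssl.SSLSocket.getpeercert().
import ipaddress


def _dns_label_match(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: only a lone '*' as the whole leftmost label is a wildcard,
    and it matches exactly one label (no '*.cz'-style matches)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def san_dns_names(cert: dict) -> list:
    """SubjectAltName DNS entries of a getpeercert()-style dict."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def san_ip_addresses(cert: dict) -> list:
    """SubjectAltName iPAddress entries; getpeercert() labels them 'IP Address'."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "IP Address"]


def peer_matches(cert: dict, expected: str) -> bool:
    """True if `expected` (a DNS name or an IP literal) is covered by the SAN.

    An IP literal is only compared with 'IP Address' entries, never with DNS
    entries, and the subject CN is deliberately ignored: a peer reached by IP
    therefore needs its DNS name configured explicitly to pass this check.
    """
    try:
        ip = ipaddress.ip_address(expected)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ipaddress.ip_address(v) == ip for v in san_ip_addresses(cert))
    return any(_dns_label_match(p, expected) for p in san_dns_names(cert))


# Constructed sample (placeholder names): what getpeercert() would return for a
# peer whose certificate names the RADIUS server by DNS only and whose subject
# CN is a stale name that should not be trusted.
PEER_CERT = {
    "subject": ((("commonName", "old-name.example.org"),),),
    "subjectAltName": (("DNS", "radius.vsup.example"), ("DNS", "*.idp.vsup.example")),
}

if __name__ == "__main__":
    # Connected by IP: the address itself cannot be validated against a DNS SAN.
    print(peer_matches(PEER_CERT, "192.0.2.10"))
    # The explicitly configured expected DNS name is what passes.
    print(peer_matches(PEER_CERT, "radius.vsup.example"))
```

On a real connection, pass the result of `sock.getpeercert()` as `cert` and the configured expected name as `expected`; the function returns False for the connection's IP address unless the certificate carries that IP as an 'IP Address' SAN entry, which is exactly the gap the thread describes.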

