[RADIATOR] Trust client certificates of a specific issuing CA
Heikki Vatiainen
hvn at open.com.au
Thu Jan 25 09:54:17 UTC 2018
On 21.4.2017 17.11, Philip Brusten wrote:
> OpenSSL added a new feature in 1.0.2 to accept a partial chain.
>
> It can be set using this flag X509_V_FLAG_PARTIAL_CHAIN which you could
> set using the Net::SSLeay::X509_STORE_set_flags
>
> Perhaps you could make an EAPTLS setting for this flag in Radiator?
Getting back to this: the patches have EAPTLS_CAPartialChain for TLS-based
EAP methods and TLS_CAPartialChain for stream-based modules, such as
Diameter and RadSec.

Support for X509_V_FLAG_PARTIAL_CHAIN was added some time ago and it was
just updated to include X509_V_FLAG_TRUSTED_FIRST too. The latter flag
is on by default with OpenSSL 1.1.0 and, based on the information we
gathered, should be a good addition with 1.0.2 too. However, Radiator
currently sets this flag only when the partial chain flag is enabled.

To test, do something like this:

Add the 'EAPTLS_CAPartialChain' configuration flag parameter to Radiator's
EAP-TLS configuration. Also change the CA file to something like this:

EAPTLS_CAFile certificates/intermediate-CA-I1-crt.pem

Set eapol_test, or another test client, to use

client_cert="certificates/client-I1-crt.pem"
private_key="certificates/client-key.pem"
private_key_password="whatever"

The above certificates come with the patches. Radiator's test certificates
were redone to include intermediate CAs, revoked and expired
certificates and CAs, and other useful features for testing. See
certificates/README-demoCA.txt and certificates/README for the details.

If you have time to test this, please let us know how it goes.
Thanks,
Heikki
--
Heikki Vatiainen <hvn at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.