How to check values of the TLS-Client-Cert-X509v3-Extended-Key-Usage-OID attribute?


Arnaud LAURIOU
Hi,

I would like to check the values of the TLS-Client-Cert-X509v3-Extended-Key-Usage-OID attribute contained in a client's certificate when establishing an incoming RadSec connection on a proxy server.

If those values match known strings, then process the request, else close the RadSec connection.

How can I do that with FR 3.0.21?

Regards,

Arnaud Lauriou
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: How to check values of the TLS-Client-Cert-X509v3-Extended-Key-Usage-OID attribute?

Alan DeKok
On Mar 24, 2021, at 5:36 AM, Arnaud LAURIOU <[hidden email]> wrote:
> I would like to check the values of the TLS-Client-Cert-X509v3-Extended-Key-Usage-OID
> attribute contained in a client's certificate when establishing an incoming RadSec
> connection on a proxy server.
>
> If those values match known strings then process the request else close the RadSec
> connection.
>
> How can I do that with FR 3.0.21?

  Read the debug output.  It prints out which TLS-Client-Cert attributes are available, where they go, and what their values are.

  But... the main issue is that the server doesn't support applying policies to the incoming socket.  See src/main/tls_listen.c:

                /*
                 * FIXME: Run the request through a virtual
                 * server in order to see if we like the
                 * certificate presented by the client.
                 */

  :(

  The real solution is to rely on the TLS framework.  If you don't like a certificate, then revoke it.

  What are the circumstances where you don't control the cert issue, but do want to check the various cert fields?

  Alan DeKok.



Re: How to check values of the TLS-Client-Cert-X509v3-Extended-Key-Usage-OID attribute?

Arnaud LAURIOU


On 3/24/21 12:32 PM, Alan DeKok wrote:
>    Read the debug output.  It prints out which TLS-Client-Cert attributes are available, where they go, and what their values are.
Yes, and in fact there is a misunderstanding on my side: I am looking for X509v3 Certificate Policies, which are not in the debug output and therefore not in the TLS-Client-Cert-X509v3-Extended-Key-Usage-OID attribute.

I understand that I can check them with the external 'openssl verify' command; I will try that.

Regards,

Arnaud Lauriou
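As an added example (not from this thread and not FreeRADIUS code), here is how the external check mentioned in the last reply can be done with the openssl CLI. It builds a throw-away CA and two client certificates, one carrying a constructed placeholder policy OID (1.3.6.1.4.1.99999.1.1) and one without, prints the Certificate Policies OIDs that no TLS-Client-Cert-* attribute exposes, and accepts only a certificate that both verifies against the CA under RFC 5280 policy processing and asserts an OID from an allow list. The CA, the certificates, the OID, the config and file names are all assumptions made for the demonstration; it needs OpenSSL 1.1.1 or later.

```sh
#!/bin/sh
# Added example (not from the thread, not FreeRADIUS code): check the
# X509v3 Certificate Policies of a RadSec client certificate with the
# openssl CLI. Needs OpenSSL 1.1.1 or later (for `x509 -ext`).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed placeholder OID in a private-enterprise arc; a real deployment
# would use the policy OID its federation or CA actually publishes.
POLICY_OID=1.3.6.1.4.1.99999.1.1

# One self-contained config drives every openssl call, so the result does not
# depend on the distribution's openssl.cnf. The two client sections give the
# check a positive case (policy asserted) and a negative case (no policy).
cat >"$WORK/radsec.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[client_with_policy]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
certificatePolicies = $POLICY_OID
[client_without_policy]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF

# Throw-away CA plus one client key; the same CSR is signed twice, once per
# extension section above.
build_fixture() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$WORK/radsec.cnf" -extensions ca_ext \
        -subj "/CN=Example RadSec CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -config "$WORK/radsec.cnf" -subj "/CN=radsec-client.example" \
        -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
    for section in client_with_policy client_without_policy; do
        openssl x509 -req -days 1 -in "$WORK/client.csr" \
            -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
            -extfile "$WORK/radsec.cnf" -extensions "$section" \
            -out "$WORK/$section.pem" 2>/dev/null
    done
}

# cert_policy_oids CERT
# Print the policy OIDs the leaf asserts, one per line (nothing if the
# extension is absent). These are the values the FreeRADIUS debug output
# does not show, because 3.0 exposes no attribute for them.
cert_policy_oids() {
    openssl x509 -in "$1" -noout -ext certificatePolicies 2>/dev/null |
        awk '$1 == "Policy:" { print $2 }'
}

# radsec_policy_ok CA_BUNDLE CERT OID [OID ...]
# Succeed only if CERT chains to CA_BUNDLE under RFC 5280 policy processing
# for the listed OIDs and the leaf itself asserts one of them.
#   -policy_check    turns policy processing on (older releases did not
#                    enable it for -policy alone);
#   -explicit_policy makes a chain with no valid policy a hard failure, so a
#                    certificate that merely omits the extension is rejected.
# The final loop is the literal "match known strings" from the question and
# does not depend on the policy-tree result.
radsec_policy_ok() {
    pol_ca=$1; pol_cert=$2; shift 2
    pol_args=""
    for oid in "$@"; do pol_args="$pol_args -policy $oid"; done
    # shellcheck disable=SC2086   # $pol_args is meant to split into words
    openssl verify -CAfile "$pol_ca" -policy_check -explicit_policy $pol_args \
        "$pol_cert" >/dev/null 2>&1 || return 1
    for asserted in $(cert_policy_oids "$pol_cert"); do
        for oid in "$@"; do
            [ "$asserted" = "$oid" ] && return 0
        done
    done
    return 1
}

build_fixture
for cert in "$WORK/client_with_policy.pem" "$WORK/client_without_policy.pem"; do
    echo "$(basename "$cert") asserts: $(cert_policy_oids "$cert" | tr '\n' ' ')"
    if radsec_policy_ok "$WORK/ca.pem" "$cert" "$POLICY_OID"; then
        echo "  -> accept the RadSec connection"
    else
        echo "  -> close the RadSec connection"
    fi
done
```

Since the proxy in 3.0.21 has no hook to run such a test on the incoming socket (the FIXME quoted above), a check like this has to run out of band, for example when a peer's certificate is onboarded or at issuance time, which is also where the advice to simply revoke an unwanted certificate applies.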