| author | Eivind Næss <eivnaes@yahoo.com> | 2021-03-14 16:17:41 -0700 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2021-03-15 10:17:41 +1100 |
| commit | b2a4275ba78b07a4e47dcefb8c9bf2fd8456184a (patch) | |
| tree | 23d800bed91e2c187a91d289dfe054bfc3ed55b5 /README.eap-tls | |
| parent | 24d80561dc54f67053a35b7c6a5c414f727e64d8 (diff) | |
| download | ppp-b2a4275ba78b07a4e47dcefb8c9bf2fd8456184a.tar.gz | |
pppd: EAP-TLS: Verify Subject or CommonName by suffix (#261)
This feature matches closely what OpenVPN and the network-manager-openvpn plugin do for
certificate verification. It allows the end user to configure the certificate to be matched by
its common name (entire string), its subject name, or the suffix of a subject name.
The latter is especially useful if you are trying to match against a random server in a RADIUS
pool. Lastly, it also allows you to turn off the certificate matching altogether.
tls-verify-method can have the following parameter values:
- none
- subject - The entire subject, e.g. /CN=some.server.org
- name - The entire common name, e.g. some.server.org
- suffix - The latter part of a name, e.g. servers.org
Secondly, it also introduces a new parameter 'tls-verify-key-usage' which permits checking
of the 'server' or 'client' side attributes of nsCertType and X509 extended key attributes.
For example, in client mode, it will verify that the received certificate has the 'server' side
attributes enabled.
Signed-off-by: Eivind Naess <eivnaes@yahoo.com>
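The commit message above describes four peer-name verification modes (none, subject, name, suffix) and a separate server/client key-usage check. The following C program is an added example written for this page; it is not pppd's code and does not parse real certificates. It models a peer certificate as a small struct with constructed values, implements the four modes as the message defines them, and adds the key-usage check for the role the local side plays. One behaviour is this example's own assumption, not documented pppd behaviour: a suffix is only accepted on a label boundary, so `servers.org` matches `radius1.servers.org` but not `evilservers.org`.

```c
/* Added example, not pppd code: models the EAP-TLS peer verification
 * modes named in the commit message, plus the server/client key-usage
 * check, over a constructed stand-in for the peer certificate. */
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Verification modes named in the commit message. */
enum verify_mode { VERIFY_NONE, VERIFY_SUBJECT, VERIFY_NAME, VERIFY_SUFFIX };

/* Which side the local pppd plays, for the key-usage check. */
enum peer_role { ROLE_CLIENT, ROLE_SERVER };

/* Constructed stand-in for the fields an implementation would extract
 * from the peer's X.509 certificate; no certificate parsing happens here. */
struct peer_cert {
    const char *subject;      /* full subject, e.g. "/CN=some.server.org" */
    const char *common_name;  /* CN attribute, e.g. "some.server.org" */
    int is_server;            /* nsCertType/EKU carry the server attribute */
    int is_client;            /* nsCertType/EKU carry the client attribute */
};

/* Map an option value to a mode; returns 0 for an unknown value. */
int parse_verify_mode(const char *value, enum verify_mode *out)
{
    if (strcmp(value, "none") == 0)         *out = VERIFY_NONE;
    else if (strcmp(value, "subject") == 0) *out = VERIFY_SUBJECT;
    else if (strcmp(value, "name") == 0)    *out = VERIFY_NAME;
    else if (strcmp(value, "suffix") == 0)  *out = VERIFY_SUFFIX;
    else return 0;
    return 1;
}

/* Assumption of this example (not documented pppd behaviour): a suffix
 * only matches on a label boundary, so "servers.org" matches
 * "some.servers.org" and "servers.org" itself, but not "evilservers.org". */
static int suffix_matches(const char *name, const char *suffix)
{
    size_t nlen = strlen(name), slen = strlen(suffix);
    if (slen == 0 || nlen < slen)
        return 0;
    if (strcasecmp(name + nlen - slen, suffix) != 0)
        return 0;
    return nlen == slen || name[nlen - slen - 1] == '.';
}

/* 1 when the certificate identity satisfies the mode for remotename.
 * DNS names are case-insensitive, so name/suffix use strcasecmp. */
int verify_tls_peer(enum verify_mode mode, const char *remotename,
                    const struct peer_cert *cert)
{
    switch (mode) {
    case VERIFY_NONE:    return 1;  /* identity matching switched off */
    case VERIFY_SUBJECT: return strcmp(cert->subject, remotename) == 0;
    case VERIFY_NAME:    return strcasecmp(cert->common_name, remotename) == 0;
    case VERIFY_SUFFIX:  return suffix_matches(cert->common_name, remotename);
    }
    return 0;
}

/* 1 when the peer's certificate carries the attribute for the opposite
 * role: a client expects a server certificate and a server a client one. */
int verify_key_usage(enum peer_role my_role, const struct peer_cert *cert)
{
    return my_role == ROLE_CLIENT ? cert->is_server : cert->is_client;
}

int main(void)
{
    /* Constructed sample: one server drawn from a RADIUS pool. */
    struct peer_cert cert = { "/CN=radius1.servers.org", "radius1.servers.org", 1, 0 };
    const char *modes[] = { "none", "subject", "name", "suffix" };
    const char *names[] = { "", "/CN=radius1.servers.org", "radius1.servers.org", "servers.org" };
    enum verify_mode m;

    for (int i = 0; i < 4; i++) {
        parse_verify_mode(modes[i], &m);
        printf("%-7s remotename=%-26s -> %s\n", modes[i], names[i],
               verify_tls_peer(m, names[i], &cert) ? "match" : "reject");
    }
    printf("key usage, local side is client -> %s\n",
           verify_key_usage(ROLE_CLIENT, &cert) ? "ok" : "reject");
    return 0;
}
```

The `none` branch returns success without looking at the certificate at all, which is why an administrator auditing an options file should treat that value as "peer identity unchecked" rather than as a default.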
Diffstat (limited to 'README.eap-tls')
-rw-r--r-- | README.eap-tls | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/README.eap-tls b/README.eap-tls index ab3794e..bc1066e 100644 --- a/README.eap-tls +++ b/README.eap-tls @@ -126,7 +126,7 @@ EAP-TLS authentication support for PPP ca <ca-file> Use the CA public certificate found in <ca-file> in PEM format - ca-path <directory> + capath <directory> Use the directory <directory> as the CA public certificate directory cert <cert-file> Use the client public certificate found in <cert-file> in PEM format @@ -147,6 +147,9 @@ EAP-TLS authentication support for PPP max-tls-version <1.0|1.1|1.2 (default)|1.3> Specify the maximum TLS protocol version to negotiate with peers. Defaults to TLSv1.2 as the TLSv1.3 code is experimental. + verify-tls-peer <none|subject|name|suffix> + Compare the remotename against the subject, certificate name, or + match by suffix. Default is 'name'. Note: password-encrypted certificates can be used as of v0.94 of this |
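Review bot: The first hunk (@@ -126,7) renames the documented option from `ca-path <directory>` to `capath <directory>`, a fix unrelated to the verify-tls-peer feature and not mentioned in the commit message; call it out there or split it into its own commit. Since the diffstat shows only README.eap-tls changing, also confirm that the option parser already accepts `capath`, so the README does not end up documenting a spelling the code rejects.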
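Review bot: The second hunk (@@ -147,6) documents the option as `verify-tls-peer <none|subject|name|suffix>`, but the commit message calls it `tls-verify-method` and also introduces `tls-verify-key-usage`, for which this README gets no entry; reconcile the option name and add a `tls-verify-key-usage` entry. The sentence "Compare the remotename against the subject, certificate name, or match by suffix" also leaves unclear which value means what; reuse the commit message's examples (`subject` is the entire subject such as /CN=some.server.org, `name` the entire common name, `suffix` the trailing part such as servers.org) and state explicitly that `none` disables matching the peer certificate against remotename, since that is the value an administrator must not pick by accident.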