path: root/pppd/auth.c
author: Eivind Næss <eivnaes@yahoo.com> 2021-03-14 16:17:41 -0700
committer: GitHub <noreply@github.com> 2021-03-15 10:17:41 +1100
commit: b2a4275ba78b07a4e47dcefb8c9bf2fd8456184a (patch)
tree: 23d800bed91e2c187a91d289dfe054bfc3ed55b5 /pppd/auth.c
parent: 24d80561dc54f67053a35b7c6a5c414f727e64d8 (diff)
download: ppp-b2a4275ba78b07a4e47dcefb8c9bf2fd8456184a.tar.gz
pppd: EAP-TLS: Verify Subject or CommonName by suffix (#261)
This feature matches closely what OpenVPN and the network-manager-openvpn plugin do for certificate verification. It allows the end user to configure the certificate to be matched by its common name (entire string), its subject name, or the suffix of a subject name. The latter is especially useful if you are trying to match against a random server in a RADIUS pool. Lastly, it also allows you to turn off the certificate matching altogether.

tls-verify-method can have the following parameter values:

- none
- subject - The entire subject, e.g. /CN=some.server.org
- name - The entire common name, e.g. some.server.org
- suffix - The latter part of a name, e.g. servers.org

Secondly, it also introduces a new parameter 'tls-verify-key-usage' which permits checking of the 'server' or 'client' side attributes of nsCertType and X509 extended key attributes. For example, in client mode, it will verify that the received certificate has the 'server' side attributes enabled.

Signed-off-by: Eivind Naess <eivnaes@yahoo.com>
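The matching rules the commit message lays out (none, subject, name, suffix), as an added example written for this page rather than code from pppd or its author: a small C implementation that applies each tls-verify-method value to a one-line certificate subject. All identifiers here (`tls_verify_peer`, `parse_verify_method`, the `VERIFY_*` enum) are hypothetical; pppd's own names are not shown on this page. It assumes the subject arrives in OpenSSL's `/C=../O=../CN=..` one-line form, compares DNS-style names case-insensitively, and adds one hardening step the commit text does not describe: a suffix must start on a label boundary, so `servers.org` matches `radius1.servers.org` but not `evilservers.org`. What pppd does when the option is absent, and the separate tls-verify-key-usage check, are not modelled.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names: pppd's real enum and function names are not on this page. */
enum tls_verify_method_id {
    VERIFY_NONE,      /* "none": skip the match entirely */
    VERIFY_SUBJECT,   /* "subject": the whole one-line subject must match */
    VERIFY_NAME,      /* "name": the whole CN must match */
    VERIFY_SUFFIX,    /* "suffix": the CN must end with the configured suffix */
    VERIFY_INVALID    /* anything else, including a missing value */
};

/* Map the option string to a method. NULL is reported as invalid so the caller
 * has to choose the default explicitly; the page does not say what pppd defaults to. */
enum tls_verify_method_id parse_verify_method(const char *s)
{
    if (s == NULL) return VERIFY_INVALID;
    if (strcmp(s, "none") == 0) return VERIFY_NONE;
    if (strcmp(s, "subject") == 0) return VERIFY_SUBJECT;
    if (strcmp(s, "name") == 0) return VERIFY_NAME;
    if (strcmp(s, "suffix") == 0) return VERIFY_SUFFIX;
    return VERIFY_INVALID;   /* e.g. a typo such as "sufix" is rejected, not ignored */
}

/* ASCII case-insensitive compare (DNS names are case-insensitive). */
static int ascii_casecmp(const char *a, const char *b)
{
    while (*a && *b) {
        int ca = tolower((unsigned char)*a), cb = tolower((unsigned char)*b);
        if (ca != cb) return ca - cb;
        a++; b++;
    }
    return (unsigned char)*a - (unsigned char)*b;
}

/* Pull the CN value out of a one-line subject such as "/C=NO/O=Example/CN=host".
 * Assumes the OpenSSL X509_NAME_oneline layout: attributes separated by '/'. */
static bool subject_common_name(const char *subject, char *out, size_t outlen)
{
    const char *p = strstr(subject, "/CN=");
    if (p == NULL) return false;
    p += 4;
    const char *end = strchr(p, '/');
    size_t n = end ? (size_t)(end - p) : strlen(p);
    if (n == 0 || n >= outlen) return false;
    memcpy(out, p, n);
    out[n] = '\0';
    return true;
}

/* Suffix match that must begin on a DNS label boundary. The boundary rule is
 * hardening added here; the commit message describes a plain suffix match. */
static bool suffix_match(const char *name, const char *suffix)
{
    size_t nlen = strlen(name), slen = strlen(suffix);
    if (slen == 0 || slen > nlen) return false;
    const char *tail = name + (nlen - slen);
    if (ascii_casecmp(tail, suffix) != 0) return false;
    return nlen == slen || suffix[0] == '.' || tail[-1] == '.';
}

/* true when the peer's subject satisfies the configured method.
 * subject: one-line subject of the received certificate.
 * expected: the configured value (ignored for VERIFY_NONE). */
bool tls_verify_peer(enum tls_verify_method_id method, const char *subject, const char *expected)
{
    char cn[256];
    if (method == VERIFY_NONE) return true;
    if (subject == NULL || expected == NULL) return false;
    switch (method) {
    case VERIFY_SUBJECT:
        return strcmp(subject, expected) == 0;
    case VERIFY_NAME:
        return subject_common_name(subject, cn, sizeof cn) && ascii_casecmp(cn, expected) == 0;
    case VERIFY_SUFFIX:
        return subject_common_name(subject, cn, sizeof cn) && suffix_match(cn, expected);
    default:
        return false;   /* VERIFY_INVALID: fail closed */
    }
}

int main(void)
{
    /* Constructed sample subjects for illustration, not from any real certificate. */
    const char *pool = "/C=NO/O=Example/CN=radius1.servers.org";
    const char *evil = "/C=NO/O=Example/CN=evilservers.org";
    printf("suffix servers.org vs pool member: %d\n", tls_verify_peer(VERIFY_SUFFIX, pool, "servers.org"));
    printf("suffix servers.org vs evilservers: %d\n", tls_verify_peer(VERIFY_SUFFIX, evil, "servers.org"));
    printf("name radius1.servers.org:          %d\n", tls_verify_peer(VERIFY_NAME, pool, "radius1.servers.org"));
    printf("'sufix' rejected at parse time:    %d\n", parse_verify_method("sufix") == VERIFY_INVALID);
    return 0;
}
```

The label-boundary rule is the caveat to carry back to the option itself: a bare suffix compare of `servers.org` accepts any CN ending in those characters, including `evilservers.org`, so when matching a RADIUS pool by suffix, either configure the suffix with its leading dot or make the check boundary-aware as above.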
Diffstat (limited to 'pppd/auth.c')
-rw-r--r-- pppd/auth.c 6
1 files changed, 6 insertions, 0 deletions
diff --git a/pppd/auth.c b/pppd/auth.c
index b1271c4..6ccdbf8 100644
--- a/pppd/auth.c
+++ b/pppd/auth.c
@@ -258,6 +258,8 @@ char *privkey_file = NULL; /* client private key file (pem format) */
char *crl_dir = NULL; /* directory containing CRL files */
char *crl_file = NULL; /* Certificate Revocation List (CRL) file (pem format) */
char *max_tls_version = NULL; /* Maximum TLS protocol version (default=1.2) */
+char *tls_verify_method = NULL;
+bool tls_verify_key_usage = 0;
bool need_peer_eap = 0; /* Require peer to authenticate us */
#endif
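Review bot: the two new globals, `+char *tls_verify_method = NULL;` and `+bool tls_verify_key_usage = 0;`, are the only declarations in this block without a trailing comment, while their neighbours state both purpose and default (`/* Maximum TLS protocol version (default=1.2) */`). Please add comments saying which verification method applies when `tls_verify_method` is left NULL and that key-usage checking is off unless the option is given; for both variables the default is the security-relevant fact, and a reader of this hunk cannot tell what it is.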
@@ -445,6 +447,10 @@ option_t auth_options[] = {
{ "crl", o_string, &crl_file, "Use specific CRL file" },
{ "max-tls-version", o_string, &max_tls_version,
"Maximum TLS version (1.0/1.1/1.2 (default)/1.3)" },
+ { "tls-verify-key-usage", o_bool, &tls_verify_key_usage,
+ "Verify certificate type and extended key usage" },
+ { "tls-verify-method", o_string, &tls_verify_method,
+ "Verify peer by method (none|subject|name|suffix)" },
{ "need-peer-eap", o_bool, &need_peer_eap,
"Require the peer to authenticate us", 1 },
#endif /* USE_EAPTLS */
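Review bot: `tls-verify-method` is registered as a plain `o_string`, so nothing in this hunk rejects a value outside `none|subject|name|suffix`; a misspelling such as `sufix` is accepted at parse time and whatever consumes `tls_verify_method` later must deal with it, which is not visible here. Suggest validating the value when the option is parsed (the option table supports handler functions, as used elsewhere in this file) so a bad value is a configuration error rather than a silent fallback. Two smaller points on the same lines: the help text should state the default the way `max-tls-version` does (`"Maximum TLS version (1.0/1.1/1.2 (default)/1.3)"`), and since `none` turns off peer certificate matching entirely, the `tls-verify-method` help string should say so rather than listing it as just another method.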