diff options
author | Eivind Næss <eivnaes@yahoo.com> | 2021-03-14 16:17:41 -0700 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-03-15 10:17:41 +1100 |
commit | b2a4275ba78b07a4e47dcefb8c9bf2fd8456184a (patch) | |
tree | 23d800bed91e2c187a91d289dfe054bfc3ed55b5 /pppd/pppd.h | |
parent | 24d80561dc54f67053a35b7c6a5c414f727e64d8 (diff) | |
download | ppp-b2a4275ba78b07a4e47dcefb8c9bf2fd8456184a.tar.gz |
pppd: EAP-TLS: Verify Subject or CommonName by suffix (#261)
This feature matches closely what OpenVPN and the network-manager-openvpn plugin do for
certificate verification. It allows the end user to configure the certificate to be matched by
its common name (entire string), its subject name, or the suffix of a subject name.
The latter is especially useful if you are trying to match against a random server in a RADIUS
pool. Lastly, it also allows you to turn off the certificate matching altogether.
tls-verify-method can have the following parameter values:
- none
- subject - The entire subject, e.g. /CN=some.server.org
- name - The entire common name, e.g. some.server.org
- suffix - The latter part of a name, e.g. servers.org
Secondly, it also introduces a new parameter 'tls-verify-key-usage' which permits checking
of the 'server' or 'client' side attributes of nsCertType and X509 extended key attributes.
For example, in client mode, it will verify that received certificate has the 'server' side
attributes enabled.
Signed-off-by: Eivind Naess <eivnaes@yahoo.com>
Diffstat (limited to 'pppd/pppd.h')
-rw-r--r-- | pppd/pppd.h | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/pppd/pppd.h b/pppd/pppd.h index 612902f..05e8e37 100644 --- a/pppd/pppd.h +++ b/pppd/pppd.h @@ -336,9 +336,17 @@ extern bool dryrun; /* check everything, print options, exit */ extern int child_wait; /* # seconds to wait for children at end */ #ifdef USE_EAPTLS + +#define TLS_VERIFY_NONE "none" +#define TLS_VERIFY_NAME "name" +#define TLS_VERIFY_SUBJECT "subject" +#define TLS_VERIFY_SUFFIX "suffix" + extern char *crl_dir; extern char *crl_file; extern char *max_tls_version; +extern bool tls_verify_key_usage; +extern char *tls_verify_method; #endif /* USE_EAPTLS */ #ifdef MAXOCTETS |