libradsec 0.0.4 adds support for certificate checking:

* Verifies that the certificate chains back to a configured CA
* Verifies that the certificate is issued to the appropriate hostname

These checks cannot be disabled.

In particular, something in the certificate must match the hostname
supplied. The check is fairly broad; it looks for DNS
subjectAlternativeNames as well as IP address and falls back to CN
checking.

I'm finding it horribly inconvenient for the next live DVD.
FreeRADIUS generates a certificate with completely bogus subject
information.
I could write a script to generate our own certs, although it's not
entirely clear what to put there.
I guess we could put 127.0.0.1 as an IP address SAN.

However, if that CA is only going to be used for radius server in the
realm in question, it may be desirable to ignore the hostname check.

Also, if there are multiple servers for a realm, do we expect their
certificates to be different?
Or do we expect the servers to have the same cert?
If so, is matching based on hostname in radsec.conf the right approach?

So, in addition to general comments, I'd appreciate input on the
following:

* Are there any situations where we don't want to do certificate
chaining? (I'm assuming no; for self-signed you can use the cert as a
CA)
* Do we want to be able to disable the hostname check?
* What configuration parameters do we want for cert checking?
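
An added sketch (not libradsec code, and not from the original message) of the kind of name check described above, run against constructed certificates shaped like Python's `ssl.getpeercert()` output. Assumptions: matching is exact and case-insensitive, and the CN is consulted only when the certificate carries no subjectAltName at all; libradsec's actual rules may differ.

```python
import ipaddress

def _as_ip(value):
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None  # not an IP literal, treat as a DNS name

def match_peer_name(cert, configured_host):
    """Return (matched, source) for the hostname configured for the server."""
    sans = cert.get("subjectAltName", ())
    host_ip = _as_ip(configured_host)
    for kind, value in sans:
        if host_ip is not None:
            # An IP literal in the config may only match an iPAddress SAN.
            if kind == "IP Address" and _as_ip(value) == host_ip:
                return True, "ip-san"
        elif kind == "DNS" and value.lower() == configured_host.lower():
            return True, "dns-san"
    if not sans:
        # Assumed fallback rule: CN is used only when no SAN is present.
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName" and value.lower() == configured_host.lower():
                    return True, "cn"
    return False, "none"

# Constructed sample certificates (illustrative values only).
BOGUS_SUBJECT = {"subject": ((("commonName", "Example Server Certificate"),),)}
LIVE_DVD = {"subject": ((("commonName", "radius"),),),
            "subjectAltName": (("IP Address", "127.0.0.1"),)}
SHARED_CERT = {"subject": ((("commonName", "realm servers"),),),
               "subjectAltName": (("DNS", "radius1.example.org"),
                                  ("DNS", "radius2.example.org"))}
CN_ONLY = {"subject": ((("commonName", "radius1.example.org"),),)}

if __name__ == "__main__":
    for name, cert, host in [("bogus subject", BOGUS_SUBJECT, "127.0.0.1"),
                             ("IP SAN", LIVE_DVD, "127.0.0.1"),
                             ("shared cert", SHARED_CERT, "radius2.example.org"),
                             ("CN only", CN_ONLY, "radius1.example.org")]:
        print(name, host, match_peer_name(cert, host))
```

The shared-certificate case shows one answer to the multiple-servers question: a single certificate listing each server's name as a DNS SAN passes a per-hostname check for every server in the realm.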