Bug #11054

open

Check Client Certificate CN not working as described

Added by Anonymous about 1 year ago. Updated 10 months ago.

Status: Feedback
Priority: Normal
Assignee:
Category: FreeRADIUS
Target version: -
Start date: 11/11/2020
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Affected Version: 2.4.5-p1
Affected Plus Version:
Affected Architecture: All

Description

Page: Services / FreeRADIUS
Tab: EAP
Section: EAP-TLS
Option: Check Client Certificate CN

Actual result when enabled:

A user attempting TLS authentication with a certificate signed by the configured CA, and with a common name matching the user-provided identity, passes authentication even if that common name/identity is not a valid user configured under FreeRADIUS / Users. This option only seems to ensure the common name of the client certificate matches the user-provided identity.

Expected result when enabled:

A user attempting TLS authentication does not pass authentication unless the client certificate's common name is equal to the user-provided identity AND is a configured user under FreeRADIUS / Users, as alluded to by the description.

Actions #1

Updated by Viktor Gurov 10 months ago

see http://freeradius.1045715.n5.nabble.com/user-name-and-EAP-TLS-td5714550.html:

> On Sat, Aug 04, 2012 at 11:10:38AM +0200, Klaus Klein wrote:
>> Therefore I'm a bit puzzled that if no matching entry in users
>> is found that the authentication still takes place.
>

authorize {
        # look the presented identity up in the users file
        files
        # files returns noop (or notfound) when no entry matched: refuse
        if (notfound || noop) {
                reject
        }
}

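The pattern from the mailing-list thread, written out as a complete set of FreeRADIUS 3.x fragments so the two checks can be seen side by side. This is an added illustration, not the configuration the pfSense package generates and not the change that was merged for this bug. It assumes that the pfSense "Check Client Certificate CN" option corresponds to FreeRADIUS's check_cert_cn setting and that raduser1 is the only configured user; both are assumptions for the example.

```conf
# Added example (not pfSense package code, not the merged fix). FreeRADIUS 3.x
# syntax. Assumptions: the pfSense "Check Client Certificate CN" option maps
# to check_cert_cn, and raduser1 is the only user that should be accepted.

# mods-available/eap
eap {
        default_eap_type = tls

        tls-config tls-common {
                private_key_file = ${certdir}/server.pem
                certificate_file = ${certdir}/server.pem
                ca_file = ${cadir}/ca.pem

                # Compare the client certificate's CN with the identity the
                # client presented. This proves only that CN == User-Name.
                # Any certificate issued by ca_file still authenticates,
                # whether or not that name is a configured user.
                check_cert_cn = %{User-Name}
        }

        tls {
                tls = tls-common
        }
}

# users -- the only identities that should be allowed to authenticate.
# Do not add a DEFAULT entry here: it matches every User-Name, so the
# noop/notfound test below would never fire.
raduser1        Auth-Type := EAP

# sites-available/default -- authorize section
authorize {
        # The users file must be consulted before eap: in the stock default
        # site, eap { ok = return } leaves authorize as soon as the EAP module
        # accepts the packet, so anything placed after it never runs for
        # EAP-TLS requests.
        files

        # Weak form: drop the if-block and the result of files is ignored,
        # so a certificate with an unknown CN (matching its own identity)
        # still passes. Corrected form: files returns noop (or notfound)
        # when no entry matches User-Name; refuse the request in that case.
        if (notfound || noop) {
                reject
        }

        eap {
                ok = return
        }
}
```

With this in place a client presenting a CA-signed certificate with CN=someone-else and identity someone-else is rejected in authorize before EAP-TLS runs, while raduser1 proceeds to the TLS handshake where check_cert_cn is enforced.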
Actions #3

Updated by Renato Botelho 10 months ago

  • Status changed from New to Feedback
  • Assignee set to Viktor Gurov

PR has been merged. Thanks!

Actions #4

Updated by Viktor Gurov 10 months ago

more fixes:
- Fixes SQL backend user existence check;
- Fixes counters issue (`$varsqlconfauthcounters` lines)
https://forum.netgate.com/topic/160323/freeradius-latest-package-upgrade/2:

(6) exec: Executing: /bin/sh /usr/local/etc/raddb/scripts/datacounter_auth.sh raduser1 daily:
(6) exec: ERROR: Program returned code (99) and output ''
(6) exec: ERROR: Program returned invalid code (greater than max rcode) (99 > 9)

https://gitlab.netgate.com/pfSense/FreeBSD-ports/-/merge_requests/38

Actions #5

Updated by Jim Pingle 10 months ago

  • Status changed from Feedback to Pull Request Review

Actions #6

Updated by Renato Botelho 10 months ago

  • Status changed from Pull Request Review to Feedback

PR has been merged. Thanks!
