Bug #11054

Check Client Certificate CN not working as described

Added by Anonymous 5 months ago. Updated 2 months ago.

Status: Feedback
Priority: Normal
Assignee:
Category: FreeRADIUS
Target version: -
Start date: 11/11/2020
Due date:
% Done: 0%
Estimated time:
Affected Version: 2.4.5-p1
Affected Architecture: All

Description

Page: Services / FreeRADIUS
Tab: EAP
Section: EAP-TLS
Option: Check Client Certificate CN

Actual result when enabled:

A user attempting TLS authentication with a certificate signed by the configured CA, and with a common name matching the user-provided identity, passes authentication even if that common name/identity is not a valid user configured under FreeRADIUS / Users. This option only seems to ensure the common name of the client certificate matches the user-provided identity.

Expected result when enabled:

A user attempting TLS authentication does not pass authentication unless the client certificate's common name is equal to the user-provided identity AND is a configured user under FreeRADIUS / Users, as alluded to by the description.

History

#1 Updated by Viktor Gurov 3 months ago

see http://freeradius.1045715.n5.nabble.com/user-name-and-EAP-TLS-td5714550.html:

> On Sat, Aug 04, 2012 at 11:10:38AM +0200, Klaus Klein wrote:
>> Therefore I'm a bit puzzled that if no matching entry in users
>> is found that the authentication still takes place.
>

authorize {
        files
        # rlm_files found no users entry for this User-Name:
        # reject here instead of letting EAP-TLS proceed
        if (notfound || noop) {
                reject
        }
}

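The two behaviours the report contrasts, modelled as an added example (this is not code from pfSense, FreeRADIUS, or anyone in this thread): a small parser for the FreeRADIUS users-file layout, the CN-only check the reporter observed, and the CN-plus-users check they expected, which is what the `if (notfound || noop) { reject }` unlang in #1 gets from rlm_files. The sample users file, the user names, and the lookup that skips DEFAULT entries are constructed assumptions for illustration only.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample in FreeRADIUS "users" file syntax (assumption; not a real
# pfSense file): an entry name in column 0 followed by check items, then
# reply items on indented lines, one per line, with trailing commas.
SAMPLE_USERS_FILE = """\
# entry name, then check items; reply items on indented lines
raduser1  Cleartext-Password := "s3cret"
        Reply-Message = "Hello raduser1"

raduser2  Cleartext-Password := "hunter2", NAS-IP-Address == 192.0.2.10
        Framed-IP-Address = 192.0.2.50,
        Reply-Message = "Hello raduser2"

DEFAULT   Auth-Type := Reject
        Reply-Message = "Unknown user"
"""

# Split check items on commas that are not inside double quotes.
_ITEM_SPLIT = re.compile(r',(?=(?:[^"]*"[^"]*")*[^"]*$)')


@dataclass
class UserEntry:
    name: str
    check_items: List[str] = field(default_factory=list)
    reply_items: List[str] = field(default_factory=list)


def parse_users_file(text: str) -> List[UserEntry]:
    """A line starting in column 0 opens a new entry (name + check items);
    indented lines are reply items belonging to the most recent entry."""
    entries: List[UserEntry] = []
    current: Optional[UserEntry] = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] not in " \t":
            parts = raw.strip().split(None, 1)
            rest = parts[1] if len(parts) > 1 else ""
            checks = [i.strip() for i in _ITEM_SPLIT.split(rest) if i.strip()]
            current = UserEntry(parts[0], checks)
            entries.append(current)
        elif current is not None:
            current.reply_items.append(raw.strip().rstrip(","))
    return entries


def find_user(entries: List[UserEntry], name: str) -> Optional[UserEntry]:
    """Name-only lookup. Simplification (assumption): real rlm_files also
    evaluates check items and can match DEFAULT entries; here DEFAULT is
    ignored so that an unknown name is reported as not found."""
    for entry in entries:
        if entry.name != "DEFAULT" and entry.name == name:
            return entry
    return None


def cn_only_policy(identity: str, cert_cn: str,
                   entries: List[UserEntry]) -> Tuple[str, str]:
    """Observed behaviour from the report: a CA-signed certificate whose CN
    (TLS-Client-Cert-Common-Name) equals the identity (User-Name) is enough."""
    if cert_cn != identity:
        return ("reject", "certificate CN does not match identity")
    return ("accept", "CN matches identity")


def strict_policy(identity: str, cert_cn: str,
                  entries: List[UserEntry]) -> Tuple[str, str]:
    """Expected behaviour: CN must match AND the identity must have a users
    entry, i.e. rlm_files must not return notfound."""
    if cert_cn != identity:
        return ("reject", "certificate CN does not match identity")
    if find_user(entries, identity) is None:
        return ("reject", "identity has no entry in users (notfound)")
    return ("accept", "CN matches identity and user exists")


if __name__ == "__main__":
    users = parse_users_file(SAMPLE_USERS_FILE)
    # "ghost" presents a valid CA-signed certificate with CN=ghost but is not
    # a configured user: the first policy lets it in, the second does not.
    for policy in (cn_only_policy, strict_policy):
        print(policy.__name__, policy("ghost", "ghost", users))
```

Running it prints an accept from `cn_only_policy` and a reject from `strict_policy` for the same "ghost" identity, which is exactly the gap the report describes: a certificate check alone says nothing about whether the name is an account the administrator ever created.
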
#3 Updated by Renato Botelho 3 months ago

  • Status changed from New to Feedback
  • Assignee set to Viktor Gurov

PR has been merged. Thanks!

#4 Updated by Viktor Gurov 2 months ago

more fixes:
- Fixes the SQL backend user-existence check;
- Fixes counters issue (`$varsqlconfauthcounters` lines)
https://forum.netgate.com/topic/160323/freeradius-latest-package-upgrade/2:

(6) exec: Executing: /bin/sh /usr/local/etc/raddb/scripts/datacounter_auth.sh raduser1 daily:
(6) exec: ERROR: Program returned code (99) and output ''
(6) exec: ERROR: Program returned invalid code (greater than max rcode) (99 > 9)

https://gitlab.netgate.com/pfSense/FreeBSD-ports/-/merge_requests/38

#5 Updated by Jim Pingle 2 months ago

  • Status changed from Feedback to Pull Request Review

#6 Updated by Renato Botelho 2 months ago

  • Status changed from Pull Request Review to Feedback

PR has been merged. Thanks!
