Uploaded image for project: 'radsecproxy'
  1. radsecproxy
  2. RADSECPROXY-43

Radsecproxy is mixing up pre- and post-TLS-handshake client verification

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: radsecproxy-1.6.2
    • Component/s: code
    • Labels:
      None

      Description

      Config:

          client wontmatch {
              host 0.0.0.0
              type tls
              tls demoCA
              certificatenamecheck off
              matchCertificateAttribute CN:/^nonexistent$/
          }
          client demo {
              host 0.0.0.0
              type tls
              tls someotherCA
              certificatenamecheck off
              matchCertificateAttribute CN:/^cli.*$/
          }

      Given the above configuration, a client presenting a demoCA cert with
      CN=cli1 will be accepted. This is incorrect.

      The reason is that the CA specified in the first matching client block
      is the one being used for cert chain verification and once that's
      done, verification based on certificate _contents_ is being performed
      without regarding any other CA constraints in other client blocks.

      The propsed fix for this is to stop considering client blocks with a
      CA config (the 'tls' option) not identical to the first matching
      client block.

      This may make Radsecproxy reject clients that are currently
      (erroneously) being accepted. The proposed solution for scenarios
      which can no longer be realised by a single Radsecproxy instance is,
      for now, to run multiple instances on separate addresses or ports.

        Attachments

          Activity

            People

            • Assignee:
              linus Linus Nordberg
              Reporter:
              linus Linus Nordberg
            • Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: