Details
-
Bug
-
Resolution: Fixed
-
Critical
-
None
-
None
Description
Config:
client wontmatch {
host 0.0.0.0
type tls
tls demoCA
certificatenamecheck off
matchCertificateAttribute CN:/^nonexistent$/
}
client demo {
host 0.0.0.0
type tls
tls someotherCA
certificatenamecheck off
matchCertificateAttribute CN:/^cli.*$/
}
Given the above configuration, a client presenting a demoCA cert with
CN=cli1 will be accepted. This is incorrect.
The reason is that the CA specified in the first matching client block
is the one being used for cert chain verification and once that's
done, verification based on certificate _contents_ is being performed
without regarding any other CA constraints in other client blocks.
The propsed fix for this is to stop considering client blocks with a
CA config (the 'tls' option) not identical to the first matching
client block.
This may make Radsecproxy reject clients that are currently
(erroneously) being accepted. The proposed solution for scenarios
which can no longer be realised by a single Radsecproxy instance is,
for now, to run multiple instances on separate addresses or ports.
client wontmatch {
host 0.0.0.0
type tls
tls demoCA
certificatenamecheck off
matchCertificateAttribute CN:/^nonexistent$/
}
client demo {
host 0.0.0.0
type tls
tls someotherCA
certificatenamecheck off
matchCertificateAttribute CN:/^cli.*$/
}
Given the above configuration, a client presenting a demoCA cert with
CN=cli1 will be accepted. This is incorrect.
The reason is that the CA specified in the first matching client block
is the one being used for cert chain verification and once that's
done, verification based on certificate _contents_ is being performed
without regarding any other CA constraints in other client blocks.
The propsed fix for this is to stop considering client blocks with a
CA config (the 'tls' option) not identical to the first matching
client block.
This may make Radsecproxy reject clients that are currently
(erroneously) being accepted. The proposed solution for scenarios
which can no longer be realised by a single Radsecproxy instance is,
for now, to run multiple instances on separate addresses or ports.