Hi Linus,
Thanks a lot for your reply. I retried it after setting `certificateNameCheck off' in the Server block. However, it is still using mutual authentication (I am copying the packet transfer between Client and Server below). The main difference which I could see was that now it can establish a TLS connection with a non-matching CN name also.
To turn off mutual authentication, i.e. so that the Server does not ask for the Client certificate in the Server Hello message, is there any way to disable "SSL_VERIFY_PEER" in the Server code?
Source          Destination     Protocol  Info
192.168.1.100   192.168.1.2     TLSv1.2   Client Hello
192.168.1.2     192.168.1.100   TLSv1.2   Server Hello
192.168.1.2     192.168.1.100   TLSv1.2   Certificate   <======= Server Certificate
192.168.1.100   192.168.1.2     TLSv1.2   Certificate   <======= Client Certificate
192.168.1.2     192.168.1.100   TLSv1.2   New Session Ticket, Change Cipher Spec, Encrypted Handshake Message

Regards,
Mofassir
On Wednesday, 5 October 2016 7:58 PM, Linus Nordberg linus@nordu.net wrote:
Mofassir Ul Haque mofassir_haque@yahoo.com wrote Wed, 5 Oct 2016 00:19:55 +0000 (UTC):
Currently, radsecproxy supports mutual authentication by default, i.e. both the Client and the Server certificate are validated at the time of TLS connection establishment. However, I want to only validate the Server’s certificate. Is it possible to make changes to the TLS Block (radsecproxy.conf) or to the code to only do the validation of the Server's certificate? Any help will be greatly appreciated! Thanks,
You can set `certificateNameCheck off' in a server block to disable verification of client CN and SAN.