12:56 a.m.
Hi Linus ,
Thanks a-lot for your reply. I retried it after setting `certificateNameCheck off' in
Server block. However, it is still using mutual authentication (I am copying the packet
transfer between Client and Server below). The main difference which I could see was that
now it can establish TLS connection with non-matching CN name also.
To turn off mutual authentication i.e. Server should not ask for Client certificate in
Server Hello message. Is there any way to disable "SSL_VERIFY_PEER" in Server
code ?
Source Destination Protocol Info
192.168.1.100 192.168.1.2 TLSv1.2 Client Hello
192.168.1.2 192.168.1.100 TLSv1.2 Server Hello
192.168.1.2 192.168.1.100 TLSv1.2 Certificate <======= Server
Certificate
192.168.1.100 192.168.1.2 TLSv1.2 Certificate <======= Client
Certificate
192.168.1.2 192.168.1.100 TLSv1.2 New Session Ticket, Change Cipher
Spec, Encrypted Handshake Message
Regards,
Mofassir
On Wednesday, 5 October 2016 7:58 PM, Linus Nordberg <linus(a)nordu.net> wrote:
Mofassir Ul Haque <mofassir_haque(a)yahoo.com> wrote
Wed, 5 Oct 2016 00:19:55 +0000 (UTC):
Currently, radsecproxy supports mutual authentication
by default
i.e. both the Client and the Server certificate are validated at the
time of TLS connection establishment. However, I want to only validate
Server’s certificate. Is it possible to make changes to TLS Block
(radsecproxy.conf) or to code to only do the validation of Server
certificate's ? Any help will be greatly appreciated ! Thanks,
You can set `certificateNameCheck off' in a server block to disable
verification of client CN and SAN.