How do I force freeradius to check certificate validity?

I am trying to set up a freeradius server on my Debian 9 machine. I installed it successfully with apt. I also got it running: it accepts a user and password, and refuses the connection if you don't supply a valid user and password.

But I need to implement certificate verification. I followed the official documentation: https://wiki.freeradius.org/guide/WPA%20HOWTO

cd /etc/freeradius/3.0/certs/
make

It generated some certificates, and I changed /etc/freeradius/3.0/mods-enabled/eap:

tls-config tls-common {
        private_key_password = whatever
        private_key_file = /etc/freeradius/3.0/certs/server.key

        #  If Private key & Certificate are located in
        #  the same file, then private_key_file &
        #  certificate_file must contain the same file
        #  name.
        #
        #  If ca_file (below) is not used, then the
        #  certificate_file below MUST include not
        #  only the server certificate, but ALSO all
        #  of the CA certificates used to sign the
        #  server certificate.
        certificate_file = /etc/freeradius/3.0/certs/server.pem

        #  Trusted Root CA list
        #
        #  ALL of the CA's in this list will be trusted
        #  to issue client certificates for authentication.
        #
        #  In general, you should use self-signed
        #  certificates for 802.1x (EAP) authentication.
        #  In that case, this CA file should contain
        #  *one* CA certificate.
        #
        ca_file = /etc/freeradius/3.0/certs/ca.pem

Then I configured the users file and clients.conf as described in the official documentation. I installed ca.pem on the client, as shown in the picture.

[Image: configuration example]

Now:

  • If the client presents a fake certificate, the connection is refused
  • If the client presents a valid certificate, the connection is accepted
  • But if the client presents no certificate at all, the connection is also accepted

I want to configure freeradius to refuse the connection when the client does not present a valid certificate.

I also tried uncommenting, in mods-enabled/eap,

#       require_client_cert = yes

but then freeradius no longer accepts any connection.

Here is the log I get when I try with this parameter:

(5) eap_ttls: Authenticate
(5) eap_ttls: Continuing EAP-TLS
(5) eap_ttls: [eaptls verify] = ok
(5) eap_ttls: Done initial handshake
(5) eap_ttls: TLS_accept: SSLv3/TLS write server done
(5) eap_ttls: <<< recv TLS 1.2  [length 0007] 
(5) eap_ttls: >>> send TLS 1.2  [length 0002] 
(5) eap_ttls: ERROR: TLS Alert write:fatal:handshake failure
tls: TLS_accept: Error in error
(5) eap_ttls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate
(5) eap_ttls: ERROR: System call (I/O) error (-1)
(5) eap_ttls: ERROR: TLS receive handshake failed during operation
(5) eap_ttls: ERROR: [eaptls process] = fail
(5) eap: ERROR: Failed continuing EAP TTLS (21) session.  EAP sub-module failed
(5) eap: Sending EAP Failure (code 4) ID 5 length 4
(5) eap: Failed in EAP select
(5)     [eap] = invalid
(5)   } # authenticate = invalid
(5) Failed to authenticate the user

So my question is: how do I force freeradius to check that a certificate is present and that it is a good one?

I have been trying for several days, so if somebody has already set up a freeradius server and is willing to help me, that would be great.

Thanks

Answer 1

Yes, I found it, hold on.

I had to enable verification.

Then you have to provide the CA certificate and the user certificate.

The CA certificate is only used to protect the connection, not for identification. In fact, the client may not even have the CA certificate and it still works.

That is where the user certificate helps. You can use it to identify the user.

In the file

mods-enabled/eap

you can implement custom verification, so you can plug in your own script. You can use the

%{TLS-Client-Cert-Filename}

variable to obtain the user certificate.

Then you hand it to your script and do the verification yourself. You can use:

openssl verify 

to do that, or anything else. My script is:

/etc/freeradius/3.0/scripts/log.sh

It exits 0 on success and 1 on failure, which allows or denies the user access.

Here is my mods-enabled/eap configuration file, for anyone who needs it:

verify {
        #  If the OCSP checks succeed, the verify section
        #  is run to allow additional checks.
        #
        #  If you want to skip verify on OCSP success,
        #  uncomment this configuration item, and set it
        #  to "yes".
        #skip_if_ocsp_ok = no

        #  A temporary directory where the client
        #  certificates are stored.  This directory
        #  MUST be owned by the UID of the server,
        #  and MUST not be accessible by any other
        #  users.  When the server starts, it will do
        #  "chmod go-rwx" on the directory, for
        #  security reasons.  The directory MUST
        #  exist when the server starts.
        #
        #  You should also delete all of the files
        #  in the directory when the server starts.
        tmpdir = /tmp/radiusd

        #  The command used to verify the client cert.
        #  We recommend using the OpenSSL command-line
        #  tool.
        #
        #  The ${..ca_path} text is a reference to
        #  the ca_path variable defined above.
        #
        #  The %{TLS-Client-Cert-Filename} is the name
        #  of the temporary file containing the cert
        #  in PEM format.  This file is automatically
        #  deleted by the server when the command
        #  returns.
        client = "/bin/bash /etc/freeradius/3.0/scripts/log.sh %{TLS-Client-Cert-Filename} %{Client-IP-Address}"
}

The client part is the most important part.
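The answer describes the hook script only in outline (openssl verify, exit 0 to accept, exit 1 to reject), and the poster's own log.sh is not on the page. Below is an added example of such a script, not the poster's code: FreeRADIUS runs the `client` command of the `verify` block with %{TLS-Client-Cert-Filename} and %{Client-IP-Address} as arguments and rejects the supplicant when the command exits non-zero, so the script chains the presented certificate to the CA file, optionally checks it against a CRL, writes an ACCEPT/REJECT line to a log, and exits accordingly. The CA, CRL and log file paths and the log line format are assumptions; the certificates used in the self-test are generated on the fly, not taken from any deployment.

```bash
#!/bin/bash
# Added example of a FreeRADIUS tls-config verify hook (not the poster's log.sh).
# Invoked by the server as:
#   log.sh <TLS-Client-Cert-Filename> <Client-IP-Address>
# Exit 0 => client certificate accepted, non-zero => Access-Reject.
# All paths below are assumptions for this example; adjust to your deployment.

CA_FILE="${CA_FILE:-/etc/freeradius/3.0/certs/ca.pem}"
CRL_FILE="${CRL_FILE:-}"   # optional: path to a PEM CRL enables revocation checking
LOG_FILE="${LOG_FILE:-/var/log/freeradius/client-cert-verify.log}"

log_msg() {
    # Append a UTC-timestamped line; a logging failure must never change the verdict.
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >>"$LOG_FILE" 2>/dev/null || true
}

# verify_client_cert CERT_PEM CA_PEM [CRL_PEM]
# Returns 0 when CERT_PEM chains to CA_PEM (and is not listed in CRL_PEM, if given),
# 1 otherwise. An empty or missing file, i.e. the peer sent nothing usable, is a reject.
verify_client_cert() {
    cert="$1"; ca="$2"; crl="${3:-}"
    [ -s "$cert" ] || return 1
    [ -s "$ca" ] || return 1
    if [ -n "$crl" ]; then
        openssl verify -CAfile "$ca" -CRLfile "$crl" -crl_check "$cert" >/dev/null 2>&1
    else
        openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1
    fi
}

# cert_subject CERT_PEM: prints the subject DN in RFC 2253 form for the log line
# (empty string if the file is not a certificate).
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null | sed 's/^subject= *//'
}

main() {
    cert="$1"; peer="${2:-unknown}"
    if [ -z "$cert" ]; then
        log_msg "REJECT peer=$peer reason=no-cert-filename"
        exit 1
    fi
    if verify_client_cert "$cert" "$CA_FILE" "$CRL_FILE"; then
        log_msg "ACCEPT peer=$peer subject=\"$(cert_subject "$cert")\""
        exit 0
    fi
    log_msg "REJECT peer=$peer reason=verify-failed subject=\"$(cert_subject "$cert")\""
    exit 1
}

# FreeRADIUS always passes arguments; when sourced or run with none, only define the functions.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Because the hook only sees the certificate after the TLS handshake has succeeded, it complements rather than replaces the server's own chain validation against ca_file; what it adds is the policy you cannot express in the eap module itself (a CRL, a subject check, an audit log line per attempt). The tmpdir named in the verify block must exist and be owned by the radiusd user before the server starts, otherwise %{TLS-Client-Cert-Filename} is never written and every verification fails.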
