http://javadoc.iaik.tugraz.at/iaik_jce/current/iaik/x509/extensions/ExtendedKeyUsage.html The following extended key usage purposes are defined by RFC 3280:
serverAuth (1.3.6.1.5.5.7.3.1) — TLS Web server authentication <= our certificate
[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1 <= what MS requires
https://msdn.microsoft.com/en-us/library/cc731363.aspx
http://wiki.cacert.org/FAQ/subjectAltName :
According to the standards commonName will be ignored if you supply a subjectAltName in the certificates, verified to be working in both the latest version of MS IE and Firefox (as of 2005/05/12)...
https://code.google.com/p/android/issues/detail?id=37178 :
In general, this value is set to the DNS name of the RADIUS server presenting the certificate to the end device supplicant. Matching is usually done with a static, or wildcard version of the address. (Such as radius.foo.com, or *.foo.com)
Having this setting available is critical for situations where commercial CA certificates are used with the authentication. When doing SSL/TLS over IP, a client can easily resolve the DNS name of the server and match that to the certificate to be sure that the device presenting the certificate has the same DNS name as the value set in the certificate. With 802.1X authentications the client doesn't have IP connectivity, so the only way to validate this is for the user to tell the supplicant what value is expected.
Eduroam:
http://wiki.freeradius.org/guide/Certificate-Compatibility :
Windows does not support wildcard certificates
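The three constraints collected above (serverAuth in extendedKeyUsage, the RADIUS name present in subjectAltName because the CN is ignored once a SAN exists, and no reliance on wildcards for Windows supplicants) can be checked mechanically on the output of `openssl x509 -noout -text`. The script below is an added example written for these notes, not code from any of the linked pages or from FreeRADIUS. The certificate texts it feeds in are constructed samples modelled on the two certificates pasted in the chat further down (O= field shortened, SAN and EKU lines filled in where the paste does not show them), and the expected names `radius.resel.fr` and `radius.telecom-bretagne.eu` are assumptions for the demonstration.

```python
import re

# Requirements gathered in the notes above, for Windows / EAP supplicants:
#  1. extendedKeyUsage must include serverAuth (1.3.6.1.5.5.7.3.1)
#  2. the RADIUS server name must appear in subjectAltName (CN is ignored
#     once a SAN is present)
#  3. Windows does not match wildcard names, so the exact name must be listed
SERVER_AUTH = "TLS Web Server Authentication"

# Constructed samples in `openssl x509 -noout -text` layout (not real certs).
CERT_WILDCARD = """\
        Subject: C=FR, ST=Bretagne, L=Brest, O=Association RESEL, CN=*.resel.fr/emailAddress=webmaster@resel.fr
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:*.resel.fr, DNS:resel.fr, DNS:brest.resel.fr
"""
CERT_EXACT = """\
        Subject: OU=Domain Control Validated, CN=radius.telecom-bretagne.eu
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name:
                DNS:radius.telecom-bretagne.eu
"""
CERT_CN_ONLY = """\
        Subject: C=FR, O=Example, CN=radius.example.org
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
"""


def parse_x509_text(text):
    """Pull CN, EKU purposes and SAN DNS names out of `openssl x509 -text` output."""
    cn = None
    m = re.search(r"^\s*Subject:.*?CN\s*=\s*([^,/\n]+)", text, re.M)
    if m:
        cn = m.group(1).strip()
    eku = []
    m = re.search(r"X509v3 Extended Key Usage:[^\n]*\n\s*([^\n]+)", text)
    if m:
        eku = [e.strip() for e in m.group(1).split(",")]
    san = []
    m = re.search(r"X509v3 Subject Alternative Name:[^\n]*\n\s*([^\n]+)", text)
    if m:
        san = [e.strip()[4:] for e in m.group(1).split(",") if e.strip().startswith("DNS:")]
    return {"cn": cn, "eku": eku, "san_dns": san}


def check_radius_cert(text, radius_name):
    """Return the list of problems; an empty list means the cert satisfies the notes' rules."""
    info = parse_x509_text(text)
    problems = []
    if SERVER_AUTH not in info["eku"]:
        problems.append("EKU lacks serverAuth (1.3.6.1.5.5.7.3.1)")
    names = info["san_dns"]
    if not names:
        problems.append("no subjectAltName DNS entries (CN=%s alone is not enough)" % info["cn"])
    elif radius_name not in names:
        # A wildcard covers exactly one label; even when it would match, Windows ignores it.
        parent = radius_name.split(".", 1)[1] if "." in radius_name else ""
        wild = [n for n in names if n.startswith("*.") and n[2:] == parent]
        if wild:
            problems.append("%s only covered by wildcard %s, which Windows supplicants do not match"
                            % (radius_name, wild[0]))
        else:
            problems.append("%s not in subjectAltName" % radius_name)
    return problems


if __name__ == "__main__":
    for label, cert, name in (("wildcard", CERT_WILDCARD, "radius.resel.fr"),
                              ("exact", CERT_EXACT, "radius.telecom-bretagne.eu"),
                              ("cn-only", CERT_CN_ONLY, "radius.example.org")):
        print(label, check_radius_cert(cert, name) or "OK")
```

The wildcard sample is the interesting case: a browser would accept `*.resel.fr` for `radius.resel.fr`, but the checker flags it, which is the behaviour the FreeRADIUS wiki line above predicts for Windows supplicants.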
Alexandre L., [20.10.15 20:18]
Tue Oct 20 20:16:41 2015 : Error: TLS Alert read:fatal:access denied
Tue Oct 20 20:16:41 2015 : Auth: Login incorrect (TLS Alert read:fatal:access denied): [hcognet/<via Auth-Type = EAP>] (from client borneswifi-brest port 0 cli 60-36-DD-87-AC-A3)
Hervé C., [20.10.15 20:21]
and now?
Alexandre L., [20.10.15 20:22]
http://lists.freeradius.org/pipermail/freeradius-users/2007-April/017460.html / http://lists.freeradius.org/pipermail/freeradius-users/2007-April/017461.html / http://www.linuxjournal.com/article/8095
Alexandre L., [20.10.15 20:22]
Tue Oct 20 20:21:07 2015 : Error: TLS Alert read:fatal:access denied
Tue Oct 20 20:21:07 2015 : Auth: Login incorrect (TLS Alert read:fatal:access denied): [hcognet/<via Auth-Type = EAP>] (from client borneswifi-brest port 0 cli 60-36-DD-87-AC-A3)
T
Hervé C., [20.10.15 20:23]
you just got a success, I think! 😉
Alexandre L., [20.10.15 20:24]
Tue Oct 20 20:22:48 2015 : Auth: Login OK: [hcognet] (from client borneswifi-brest port 0 via TLS tunnel)
Tue Oct 20 20:22:48 2015 : Auth: Login OK: [hcognet] (from client borneswifi-brest port 0 cli 60-36-DD-87-AC-A3)
Subject: C=FR, ST=Bretagne, L=Brest, O=\x00A\x00s\x00s\x00o\x00c\x00i\x00a\x00t\x00i\x00o\x00n\x00 \x1D\x00R\x00E\x00S\x00E\x00L \x1D, CN=*.resel.fr/emailAddress=webmaster@resel.fr
DNS:*.resel.fr, DNS:resel.fr, DNS:asso.resel.fr, DNS:club.resel.fr, DNS:clubs.resel.fr, DNS:campagne.resel.fr, DNS:resel.eu, DNS:resel.org, DNS:*.resel.org, DNS:*.resel.eu, DNS:*.asso.resel.fr, DNS:*.club.resel.fr, DNS:*.clubs.resel.fr, DNS:*.campagne.resel.fr, DNS:admin.resel.fr, DNS:*.admin.resel.fr, DNS:dev.resel.fr, DNS:*.dev.resel.fr, DNS:rennes.resel.fr, DNS:brest.resel.fr, DNS:nantes.resel.fr, DNS:*.rennes.resel.fr, DNS:*.brest.resel.fr, DNS:*.nantes.resel.fr, DNS:services.resel.fr, DNS:*.services.resel.fr
Alexandre L., [20.10.15 21:28]
— Subject: ... CN=*.resel.fr/emailAddress=webmaster@resel.fr
— X509v3 Subject Alternative Name:
DNS:*.resel.fr, DNS:resel.fr, DNS:asso.resel.fr, DNS:club.resel.fr, DNS:clubs.resel.fr, DNS:campagne.resel.fr, DNS:resel.eu, DNS:resel.org, DNS:*.resel.org, DNS:*.resel.eu, DNS:*.asso.resel.fr, DNS:*.club.resel.fr, DNS:*.clubs.resel.fr, DNS:*.campagne.resel.fr, DNS:admin.resel.fr, DNS:*.admin.resel.fr, DNS:dev.resel.fr, DNS:*.dev.resel.fr, DNS:rennes.resel.fr, DNS:brest.resel.fr, DNS:nantes.resel.fr, DNS:*.rennes.resel.fr, DNS:*.brest.resel.fr, DNS:*.nantes.resel.fr, DNS:services.resel.fr, DNS:*.services.resel.fr
Alexandre L., [20.10.15 21:30]
Subject: OU=Domain Control Validated, CN=radius.telecom-bretagne.eu
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
"With 802.1X authentications the client doesn't have IP connectivity, so the only way to validate this is for the user to tell the supplicant what value is expected."
TODO
Last edited by Loïc CARR, 2016-11-12 16:31:35