EAPTLS_CertificateVerifyFailedHook

This optional parameter specifies a Perl function that is called if the peer certificate cannot be verified. It is used with EAP-TLS authentication. The hook is passed the certificate (if present) and various other details. The peer certificate $cert is not always present; an example of such a case is a policy OID mismatch.

EAPTLS_CertificateVerifyFailedHook is passed the following arguments:

$_[0]: $verify_error
This is the EAP SSLEAY store context verification code.

$_[1]: $x509_store_ctx
This is the EAP SSLEAY store context.

$_[2]: $cert
This is the current certificate. May be undefined.

$_[3]: $subject_name
This is the certificate's subject name. Undefined when $cert is undefined.

$_[4]: $subject
This is the certificate subject. Undefined when $cert is undefined.

$_[5]: $p
This is the current Radius::Radius request.

EAPTLS_CertificateVerifyFailedHook must return a single value. This value is used as an OpenSSL error code to set the verify result code as follows:

- > 0: Non-zero error code. This is a new verification result code.
- 0: This changes verification failure to verification success.
- < 0: The verification process is immediately stopped with "verification failed" state.
- Undefined: This is handled as an OpenSSL error X509_V_ERR_APPLICATION_VERIFICATION.
Here is an example of using EAPTLS_CertificateVerifyFailedHook. This configuration accepts all certificates. Any additional authorisation must be done later.

EAPTLS_CertificateVerifyFailedHook sub { return 0; }

The following example allows expired certificates. 10 is X509_V_ERR_CERT_HAS_EXPIRED.

EAPTLS_CertificateVerifyFailedHook sub { \
    if ($_[0] == 10) { return 0; } else { return $_[0]; } }
Note
This parameter may cause security issues if not used properly. Use it only in special cases.
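The two examples above override verification unconditionally. The hook below is an added example, not part of the Radiator documentation or the Radiator code base: it narrows the override to a single error code (X509_V_ERR_CERT_HAS_EXPIRED, value 10 as given above), only for subjects whose organisation is on a constructed allow-list, and logs every decision so that overrides are visible in the server log. It is written as a hook file loaded with Radiator's file:"..." hook form; it assumes that $subject is a one-line "/C=.../O=.../CN=..." string, that $p is the Radius::Radius request with the usual get_attr method, and that &main::log with $main::LOG_WARNING and $main::LOG_INFO are Radiator's standard logging calls. The allow-listed organisation name is made up for the example.

```perl
# verify_failed_hook.pl -- added example, not from the Radiator documentation.
# Reference it from the Radiator configuration with (assumed file: hook form):
#   EAPTLS_CertificateVerifyFailedHook file:"%D/verify_failed_hook.pl"
use strict;
use warnings;

# OpenSSL verify result code for an expired certificate (10, as stated above).
use constant X509_V_ERR_CERT_HAS_EXPIRED => 10;

# Constructed allow-list: only certificates issued to these organisations may
# be accepted despite having expired. Replace with your own policy.
my %expired_ok_org = ('Example Corp' => 1);

sub {
    my ($verify_error, $x509_store_ctx, $cert, $subject_name, $subject, $p) = @_;

    # Assumption: $p->get_attr is the usual Radiator request accessor.
    my $user = '<no request>';
    if (defined $p) {
        my $u = $p->get_attr('User-Name');
        $user = defined $u ? $u : '<unknown>';
    }

    # No certificate available (for example a policy OID mismatch): never
    # override, stop verification immediately.
    unless (defined $cert && defined $subject) {
        &main::log($main::LOG_WARNING,
            "EAP-TLS verify failed for $user: error $verify_error, no certificate available");
        return -1;
    }

    # Only X509_V_ERR_CERT_HAS_EXPIRED is eligible for an override, and only
    # when the subject's O= component is allow-listed.
    if ($verify_error == X509_V_ERR_CERT_HAS_EXPIRED) {
        my ($org) = $subject =~ m{/O=([^/]+)};
        if (defined $org && $expired_ok_org{$org}) {
            &main::log($main::LOG_WARNING,
                "EAP-TLS: accepting EXPIRED certificate '$subject' for $user (allow-listed O=$org)");
            return 0;   # turn this verification failure into success
        }
        &main::log($main::LOG_WARNING,
            "EAP-TLS: rejecting expired certificate '$subject' for $user (O not allow-listed)");
        return $verify_error;   # keep the original error code
    }

    # Every other failure keeps its original OpenSSL error code.
    &main::log($main::LOG_INFO,
        "EAP-TLS verify failed for $user: error $verify_error, subject '$subject'");
    return $verify_error;
}
```

Returning the original $verify_error for everything except the one handled case keeps the OpenSSL result code intact for later diagnosis, and returning -1 when no certificate is present avoids accidentally accepting a peer whose subject cannot even be inspected.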