3.10.35. EAPTLS_CertificateVerifyHook Previous topic Parent topic Child topic Next topic

For EAP-TLS authentication, this optional parameter specifies a Perl function that is called after the request user name or identity has been matched with the certificate CN. It passes the certificate and various other details, and returns a different user name which is used to do the user database lookup.
The function is passed the following arguments:
  • $_[0]: $matchedcn, the CN that matched the user name or identity with or without the domain name. $matchedcn is the CN in the certificate that was matched against either the user name or EAP identity. It is normally used as the user name to do the user database lookup, but you can return a new name from this function.
  • $_[1]: $x509_store_ctx, the EAP SSLEAY store context (you can pass this to Net::SSLeay::X509_STORE_CTX_get_current_cert)
  • $_[2]: $cert, the current certificate, result of Net::SSLeay::X509_STORE_CTX- _get_current_cert($x509_store_ctx)
  • $_[3]: $subject_name, the certificates subject name, result of &Net::SSLeay::X509_get_subject_name($cert)
  • $_[4]: $subject, the certificate subject, result of &Net::SSLeay::X509_NAME_oneline($subject_name)
  • $_[5]: $p, the current Radius::Radius request
The function is expected to return a new value for $matchedcn, which is used to do the user database lookup. If it returns undef, the certificate verification is deemed to fail with the OpenSSL error X509_V_ERR_APPLICATION_VERIFICATION.