3.11.18. TLS_ExpectedPeerName Previous topic Parent topic Child topic Next topic

When a TLS peer presents a certificate, this optional parameter specifies a regular expression pattern that is required to match the Subject in the peer certificate.
The default value for servers, such as ServerRADSEC, is .+ which means to accept any Subject.
Different configuration clauses have different defaults for certificate validation. See the documentation of the specific configuration clause, such as <AuthBy RADSEC>, for the details.
Here is an example of using TLS_ExpectedPeerName:
# Accept certificates with CN ending in .xyz.com
TLS_ExpectedPeerName CN=.*\.xyz\.com