pppd: EAP-TLS: Verify Subject or CommonName by suffix (#261)
This feature matches closely what OpenVPN and the network-manager-openvpn plugin do for
certificate verification. It allows the end user to configure the certificate to be matched by
its common name (entire string), its subject name, or the suffix of a subject name.
The latter is especially useful if you are trying to match against a random server in a RADIUS
pool. Lastly, it also allows you to turn off the certificate matching altogether.
tls-verify-method can have the following parameter values:
- none
- subject - The entire subject, e.g. /CN=some.server.org
- name - The entire common name, e.g. some.server.org
- suffix - The latter part of a name, e.g. servers.org
Secondly, it also introduces a new parameter 'tls-verify-key-usage' which permits checking
of the 'server' or 'client' side attributes of nsCertType and X509 extended key attributes.
For example, in client mode, it will verify that received certificate has the 'server' side
attributes enabled.