
Bug#1010159: debian-edu-config: setup-freeradius-server create freeradius-server.crt with subjectAltNames not set

Package: debian-edu-config
Version: 2.12.20
Severity: normal

The debian-edu-config package ships a script to set up a freeRADIUS service on TJENER. This script uses a script from bin:pkg freeradius named /usr/share/doc/freeradius/examples/certs/bootstrap.

Starting with Android 11 QPR1, we must provide certificates that have a valid "domain" set. For this domain, the CN of the freeradius-server.crt file gets used (or any other value in subjectAltNames).

During the bootstrap script execution a server.csr file gets created with proper subjectAltNames extension support, but this gets lost when the CA signs this .csr file. The resulting .crt file won't have subjectAltNames support, and commonName will also be set to "Debian Edu freeRADIUS Server Certificate".

I have now modified the openssl .cnf files in TJENER's /etc/freeradius/3.0/certs/ in this way:

```diff
diff --git a/freeradius/3.0/certs/server.cnf b/freeradius/3.0/certs/server.cnf
index 271ace9..3898944 100644
--- a/freeradius/3.0/certs/server.cnf
+++ b/freeradius/3.0/certs/server.cnf
@@ -51,7 +51,7 @@ stateOrProvinceName   = Radius
 localityName           = Somewhere
 organizationName       = Debian Edu
 emailAddress           = postmaster@postoffice.intern
-commonName             = "Debian Edu freeRADIUS Server Certificate"
+commonName             = freeradius.intern

 [ v3_req ]
 basicConstraints = CA:FALSE
```
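Review bot: the new commonName in the server.cnf hunk is a literal `freeradius.intern`; since setup-freeradius-server writes this file on TJENER, the value should be derived from the server's actual FQDN (and kept identical to the DNS.1 entry used for the SAN) rather than hardcoded, so that the name in the certificate is the one clients are told to verify.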

```diff
diff --git a/freeradius/3.0/certs/xpextensions b/freeradius/3.0/certs/xpextensions
index 70d229c..2529a45 100644
--- a/freeradius/3.0/certs/xpextensions
+++ b/freeradius/3.0/certs/xpextensions
@@ -73,3 +73,15 @@ certificatePolicies     = 1.3.6.1.4.1.40808.1.3.2
 #  to generate these certs.
 #
 # 1.3.6.1.4.1.311.17.2
+
+subjectAltName = @alt_names
+
+#  This should be a host name of the RADIUS server.
+#  Note that the host name is exchanged in EAP *before*
+#  the user machine has network access.  So the host name
+#  here doesn't really have to match anything in DNS.
+[alt_names]
+DNS.1 = freeradius.intern
+
+# NAIRealm from RFC 7585
+otherName.0 = 1.3.6.1.5.5.7.8.8;FORMAT:UTF8,UTF8:*.intern
```
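Review bot: the xpextensions hunk hardcodes `DNS.1 = freeradius.intern` and the `*.intern` NAIRealm as well; both should come from the server's FQDN and realm in the setup script. The copied comment ("the host name here doesn't really have to match anything in DNS") is now misleading next to the report's own observation that recent Android clients check this name against the domain configured on the device, so adjust it. Note also that `[alt_names]` ends the file, so anything appended to xpextensions later silently lands in that section. Since the report says server.csr already carried the SAN and it was dropped at signing time, an alternative to maintaining the names twice is `copy_extensions = copy` in the CA's openssl configuration so `openssl ca` carries the CSR's extensions into the certificate; in either case verify with `openssl x509 -in server.crt -noout -text` that the signed certificate shows the X509v3 Subject Alternative Name.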

When now recreating the server.key, server.csr and server.crt files, they have the subjectAltNames extension support in the .crt file and the domain is set to "freeradius.intern".
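As an added check (not part of the bug report or of the debian-edu-config package), the following throwaway reproduction signs a SAN-bearing CSR twice with a made-up CA, once without and once with an extension file in the style of the xpextensions hunk, and reads the SAN and CN back. It assumes openssl 1.1.1 or newer is in PATH; everything happens in a temporary directory and nothing touches /etc/freeradius.

```shell
#!/bin/sh
# Constructed demo: CSR extensions are dropped at signing unless the signer
# adds them; this mirrors the bug and the extension-file fix from the report.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Throwaway CA (name is made up, not Debian Edu's real CA).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
  -keyout ca.key -out ca.crt >/dev/null 2>&1

# Server CSR that does request a SAN, like the bootstrap script's server.csr.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=freeradius.intern" \
  -addext "subjectAltName=DNS:freeradius.intern" \
  -keyout server.key -out server.csr >/dev/null 2>&1

# Extension file in the style of the xpextensions hunk.
cat > ext.cnf <<'EOF'
subjectAltName = @alt_names
[alt_names]
DNS.1 = freeradius.intern
EOF

# Sign without an extension file: the CSR's SAN is not carried over.
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -days 1 -out lost.crt >/dev/null 2>&1
# Sign with the extension file: the SAN is taken from ext.cnf.
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -days 1 -extfile ext.cnf -out fixed.crt >/dev/null 2>&1

# Print the SAN DNS names of a certificate, one per line (empty if none).
san_dns_names() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' \
    | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://' || true
}

# Print the subject CN of a certificate.
subject_cn() {
  openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *//p'
}

echo "lost.crt  SAN: [$(san_dns_names lost.crt)]  CN: $(subject_cn lost.crt)"
echo "fixed.crt SAN: [$(san_dns_names fixed.crt)]  CN: $(subject_cn fixed.crt)"
```

Run the same `san_dns_names` check against TJENER's real server.crt after regenerating it to confirm the fix took effect.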

I still need to get customer feedback if the new certificates work as expected on recent Android 11 devices.

Mike
--

DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler Str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
