Currently AcceptServerName is always false, which does not validate the server's name against ServerNames (which is already set). If a public CA is configured, an attacker could simply obtain a certificate issued by the same CA and spoof the RADIUS server. The client would trust this server since it only validates that the certificate was issued by an allowed CA, NOT the server name.
This PR changes AcceptServerName to be true when at least one server name is given.
https://learn.microsoft.com/en-us/windows/win32/eaphost/eaptlsconnectionpropertiesv1schema-tlsextensionstype-peapextensionstype-element
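As an added illustration (not code from this PR or the project), the check below lints a generated EAP profile for the misconfiguration described above: ServerNames populated while AcceptServerName is false. It assumes the Windows profile convention of a semicolon-separated ServerNames list and matches elements by local name so the XML namespaces do not matter; the sample profiles are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample: server names are set, but AcceptServerName is false,
# so only the issuing CA is checked and any cert from that CA is accepted.
WEAK_PROFILE = """<Config>
  <ServerValidation>
    <ServerNames>radius.example.com;radius2.example.com</ServerNames>
  </ServerValidation>
  <PeapExtensions>
    <PerformServerValidation>true</PerformServerValidation>
    <AcceptServerName>false</AcceptServerName>
  </PeapExtensions>
</Config>"""

# Constructed sample with the fix this PR describes applied.
FIXED_PROFILE = WEAK_PROFILE.replace(
    "<AcceptServerName>false", "<AcceptServerName>true")


def _local(tag: str) -> str:
    """Strip an XML namespace prefix: '{ns}Name' -> 'Name'."""
    return tag.rsplit("}", 1)[-1]


def _find_text(root: ET.Element, name: str):
    """Return the text of the first element with the given local name."""
    for el in root.iter():
        if _local(el.tag) == name:
            return (el.text or "").strip()
    return None


def check_server_name_validation(profile_xml: str) -> dict:
    """Report whether the profile names servers without enforcing them."""
    root = ET.fromstring(profile_xml)
    raw_names = _find_text(root, "ServerNames") or ""
    names = [n.strip() for n in raw_names.split(";") if n.strip()]
    accept = (_find_text(root, "AcceptServerName") or "false").lower() == "true"
    return {
        "server_names": names,
        "accept_server_name": accept,
        # Weak: names are configured but the client never compares them.
        "weak": bool(names) and not accept,
    }


if __name__ == "__main__":
    for label, xml in (("weak", WEAK_PROFILE), ("fixed", FIXED_PROFILE)):
        print(label, check_server_name_validation(xml))
```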