EAP-TLS patch for pppd

About EAP-TLS

The Extensible Authentication Protocol (EAP; RFC 3748) is a security protocol that can be used with PPP. It provides a means to plug in multiple optional authentication methods.

Transport Level Security (TLS; TLSv1.3 RFC 8446 and TLSv1.2 RFC 5246) provides for mutual authentication, integrity-protected ciphersuite negotiation and key exchange between two endpoints. It also provides for optional MPPE encryption.

EAP-TLS (RFC 5216 obsoleting RFC2716) encapsulates the TLS messages in EAP packets, allowing TLS mutual authentication to be used as a generic EAP mechanism.

Why was it written?

This patch was written to use pppd in a VPN with either PPTP or IPSec/L2TP and to allow Windows users to authenticate using smartcards with certificates.

Especially for PPTP VPNs the support of EAP-TLS+MPPE is very important, as it allows for the use of X.509 certificates to authenticate users. This greatly improves security (one might say it actually adds a little security), as the security of the PPTP model is as good as the password/certificate length.

Latest release

Note
As of November 2020, this patch has been merged into the mainline pppd code at https://github.com/paulusmack/ppp.
For existing releases of pppd up to version 2.4.8 this patch is still available:

The latest version of this patch with experimental TLSv1.3 support is v1.301, released on 28-May-2020.

The latest version of this patch with TLSv1.2 support is v1.202, released on 28-May-2020.

Features

• Allow EAP-TLS authentication in pppd
• Both client and server mode supported
• MPPE encryption support (mostly needed for PPTP VPNs)
• CRL handling
• Can be compiled against OpenSSL 1.0.0, 1.0.1+ and 1.1+
• up to version 0.91: CRL automatic updating
• new in version 0.95: OpenSSL engine support (tested only with a PKCS11 engine)
• new in version 1.102: TLSv1.2 support (if OpenSSL library supports it)
• new in version 1.300: experimental TLSv1.3 support (if OpenSSL library supports it)

Notes