Support for SSL_MODE_NO_AUTO_CHAIN

Chenggang Tang (chentang) chentang at cisco.com
Wed Oct 21 06:47:17 CEST 2015


Hi Jorge,

Thanks for your suggestion!

And thanks to Alan DeKok for the fix
https://github.com/FreeRADIUS/freeradius-server/commit/e60a9543a03152b77a5cdb15f681726564537482

So now this problem is fixed.

-- 
Best Regards,

Chenggang Tang | 汤承刚

On 10/20/15, 21:00, "Freeradius-Devel on behalf of Jorge Pereira" <freeradius-devel-bounces+chentang=cisco.com at lists.freeradius.org on behalf of jpereiran at gmail.com> wrote:

>Hi Chenggang,
>
>I believe it would be better to send your request through GitHub
>https://github.com/FreeRADIUS/freeradius-server/pulls
>
>--
>Jorge Pereira
>
>On Tue, Oct 20, 2015 at 4:53 AM, Chenggang Tang (chentang) <
>chentang at cisco.com> wrote:
>
>> Hi all,
>>
>> Currently freeradius does not seem to support SSL_MODE_NO_AUTO_CHAIN.
>> However, in some situations, that is needed.
>>
>> Following is the patch we used to enable that support in our work.
>>
>> Please consider adding this to the code repository.
>>
>> Thanks a lot!
>>
>>
>>
>> --------------------------------------------------------------------------------
>> diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
>> index 10026ec..5c3d0bf 100644
>> --- a/raddb/mods-available/eap
>> +++ b/raddb/mods-available/eap
>> @@ -264,6 +264,8 @@ eap {
>>                 #
>>         #       include_length = yes
>>
>> +       #       enable_auto_chain = yes
>> +
>>                 #  Check the Certificate Revocation List
>>                 #
>>                 #  1) Copy CA certificates and CRLs to same directory.
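Review bot: the new `#       enable_auto_chain = yes` line is missing the explanatory comment that every neighbouring option in this file carries, so an administrator has no way to know what turning it off does. Add a comment above it stating that "yes" (the default) keeps OpenSSL's automatic chain building, where the server completes the chain for its certificate from the trusted CA store, while "no" sets SSL_MODE_NO_AUTO_CHAIN so the server sends only the certificates that were explicitly loaded; in that case the configured certificate/chain file must itself contain any intermediate certificates, or clients will be unable to validate the server certificate.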
>> diff --git a/src/include/tls-h b/src/include/tls-h
>> index a41c6f5..f4345fd 100644
>> --- a/src/include/tls-h
>> +++ b/src/include/tls-h
>> @@ -338,6 +338,7 @@ struct fr_tls_server_conf_t {
>>         uint32_t        verify_depth;
>>         bool            file_type;
>>         bool            include_length;
>> +       bool            enable_auto_chain;
>>         bool            disable_tlsv1;
>>         bool            disable_tlsv1_1;
>>         bool            disable_tlsv1_2;
>> diff --git a/src/main/tls.c b/src/main/tls.c
>> index 9df48b4..caa8713 100644
>> --- a/src/main/tls.c
>> +++ b/src/main/tls.c
>> @@ -998,6 +998,7 @@ static CONF_PARSER tls_server_config[] = {
>>         { "random_file", FR_CONF_OFFSET(PW_TYPE_STRING,
>> fr_tls_server_conf_t, random_file), NULL },
>>         { "fragment_size", FR_CONF_OFFSET(PW_TYPE_INTEGER,
>> fr_tls_server_conf_t, fragment_size), "1024" },
>>         { "include_length", FR_CONF_OFFSET(PW_TYPE_BOOLEAN,
>> fr_tls_server_conf_t, include_length), "yes" },
>> +       { "enable_auto_chain", FR_CONF_OFFSET(PW_TYPE_BOOLEAN,
>> fr_tls_server_conf_t, enable_auto_chain), "yes" },
>>         { "check_crl", FR_CONF_OFFSET(PW_TYPE_BOOLEAN,
>> fr_tls_server_conf_t, check_crl), "no" },
>>  #ifdef X509_V_FLAG_CRL_CHECK_ALL
>>         { "check_all_crl", FR_CONF_OFFSET(PW_TYPE_BOOLEAN,
>> fr_tls_server_conf_t, check_all_crl), "no" },
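Review bot: defaulting the new `enable_auto_chain` entry to "yes" is the right choice, since it leaves existing configurations on OpenSSL's current automatic chain-building behaviour and only changes anything when an administrator opts in; keep this default and the commented example in raddb/mods-available/eap in sync if either is changed later.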
>> @@ -2565,6 +2566,10 @@ post_ca:
>>  #endif
>>  #endif
>>
>> +       if (!conf->enable_auto_chain) {
>> +               SSL_CTX_set_mode(ctx, SSL_MODE_NO_AUTO_CHAIN);
>> +       }
>> +
>>         /* Set Info callback */
>>         SSL_CTX_set_info_callback(ctx, cbtls_info);
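Review bot: the new block only ever adds the flag and never clears it, which is correct here because SSL_CTX_set_mode ORs flags into the context's mode and OpenSSL's default is automatic chain building, but the code says nothing about why, so add a one-line comment above the `if`, e.g. `/* Send only the explicitly loaded chain; do not build one from the CA store */`. The return value of SSL_CTX_set_mode (the updated mode bitmask) does not need checking.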
>>
>>
>>
>> --------------------------------------------------------------------------------
>>
>> --
>> Best Regards,
>> Chenggang Tang | 汤承刚
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/devel.html