EAP-TLS with TLS 1.3

Stefan Winter stefan.winter at restena.lu
Wed Mar 14 08:28:26 CET 2018


Hi,

hm, added a comment to that commit. I don't trust GitHub enough to
assume you've been notified and have seen it (did you?)

Stefan

On 13.03.2018 at 19:20, Arran Cudbard-Bell wrote:
> 
> 
>> On Mar 13, 2018, at 7:00 AM, Stefan Winter <stefan.winter at RESTENA.LU> wrote:
>>
>> Hi,
>>
>> so, with a bit of luck, this needs just a new config option in
>> modules/eap to allow specifying more than one certificate; and a small
>> amount of code to load both certs.
> 
> https://github.com/FreeRADIUS/freeradius-server/commit/e8df16d097c961ee80dd23f85965d74b27849126
> 
> Pretty much.  Due to the way OpenSSL validates private/public key pairs (see SSL_CTX_check_private_key - https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_use_certificate.html) the certificate and private_key need to be loaded consecutively so it’s better to specify them together in a configuration stanza, then allow multiple instances of that stanza.
> 
> certificate {
> 	pem_file_type = yes
> 	certificate_file = "<path>"
> 	private_key_password = "<password>"
> 	private_key_file = "<path>"
> }
> 
> Using multiple certificate stanzas also allows different passwords to be specified for different pairs, and a mixture of ASN1 and PEM certs.
> 
> One thing that I'm slightly unsure of is whether we should allow multiple key pairs on the client side too (I did for completeness), presumably crypto agility can be utilised by both TLS peers?
> 
> Not back porting this to v3.  The config parser isn't sophisticated enough to do the same dynamic structure allocation, and it'd be a breaking change.
> 
> -Arran
> 
> 
> 
> 


-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
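As an added illustration (not code from this thread or from FreeRADIUS), a small Python parser for the multi-stanza `certificate { }` layout Arran proposes above; the sample config, file paths and passwords are constructed placeholders. It rejects any stanza that lacks either file, because OpenSSL checks a private key against the most recently loaded certificate, so each stanza must supply a complete pair to be loaded consecutively.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the style of the stanzas proposed in the thread.
# Paths and passwords are placeholders, not real files or secrets.
SAMPLE_CONFIG = """
certificate {
    pem_file_type = yes
    certificate_file = "/etc/raddb/certs/server-rsa.pem"
    private_key_password = "rsa-secret"
    private_key_file = "/etc/raddb/certs/server-rsa.key"
}
certificate {
    pem_file_type = no
    certificate_file = "/etc/raddb/certs/server-ec.der"
    private_key_file = "/etc/raddb/certs/server-ec.der.key"
}
"""

@dataclass
class CertPair:
    certificate_file: str
    private_key_file: str
    private_key_password: Optional[str]
    pem: bool  # True for PEM, False for ASN.1/DER, per pem_file_type

# One stanza body per match; keys inside it are "name = value" lines.
_STANZA = re.compile(r"certificate\s*\{(.*?)\}", re.S)
_KV = re.compile(r'^\s*(\w+)\s*=\s*"?([^"\n]*?)"?\s*$', re.M)

def parse_certificate_stanzas(text: str) -> List[CertPair]:
    """Return cert/key pairs in file order, which is also load order.

    A stanza with only one of the two files is an error: the key would be
    checked against the previous stanza's certificate instead of its own."""
    pairs = []
    for n, m in enumerate(_STANZA.finditer(text), 1):
        kv = dict(_KV.findall(m.group(1)))
        missing = {"certificate_file", "private_key_file"} - kv.keys()
        if missing:
            raise ValueError(f"certificate stanza {n} lacks {sorted(missing)}")
        pairs.append(CertPair(
            certificate_file=kv["certificate_file"],
            private_key_file=kv["private_key_file"],
            private_key_password=kv.get("private_key_password"),
            pem=kv.get("pem_file_type", "yes").lower() == "yes",
        ))
    return pairs
```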