Sending CA certificate during EAP-TLS

Eshun Benjamin bkeshun at yahoo.fr
Wed Jun 20 19:18:24 CEST 2007


> Well in my current configuration I have the RADIUS server certificate in 
> certificate_file and CA certificate in CA_file.
>
> But with that configuration, the RADIUS server is still sending the CA 
> certificate.

The CA_path folder is empty and the CA_file is commented out. This should work for you.

tls {
        #
        #  This is used to simplify later configurations.
        #
        certdir = ${raddbdir}/certs
        cadir = ${raddbdir}/certs/trustedCA

        private_key_password = whatever
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem

        #  Trusted Root CA list - CA_path folder is empty
#       CA_file = ${cadir}/ca.pem
        CA_path = ${raddbdir}/certs/trustedCA

        dh_file = ${certdir}/dh
        random_file = ${certdir}/random

#       fragment_size = 1024

#       include_length = yes

#       check_crl = yes

#       check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"

#       check_cert_cn = %{User-Name}

        # Set this option to specify the allowed
        # TLS cipher suites.  The format is listed
        # in "man 1 ciphers".
        cipher_list = "DEFAULT"

        #make_cert_command = "${certdir}/bootstrap"
}


 
================================================== 
Benjamin K. Eshun
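
An added check, written for this page and not code from FreeRADIUS or from either poster, that reads the active settings out of a tls { } block like the one above and reports the two things this thread turns on: whether certificate_file bundles more than the server certificate (the extra certificates are what the server presents as its chain), and whether, with CA_file commented out and CA_path holding no hash-named entries, any trust anchor is left for verifying client certificates. The raddbdir default and the injected file/directory accessors are assumptions; the tls block below is a constructed copy of the one in the thread.

```python
import re

# Constructed copy of the tls { } block discussed in this thread (not a live config)
EXAMPLE_TLS = """tls {
        certdir = ${raddbdir}/certs
        cadir = ${raddbdir}/certs/trustedCA
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem
#       CA_file = ${cadir}/ca.pem
        CA_path = ${raddbdir}/certs/trustedCA
        cipher_list = "DEFAULT"
}
"""

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
HASH_LINK = re.compile(r"^[0-9a-f]{8}\.\d+$")  # subject-hash names OpenSSL needs in CA_path
SETTING = re.compile(r'^(\w+)\s*=\s*"?([^"]*?)"?\s*$')

def parse_tls_block(text, raddbdir="/etc/raddb"):
    """Active settings of a tls { } block: '#' lines skipped, ${var} expanded."""
    settings = {"raddbdir": raddbdir}  # assumed default raddb location
    for raw in text.splitlines():
        line = raw.strip()
        m = SETTING.match(line)
        if line.startswith("#") or not m:   # a commented-out CA_file is simply absent
            continue
        key, value = m.groups()
        settings[key] = re.sub(r"\$\{(\w+)\}",
                               lambda v: settings.get(v.group(1), v.group(0)), value)
    return settings

def audit_tls(settings, read_file, list_dir):
    """Return findings; read_file/list_dir are injected so this runs on constructed data."""
    findings = []
    n_certs = len(PEM_CERT.findall(read_file(settings["certificate_file"])))
    if n_certs > 1:
        findings.append(f"certificate_file bundles {n_certs} certificates; the extra "
                        "ones are presented to the client as the server chain")
    has_ca_file = "CA_file" in settings
    has_ca_path = "CA_path" in settings and any(
        HASH_LINK.match(name) for name in list_dir(settings["CA_path"]))
    if "CA_path" in settings and not has_ca_path:
        findings.append("CA_path holds no subject-hash entries (run c_rehash on it), "
                        "so OpenSSL finds no CA there")
    if not (has_ca_file or has_ca_path):
        findings.append("no trust anchor for client certificates: EAP-TLS peer "
                        "verification cannot succeed with this block")
    return findings
```

Pointing read_file at open(p).read() and list_dir at os.listdir runs the same audit against a real raddb tree.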

----- Original Message ----
From: Rafa Marín López <rafa.marinlopez at gmail.com>
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Cc: Rafa Marin Lopez <rafa at dif.um.es>
Sent: Wednesday, 20 June 2007, 18:10:12
Subject: Re: Sending CA certificate during EAP-TLS

Reimer Karlsen-Masur, DFN-CERT wrote:

Hi Karlsen,

thanks for the answer, please see inline...
>
> Argh, your misunderstanding is because of the inline 
> documentation/default setup of the eap config file.
>
> *Trusted* CAs for client auth are stored in
>
> CA_file
>
> or
>
> CA_path
>
> So there is no conflict here with certificate_file option.
>
> And IMO usually CA_file and certificate_file should *not* contain the 
> same CA certs
Well in my current configuration I have the RADIUS server certificate in 
certificate_file and CA certificate in CA_file.

But with that configuration, the RADIUS server is still sending the CA 
certificate.

Having said that, your proposal was to not include the CA certificate 
in the RADIUS server certificate (in certificate_file variable).

My RADIUS server certificate does not have the CA certificate included. 
Even so, the RADIUS server is including the CA certificate :(...

Any alternative solution?

> because I guess in the majority of cases the RADIUS server cert is 
> issued by some (commercial) server CA where as the client certs are 
> mostly issued by some home grown user CA.
>
> Saying that there might be cases where the CA certificates from 
> CA_file are indeed the CA chain certs of the RADIUS server 
> certificate.....
>
> ------------------------------------------------------------------------
>
> - 
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
