Re: Sending CA certificate during EAP-TLS
Reimer Karlsen-Masur, DFN-CERT wrote:
Hi Karlsen,
thanks for the answer, please see inline...

> Argh, your misunderstanding is because of the inline
> documentation/default setup of the eap config file.
> *Trusted* CAs for client auth are stored in
> CA_file
> or
> CA_path
> So there is no conflict here with certificate_file option.
> And IMO usually CA_file and certificate_file should *not* contain the
> same CA certs

Well, in my current configuration I have the RADIUS server certificate in
certificate_file and the CA certificate in CA_file.
But with that configuration, the RADIUS server is still sending the CA
certificate.
Having said that, your proposal was to not include the CA certificate
in the RADIUS server certificate (in the certificate_file variable).
My RADIUS server certificate does not have the CA certificate included.
Even so, the RADIUS server is including the CA certificate :(...
Any alternative solution?

> because I guess in the majority of cases the RADIUS server cert is
> issued by some (commercial) server CA whereas the client certs are
> mostly issued by some home grown user CA.
> Saying that there might be cases where the CA certificates from
> CA_file are indeed the CA chain certs of the RADIUS server
> certificate.....