Re: Sending CA certificate during EAP-TLS



> Well in my current configuration I have the RADIUS server certificate in
> certificate_file and CA certificate in CA_file.
>
> But with that configuration, the RADIUS server is still sending the CA
> certificate.

The CA_path folder is empty and the CA_file is commented out. This should work for you.

tls {
    #
    #  These are used to simplify later configurations.
    #
    certdir = ${raddbdir}/certs
    cadir = ${raddbdir}/certs/trustedCA

    private_key_password = whatever
    private_key_file = ${certdir}/server.pem
    certificate_file = ${certdir}/server.pem

    #  Trusted Root CA list - CA_path folder is empty
#   CA_file = ${cadir}/ca.pem
    CA_path = ${raddbdir}/certs/trustedCA

    dh_file = ${certdir}/dh
    random_file = ${certdir}/random

#   fragment_size = 1024

#   include_length = yes

#   check_crl = yes

#   check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"

#   check_cert_cn = %{User-Name}

    #
    # Set this option to specify the allowed
    # TLS cipher suites.  The format is listed
    # in "man 1 ciphers".
    cipher_list = "DEFAULT"

    #make_cert_command = "${certdir}/bootstrap"
}



==================================================
Benjamin K. Eshun

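As an added illustration (not part of this message and not FreeRADIUS code), the following script builds a throwaway CA and a server certificate it issues, then inspects the two certificate_file layouts this thread is about: the server's leaf alone, versus the leaf with the CA certificate appended. It also shows that a supplicant which is not sent the CA has to hold that CA locally to verify the server. The CA name, hostname and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from this thread or FreeRADIUS: throwaway CA + server cert
# (names constructed) to inspect the two certificate_file layouts discussed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Self-contained req config so the system openssl.cnf is not needed
cat > demo.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Demo Radius CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config demo.cnf \
  -keyout ca.key -out ca.pem >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -config demo.cnf \
  -subj "/CN=radius.example.test" -keyout server.key -out server.csr >/dev/null 2>&1
openssl x509 -req -days 1 -in server.csr -CA ca.pem -CAkey ca.key \
  -CAcreateserial -out server.crt >/dev/null 2>&1

# The two certificate_file layouts: leaf only, or leaf with the CA appended
cat server.key server.crt > server-leaf-only.pem
cat server.key server.crt ca.pem > server-with-ca.pem

# Certificates OpenSSL loads from a certificate_file: the first is the server's
# own, every further one is sent to the supplicant as part of the chain
cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Subject CN of every certificate in the file, in file order
cert_subjects() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout |
    sed -n 's/^subject=.*CN *= *//p'
}

# Self-signed certificates in the file: non-zero means a root CA is bundled
root_count() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout |
    awk '/^subject=/ { s = substr($0, 9) }
         /^issuer=/  { if (substr($0, 8) == s) n++ }
         END { print n + 0 }'
}
# Does the server's leaf verify against a given trust file? A supplicant that
# is not sent the CA must already hold it locally (the safer setup anyway).
leaf_verifies_with() { openssl verify -CAfile "$1" server.crt >/dev/null 2>&1; }
```

Running cert_count and root_count against your real certificate_file tells you whether the CA certificate is being bundled by the file itself, independently of the CA_file and CA_path settings.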

----- Original Message ----
From: Rafa Marín López <rafa.marinlopez@gmail.com>
To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
Cc: Rafa Marin Lopez <rafa@dif.um.es>
Sent: Wednesday, 20 June 2007, 18:10:12
Subject: Re: Sending CA certificate during EAP-TLS

Reimer Karlsen-Masur, DFN-CERT wrote:

Hi Karlsen,

thanks for the answer, please see inline...
>
> Argh, your misunderstanding is because of the inline
> documentation/default setup of the eap config file.
>
> *Trusted* CAs for client auth are stored in
>
> CA_file
>
> or
>
> CA_path
>
> So there is no conflict here with certificate_file option.
>
> And IMO usually CA_file and certificate_file should *not* contain the
> same CA certs
Well in my current configuration I have the RADIUS server certificate in
certificate_file and CA certificate in CA_file.

But with that configuration, the RADIUS server is still sending the CA
certificate.

Having said that, your proposal was to not include the CA certificate
in the RADIUS server certificate (in the certificate_file variable).

My RADIUS server certificate does not have the CA certificate included.
Even so, the RADIUS server is including the CA certificate :(...

Any alternative solution?

> because I guess in the majority of cases the RADIUS server cert is
> issued by some (commercial) server CA whereas the client certs are
> mostly issued by some home grown user CA.
>
> Saying that there might be cases where the CA certificates from
> CA_file are indeed the CA chain certs of the RADIUS server
> certificate...
>

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
