virtual server configuration

usawebbox at fastmail.fm
Sat Mar 22 01:51:53 CET 2008


On Wed, 19 Mar 2008 07:30:53 +0100, "Alan DeKok"
<aland at deployingradius.com> said:
> usawebbox at fastmail.fm wrote:
> 
> > All you need is a server cert and private
> > key. In PEAP, the client is the one who needs the CA cert, if he wants
> > to verify the server cert, but even that is optional.
> 
>   The CA cert is needed by OpenSSL to validate the server cert.
> 

I did not know this. I've always provided it, but I didn't know it was
required.

> > Anyway, can we say now that not providing a CA_file doesn't work?
> 
>   Provide a CA cert as instructed, either in CA_file or in
>   certificate_file.
> 

I wasn't clear enough this time, but I have tried to include it in
certificate_file, first with my original certs, then with certs issued
from my local CA, then with the example certs created by make ca server.
My eap.conf TLS section is:

tls {
    certdir = ${confdir}/certs
    cadir = ${confdir}/certs
    private_key_password = whatever
    private_key_file = ${certdir}/server.key
    certificate_file = ${certdir}/server-ca.crt
    #CA_file = ${cadir}/ca.pem
    dh_file = ${certdir}/dh
    random_file = ${certdir}/random
    cipher_list = "DEFAULT"
}

server-ca.crt is created thus:
cat ca.pem server.crt > server-ca.crt

In all cases the server does not initialize, with the error:
rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)
rlm_eap_tls: Error reading Trusted root CA list (null)
rlm_eap: Failed to initialize type tls

If I uncomment the CA_file line, then PEAP works normally, and the
server cert is validated with ca.pem on the client side.

Either I am not making the combined ca/server cert correctly, or this is
not working (v2.0.2).
-- 
  
  usawebbox at fastmail.fm

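An added check, not from the thread or from FreeRADIUS itself, that parses the tls block quoted above, skips commented-out lines the way the server does, and reports the missing trusted-root setting before the server is even started. The confdir value /etc/raddb and the check function names are assumptions.

```python
import re

# Constructed copy of the tls { ... } block from the post (CA_file commented out).
EAP_CONF = """
tls {
    certdir = ${confdir}/certs
    cadir = ${confdir}/certs
    private_key_password = whatever
    private_key_file = ${certdir}/server.key
    certificate_file = ${certdir}/server-ca.crt
    #CA_file = ${cadir}/ca.pem
    dh_file = ${certdir}/dh
    random_file = ${certdir}/random
    cipher_list = "DEFAULT"
}
"""

def parse_tls_block(conf, confdir="/etc/raddb"):
    """Return the active key/value pairs of the tls { } block with ${var}
    references expanded. Lines starting with '#' are skipped, so a
    commented-out CA_file is simply absent from the result.
    confdir is an assumed value; FreeRADIUS supplies it at runtime."""
    m = re.search(r"tls\s*\{(.*?)\n\}", conf, re.S)
    if not m:
        raise ValueError("no tls block found")
    values = {"confdir": confdir}
    for line in m.group(1).splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, val = line.partition("=")
        val = val.strip().strip('"')
        # approximate the server's ${name} expansion using values seen so far
        val = re.sub(r"\$\{(\w+)\}",
                     lambda mm: values.get(mm.group(1), mm.group(0)), val)
        values[key.strip()] = val
    return values

def check_trust_anchor(values):
    """Mirror the failure seen in the post: with no active CA_file, OpenSSL
    has no trusted-root list, whatever certificate_file contains."""
    problems = []
    if "CA_file" not in values:
        problems.append("CA_file is not set or commented out: no trusted root CA list")
    if "certificate_file" not in values:
        problems.append("certificate_file is not set")
    return problems
```

Running check_trust_anchor(parse_tls_block(EAP_CONF)) on the block as posted reports the missing CA_file; uncommenting that line makes the check pass.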