CA_file vs. CA_path

David Mitchell mitchell at ucar.edu
Tue Aug 31 23:51:30 CEST 2010


David Mitchell wrote:
> Alan DeKok wrote:
>> David Mitchell wrote:
>>> I now have 2.1.10 compiled and running. It seems to work fine. I did
>>> have to make one change to my configuration. I had been using CA_path to
>>> refer to the certificates which can authenticate clients for EAP-TLS
>>> authentication in 2.1.8. In 2.1.10, that doesn't seem to work. If I
>>> specify a single file via CA_file that works fine. I can manage either
>>> way I think since the file referenced in CA_file can contain multiple
>>> certificates. I did verify that I had run 'c_rehash' in my CA_path
>>> directory. I'm not sure why CA_path doesn't work since the OpenSSL docs
>>> indicate that they are largely interchangeable. Is it an intentional
>>> change?
>>   Nope.  It's not an intentional change.  I don't know why it would be
>> different.
> 
> I did change OpenSSL versions as well so I can't say for sure that it
> has anything to do with FreeRadius. I'll try and poke around some and
> see if I can figure out what's going on. Thanks for confirming it wasn't
> meant to change.

I've done some recompiling and I believe that the new behavior is due to
the new version of OpenSSL. If I compile FreeRadius using the default
Debian OpenSSL (0.9.8g) I can use CA_path as expected. Compiling
FreeRadius and specifying the locally installed OpenSSL 1.0.0a results
in CA_path not working. In both cases I was compiling FR 2.1.9. I have
not dug into the OpenSSL code. I've looked in there before and it scares
me ;-)

-David

> 
> -David
> 
>>   Alan DeKok.
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> 
> 


-- 
-----------------------------------------------------------------
| David Mitchell (mitchell at ucar.edu)       Network Engineer IV  |
| Tel: (303) 497-1845                      National Center for  |
| FAX: (303) 497-1818                      Atmospheric Research |
-----------------------------------------------------------------
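
Added example, not part of the original message or of FreeRADIUS: OpenSSL 1.0.0 changed the subject-name hash used for CA_path lookups, so hash links created by a pre-1.0.0 c_rehash are not found by a 1.0.0+ library. The script below checks a CA_path directory against a chosen openssl binary; the function name check_ca_path, the OPENSSL variable and the .pem/.crt file naming are assumptions of this example.

```shell
#!/bin/sh
# Added diagnostic example (hypothetical helper, not FreeRADIUS or OpenSSL code).
# Usage: OPENSSL=/usr/local/ssl/bin/openssl check_ca_path /path/to/CA_path
# Point OPENSSL at the binary from the same OpenSSL install the server is
# linked against; a system binary from another version computes other hashes.

check_ca_path() {
    dir=$1
    ossl=${OPENSSL:-openssl}
    missing=0
    # Assumption: CA certificates in the directory are named *.pem or *.crt.
    for cert in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$cert" ] || continue
        # Hash this OpenSSL build looks up in CA_path (file name <hash>.N).
        new=$("$ossl" x509 -noout -subject_hash -in "$cert" 2>/dev/null) || continue
        # Pre-1.0.0 hash; the option only exists in OpenSSL 1.0.0 and later.
        old=$("$ossl" x509 -noout -subject_hash_old -in "$cert" 2>/dev/null) || old=""
        if ls "$dir/$new".[0-9]* >/dev/null 2>&1; then
            echo "OK       $cert ($new.N present)"
        elif [ -n "$old" ] && ls "$dir/$old".[0-9]* >/dev/null 2>&1; then
            echo "STALE    $cert (only pre-1.0.0 link $old.N; re-run c_rehash)"
            missing=$((missing + 1))
        else
            echo "MISSING  $cert (no hash link; expected $new.0)"
            missing=$((missing + 1))
        fi
    done
    # Succeed only if every certificate has a link this OpenSSL will find.
    [ "$missing" -eq 0 ]
}
```

A STALE line means the directory was hashed by an older c_rehash than the OpenSSL doing the lookup; re-running the c_rehash that ships with the newer install regenerates the links.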