"Manual" certificate checking
Sven Dreyer
sven at dreyer-net.de
Mon Jul 9 14:27:21 CEST 2012
On 09.07.2012 14:18, Phil Mayers wrote:
>> - The phones have the Sub CA certificate locally installed as
>> "trustworthy" (NOT the Root CA certificate!)
>> - The RADIUS server must only send its server certificate (not the whole
>> chain)
>
> Why?
Not my decision - our customer said something like "that's the way it
works in our network". I suggested to send the whole chain, but their
answer was like "no RFC forces anyone to send the whole chain, so it
must work that way".
>> - I only put the RADIUS server certificate to certificate_file. But as
>> soon as CA_path or CA_file are set, FreeRADIUS sends the whole
>> certificate chain to the phone.
>
> I'm afraid the current TLS code works that way. You would need to patch
> the source if you want a different set of server CA and client CA objects.
Thanks for that, I already suspected something like this.
Best regards, Sven