[Solved] Re: FR 3.0.21 on Debian Buster not setting EAP_TLS "More fragments" bit where needed?

Martin Pauly pauly at hrz.uni-marburg.de
Wed Aug 19 19:34:16 CEST 2020


Hi,

the issue is solved--well, sort of. As some expected, it comes down to openssl.
As a "server cert", FR is best fed the server cert itself with the intermediate certs appended right after.
My misunderstanding was that you would put the intermediates (we have two) into ca_file (which had worked for me
for many years and versions). What happened was similar to what you see when you try to read a file with e.g.
openssl x509 -in file-with-two-certs-inside -text
Only the first one will be processed. So it looks like the openssl call only consumed the first cert from my
ca_file, but still considered the chain complete. Equipped with this chain lacking the 2nd intermediate cert,
the server happily presented it to the clients. The EAP message delivering cert+chain was formally complete,
the M bit was set _correctly_ in its last packet. Its contents were badly incomplete, though.

Thanks a lot to those who helped with this
Martin

-- 
   Dr. Martin Pauly     Phone:  +49-6421-28-23527
   HRZ Univ. Marburg    Fax:    +49-6421-28-26994
   Hans-Meerwein-Str.   E-Mail: pauly at HRZ.Uni-Marburg.DE
   D-35032 Marburg
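The following script is an added example and is not part of the post above or of the FreeRADIUS project. It reproduces the behaviour Martin describes with a throwaway PKI built on the spot: a root CA, two intermediates and a server certificate, all with made-up names (Example Root CA, radius.example.test and so on). It then shows that a plain `openssl x509 -in` on a two-cert ca_file reports only the first certificate, that a chain built from that first certificate alone cannot be validated by a client that trusts only the root, and that a certificate_file holding the server cert followed by the intermediates (the order OpenSSL's SSL_CTX_use_certificate_chain_file() expects: end-entity first, then the chain towards the root) validates cleanly. It assumes only the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example, not from the original post: build a throwaway three-tier
# PKI (root -> int1 -> int2 -> server), then show why a ca_file holding two
# intermediates loses its second one, and why appending the intermediates to
# the server certificate instead yields a complete chain.
# All names (Example Root CA, radius.example.test, ...) are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extensions for the CA certs and for the EAP-TLS server cert (the
# intermediates need basicConstraints=CA:TRUE or verification rejects them).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:radius.example.test\n' > server.ext

# Key + CSR for one name: $1 = file stem, $2 = subject.
csr() { openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null; }
# Sign $1's CSR with CA $2 (key $2.key), using extension file $3.
sign() { openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial -days 2 -extfile "$3" -out "$1.pem" 2>/dev/null; }

csr root   "/CN=Example Root CA"
csr int1   "/CN=Example Intermediate 1"
csr int2   "/CN=Example Intermediate 2"
csr server "/CN=radius.example.test"
openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.ext -out root.pem 2>/dev/null
sign int1 root ca.ext
sign int2 int1 ca.ext
sign server int2 server.ext

# The setup from the post: both intermediates in ca_file, server cert on its own.
cat int1.pem int2.pem > ca_file.pem
# The recommended setup: server cert first, then the intermediates, leaf upwards.
cat server.pem int2.pem int1.pem > certificate_file.pem

# How many certs does a plain `openssl x509 -in` actually see in a bundle?
certs_seen_by_x509() { openssl x509 -in "$1" -noout -subject 2>/dev/null | grep -c '^subject' || true; }
# How many are really in the file (walk every PEM block)?
certs_in_bundle()    { openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout | grep -c '^subject' || true; }

# Chain check the way a supplicant that trusts only the root would do it:
# $1 = the intermediates the server hands out alongside its own cert.
chain_status() {
  if openssl verify -CAfile root.pem -untrusted "$1" server.pem >/dev/null 2>&1; then echo OK; else echo INCOMPLETE; fi
}

# What the server effectively got out of ca_file: the first cert only.
openssl x509 -in ca_file.pem -out first_only.pem 2>/dev/null

printf 'ca_file.pem: x509 sees %s cert(s), bundle holds %s\n' "$(certs_seen_by_x509 ca_file.pem)" "$(certs_in_bundle ca_file.pem)"
printf 'chain built from the first cert only: %s\n' "$(chain_status first_only.pem)"
printf 'chain from certificate_file with intermediates appended: %s\n' "$(chain_status certificate_file.pem)"
```

The `certs_in_bundle` pipeline (crl2pkcs7 followed by pkcs7 -print_certs) is the quick way to list every certificate in a PEM bundle, and `openssl verify -CAfile root -untrusted chain server` is a cheap check to run before restarting the server: if it fails, clients will see the same incomplete chain, no matter how correctly the EAP fragmentation bits are set.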
