Hi, hm, added a comment to that commit. I don't trust GitHub enough to assume you've been notified and have seen it (did you?) Stefan Am 13.03.2018 um 19:20 schrieb Arran Cudbard-Bell:
On Mar 13, 2018, at 7:00 AM, Stefan Winter <stefan.winter@RESTENA.LU> wrote:
Hi,
so, with a bit of luck, this needs just a new config option in modules/eap to allow specifying more than one certificate; and a small amount of code to load both certs.
https://github.com/FreeRADIUS/freeradius-server/commit/e8df16d097c961ee80dd2...
Pretty much. Due to the way OpenSSL validates private/public key pairs (see SSL_CTX_check_private_key - https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_use_certificate.html) the certificate and private_key need to be loaded consecutively so it’s better to specify them together in a configuration stanza, then allow multiple instances of that stanza.
certificate { pem_file_type = yes certificate_file = “<path>” private_key_password = “<password>" private_key_file = “<path>" }
Using multiple certificate stanzas also allows different passwords to be specified for different pairs, and a mixture of ASN1 and PEM certs.
One thing that i’m slightly unsure of is whether we should allow multiple key pairs on the client side too (I did for completeness), presumably crypto agility can be utilised by both TLS peers?
Not back porting this to v3. The config parser isn’t sophisticated enough to so the same dynamic structure allocation, and it’d be a breaking change.
-Arran
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
-- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 2, avenue de l'Université L-4365 Esch-sur-Alzette Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66