14 Mar
2018
14 Mar
'18
4:23 a.m.
On Mar 14, 2018, at 7:23 AM, Stefan Winter <stefan.winter@RESTENA.LU> wrote:
Hi,
One thing that i’m slightly unsure of is whether we should allow multiple key pairs on the client side too (I did for completeness), presumably crypto agility can be utilised by both TLS peers?
I don't think that's necessary: for client cert validation, you don't need private keys and can already use the _dir option if you have more than one CA.
Sorry, wasn’t clear. The SSL_CTX configuration code is common for both TLS servers and TLS clients, and is used for both EAP and RADSEC. In this case FreeRADIUS would be acting as a TLS client for RADSEC. -Arran