On Mar 13, 2018, at 7:00 AM, Stefan Winter <stefan.winter@RESTENA.LU> wrote:
Hi,
so, with a bit of luck, this needs just a new config option in modules/eap to allow specifying more than one certificate; and a small amount of code to load both certs.
https://github.com/FreeRADIUS/freeradius-server/commit/e8df16d097c961ee80dd2... Pretty much. Due to the way OpenSSL validates private/public key pairs (see SSL_CTX_check_private_key - https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_use_certificate.html) the certificate and private_key need to be loaded consecutively so it’s better to specify them together in a configuration stanza, then allow multiple instances of that stanza. certificate { pem_file_type = yes certificate_file = “<path>” private_key_password = “<password>" private_key_file = “<path>" } Using multiple certificate stanzas also allows different passwords to be specified for different pairs, and a mixture of ASN1 and PEM certs. One thing that i’m slightly unsure of is whether we should allow multiple key pairs on the client side too (I did for completeness), presumably crypto agility can be utilised by both TLS peers? Not back porting this to v3. The config parser isn’t sophisticated enough to so the same dynamic structure allocation, and it’d be a breaking change. -Arran