On Mar 14, 2018, at 1:57 PM, Stefan Winter <stefan.winter@RESTENA.LU> wrote:
Hi,
Sorry, wasn’t clear. The SSL_CTX configuration code is common for both TLS servers and TLS clients, and is used for both EAP and RADSEC. In this case FreeRADIUS would be acting as a TLS client for RADSEC.
Ah. Well the cert length considerations are really about EAP as the data channel is so narrow and peculiar.
In a RadSec connection, length of the cert is a NOOP consideration.
Of course if you really want to have two distinct certs for actual security reasons(?), then yes, multiple client certs would be useful there.
OK, yes, that’s what I was querying. I guess it’d also allow you to select different certificates depending on the CA list advertised by the server, as well as different certificates for crypto agility. -Arran