On Wed, 19 Mar 2008 07:30:53 +0100, "Alan DeKok" <aland@deployingradius.com> said:
usawebbox@fastmail.fm wrote:
All you need is a server cert and private key. In PEAP, the client is the one who needs the CA cert, if he wants to verify the server cert, but even that is optional.
The CA cert is needed by OpenSSL to validate the server cert.
I did not know this. I've always provided it, but I didn't know it was required.
Anyway, can we say now that not providing a CA_file doesn't work?
Provide a CA cert as instructed, either in CA_file or in certificate_file.
I wasn't clear enough this time, but I have tried to include it in certificate_file, first with my original certs, then with certs issued from my local CA, then with the example certs created by make ca server. My eap.conf TLS section is: tls { certdir = ${confdir}/certs cadir = ${confdir}/certs private_key_password = whatever private_key_file = ${certdir}/server.key certificate_file = ${certdir}/server-ca.crt #CA_file = ${cadir}/ca.pem dh_file = ${certdir}/dh random_file = ${certdir}/random cipher_list = "DEFAULT" } server-ca.crt is created thus: cat ca.pem server.crt > server-ca.crt In all cases the server does not initialize, with the error: rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) rlm_eap_tls: Error reading Trusted root CA list (null) rlm_eap: Failed to initialize type tls If I uncomment the CA_file line, then peap works normally, and the server cert is validated with ca.pem on the client side. Either I am not making the combined ca/server cert correctly, or this is not working (v2.0.2) -- usawebbox@fastmail.fm -- http://www.fastmail.fm - Send your email first class