Le 8 sept. 2014 à 14:31, Alan DeKok a écrit :
Axel Luttgens wrote:
It "works", in the sense that a client connecting thru TTLS receives both certificates, which is exactly what I want. :-)
OK.
Now, it is true that I currently don't implement TLS.
What does that mean? EAP-TLS is enabled in v3 by adding a "tls {...}" block to mods-available/eap. Then, creating client certificates and adding them to the clients.
Hello Alan, Reading that part of the comments: # This parameter is used only for EAP-TLS, # when you issue client certificates. If you do # not use client certificates, and you do not want # to permit EAP-TLS authentication, then delete # this configuration item. ca_file = /path/to/my_root_ca_cert.pem I was under the impression that EAP-TLS authentication attempts wouldn't be allowed by FR when commenting out the "ca_file = ..." line. Since I currently haven't made any provision for EAP-TLS (handling of client certificates and so on), this could perhaps be a good thing.
Putting above comments together, it seems that I could thus comment out the "ca_file = ..." line, and merge both certificates, my_server_cert.pem and my_root_ca_cert.pem, into a single file, say "my_combined_certs". And then define: certificate_file = /path/to/my_combined_certs
To do what?
Currently, to disallow EAP-TLS auths. Moreover, should I later decide to implement certificate-based authentications, this wouldn't happen thru certificates emitted by my ad hoc Root CA, but thru certificates emitted by an intermediary CA certified by my Root CA; my current "ca_file = ..." setting would thus be wrong anyway. Therfore, that comment: # If ca_file (below) is not used, then the # certificate_file below MUST include not # only the server certificate, but ALSO all # of the CA certificates used to sign the # server certificate. certificate_file = /path/to/my_server_cert.pem seemed to support both the ideas of not having to worry now about EAP-TLS auth attempts and of having a config consistent with what might happen here in the future. Of course, my understanding of those comments may be completely wrong, and I thus wanted to get some feedback before erring in the dark...
[...]
Would a simple cat of the two certificates (currently in PEM format) be sufficient?
How about trying it?
Yes, of course. ;-) Axel