Jorgen Rosink wrote:
On 2/13/06, Norbert Wegener <nw@sbs.de> wrote:
Alan DeKok wrote: 1.0.x doesn't support certificate chains. 1.1.0 does.
hm: Script started on Mon Feb 13 19:34:45 2006
lnxad:/etc # radiusd -v radiusd: FreeRADIUS Version 1.1.0, for host , built on Feb 13 2006 at 19:31:10
Did have the same issue like you last week, Alan pointed me to the required extensions needed in the certificates to use with FreeRadius.
[ xpclient_ext] extendedKeyUsage = 1.3.6.1.5.5.7.3.2 [ xpserver_ext ] extendedKeyUsage = 1.3.6.1.5.5.7.3.1
In my case these extensions where missing in the certificate I got, did you check yours ?
Thanks, but this seems not to be the problem. Those exensions exist in the certificate. At least I am able to see them, when importing the certificate into windows: Serverauthentication(1.3.6.1.5.5.7.3.1) Clientauthentication(1.3.6.1.5.5.7.3.2) Ip-security-IKE,intermediate(1.3.6.1.5.5.8.2.2) and the same certificate with openssl shows me: ... X509v3 Basic Constraints: critical CA:FALSE X509v3 Key Usage: Digital Signature, Key Encipherment 1.3.6.1.4.1.311.21.7: 0,.$+.....7...........$...@...n5...=......d... X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication, 1.3.6.1.5.5.8.2.2 1.3.6.1.4.1.311.21.10: That should be sufficient, correct? So maybe there is another reason for that problem? Norbert Wegener
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html