It is the same virtual machine. I reinstalled FR 3.0.20, and I saw the "reject_unknown_intermediate_ca" parameter does not exist in this version. If I add this to eap configuration, it is not loaded during server starts. So, is the value 'yes' implicit in this branch ? -----Message d'origine----- De : Freeradius-Users <freeradius-users-bounces+ludovic.senecaux=lenord.fr@lists.freeradius.org> De la part de Alan DeKok Envoyé : mardi 23 janvier 2024 16:03 À : FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Objet : Re: FreeRADIUS EAP-TLS Auth. Issues Soyez vigilant, ce courriel est émis depuis l'extérieur. N'ouvrez les fichiers ou cliquez sur les liens que si vous êtes sûr de l'adresse mail de l'expéditeur. On Jan 23, 2024, at 9:54 AM, SENECAUX Ludovic <Ludovic.SENECAUX@lenord.fr> wrote:
I checked again my 2 radius servers ; if I set " reject_unknown_intermediate_ca = yes" : - 3.0.20 (PROD) : eap-tls auth. is ok - 3.2.3 (DEV): eap-tls auth. is broken
Same OS version, same OpenSSL version, same Radius config.
That's unfortunate. Looking at the two versions, the TLS code is in src/main/cb.c, and src/main/tls.c The "cb.c" file is identical to v3.0, other than some changes to the debug output. The "tls.c" file shows a few more differences, but those are largely debug output changes, or new features which don't affect certificate validation. I'd double-check the systems. If this the same machine and the two versions of FreeRADIUS are different, then the issue is FreeRADIUS. If the two systems are different (magically somehow), then maybe there's some other OpenSSL issue which is causing the difference. i.e. it's not enough to say "same version of OpenSSL". There's all kinds of magic going on behind the scenes that I'm not aware of, such as vendor patches to code, configuration, etc. Also, please check that you're running packages from https://antiphishing.vadesecure.com/v4?f=bnJjU3hQT3pQSmNQZVE3aOc46Ydi7tsNu-y... If you're running packages supplied by the OS vendor, those are very often patched and different (i.e. broken) in odd ways. Alan DeKok. - List info/subscribe/unsubscribe? See https://antiphishing.vadesecure.com/v4?f=bnJjU3hQT3pQSmNQZVE3aOc46Ydi7tsNu-y...