Terry Simons wrote:
I'm running into an issue where FreeRADIUS allows an invalid certificate (one not signed by my configured CA) to successfully authenticate to EAP-TLS.
Well... the code which prints the error "verify error:num=20:" is in the "verify certificate callback" function. It's returning FALSE to OpenSSL. OpenSSL *should* return that error back up the call chain to the functions in src/modules/libeap/. They look for error returns from OpenSSL, and stop the conversation if so.
There's a message in the log that clearly indicates that the CA wasn't found (--> verify error:num=20:unable to get local issuer certificate) , yet my authentication succeeds.
I'm using FreeRADIUS version 2.1.10 with a largely default configuration (home-grown certificates).
Does it fail authentication with another version of FreeRADIUS? If not, it's an OpenSSL problem.
I want this authentication to fail because the certificate that the client is using was not signed by the CA that I have configured with the CA_file directive, therefore it should be considered an invalid EAP-TLS attempt.
Has anyone seen this before?
Nope. I'm not a crypto person. FreeRADIUS hands the SSL stuff to OpenSSL, which does it's magic to verify the certs. Alan DeKok.