Very true, thank you for pointing that out as well. Note to anyone following: If you use a certificate signed by a general authority (verisign for example) then anyone with a verisign cert will be trusted in your place, and able to "authenticate" your users, IE as a man in the middle. They'll have access to the un-encrypted password payload (NT, cleartext), which is a severe security compromise. That's why you (should) always use an internal Certificate Authority, where you control which certs are signed and distributed. On 9/20/2011 00:31, Alan DeKok wrote:
Christ Schlacta wrote:
I thought if you had a certificate signed by a trusted root CA, you were good and didn't need to install anything on the client. It's true that you don't need to install anything on the client. It's *not* true that it's a good idea.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html