On Wed, 30 Nov 2022 at 19:15, Alan DeKok <aland@deployingradius.com> wrote:
On Nov 30, 2022, at 1:42 PM, James Narey via Freeradius-Users < freeradius-users@lists.freeradius.org> wrote:
I'm working on an existing FreeRADIUS 3.0.25 implementation, in particular the REST module.
The current configuration sets the following config items in the tls block:
cacertdir cacertfile verify_cert
These don't appear in the default rest config for 3.0.x. The do appear in the NetworkRADIUS wiki, though the first two do not have descriptions. This page's 'Default Config' link goes to the same file - mods-available/rest in the 3.0.x branch.
The TLS configuration for the "rest" module is documented in mods-available/rest. Anything not documented there doesn't work.
For EAP and RadSec, we've implemented all of the TLS bits ourselves. Which means that there are a ton of configuration options for TLS.
For the Rest module, we have to use the libcurl API. And that exposes fewer configuration options for TLS.
I'm unsure which names to be using and, while the names of the top two are descriptive, it would be helpful to see some documentation before continuing to rely on them.
The documentation in mods-available/rest is up to date, and is correct.
It would also be helpful to know whether there is a reason to use verify_cert vs check_cert, though it is clear at least that these do the same thing.
You can't use them with the Rest module.
check_cert is in the documentation in mods-available/rest so I'm assuming, based on the point above, that it's OK? (verify_cert isn't).
For EAP and Radsec, these configuration items are documented in mods-available/eap, among other places.
Alan DeKok.
Thank you so much for the helpful reply.