Hello, ernestly: This discussion is a real pity. The matter is complex, and the questions raised may be relevant for more users. Could everyone please take the personal fierceness out of the dispute and stick to the technical points? Unfortunately, my experience with EAP-TLS is very limited, but obviously we would prefer it for our Clients in the future, too. Watching discussions on this list is often a good way to see what problems might lie ahead when, e.g. using a feature you have not used before. So I would really like to understand things, but it seems sort of hard to match the two points of view. Roberto: We DO need to log bulletproof cert details like serial number. Alan: Go set up your clients in a sane way, then you get your correlation for free. Roberto: We already try, but vendors won't play along. Alan: Then we are far from standards, and the default config cannot cover every weird situation that might arise. But there's always a way to fix it through the config. Roberto: But the default config/FR's processing MUST cover this, otherwise it a crap, security-wise. Roberto, you've really dived deeply into your specific kind of problem. Why not submit patches that try to improve the default config, if it is this clear what is missing? I would really be interested to see what exactly should change. What I haven't understood so far: Given Roberto's situation, _can_ you tweak the config to log the data he wants, or would you need to change the processing at some point (e.g. changing openssl lib calls to extract more information)? Martin -- Dr. Martin Pauly Phone: +49-6421-28-23527 HRZ Univ. Marburg Fax: +49-6421-28-26994 Hans-Meerwein-Str. E-Mail: pauly@HRZ.Uni-Marburg.DE D-35032 Marburg