Hi, I am setting up a FreeRADIUS server for our wireless network and I was asked if I can disable the distribution of the public certificate I search around in the www but could not find a solution for this. Is there a way to implement this feature in my setup? I am using FreeRADIUS 2.1.10 on debian squeeze Julian
On 12/21/2010 09:43 AM, Julian Labus wrote:
Hi,
I am setting up a FreeRADIUS server for our wireless network and I was asked if I can disable the distribution of the public certificate I search around in the www but could not find a solution for this. Is there a way to implement this feature in my setup?
Perhaps you should explain which public certificate you're talking about and why you want to disable this. FWIW public certificates are sent as part of the SSL/TLS protocol, you can't disable this if you're using SSL/TLS. The whole point of a public cert is that not only is it safe to distribute, but it is intended to be distributed which makes your question perplexing. -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
Yes, I was talking about the TLS public certificate, sorry for leaving this out. The reason for that is that you only have the ability to connect to the hotspot if you have manually installed the public cert on your client before connecting. On 12/21/2010 04:10 PM, John Dennis wrote:
On 12/21/2010 09:43 AM, Julian Labus wrote:
Hi,
I am setting up a FreeRADIUS server for our wireless network and I was asked if I can disable the distribution of the public certificate I search around in the www but could not find a solution for this. Is there a way to implement this feature in my setup?
Perhaps you should explain which public certificate you're talking about and why you want to disable this.
FWIW public certificates are sent as part of the SSL/TLS protocol, you can't disable this if you're using SSL/TLS. The whole point of a public cert is that not only is it safe to distribute, but it is intended to be distributed which makes your question perplexing.
-- \ / Sol-3 GmbH& Co. KG Julian Labus --o-- Sol-3 An der Klostermühle 1 Phone: +49 6123 7029 18 / \ D-65399 Kiedrich Fax: +49 6123 7029 29 USt-ID: DE 204978307 eMail: jl@sol-3.de Register: WI HRA 6607 Komplementär: Sol-3 Verwaltungs-GmbH Register: WI HRB 117786 Geschäftsführer: Norbert Geus, Dirk Zoller
On 12/21/2010 10:22 AM, Julian Labus wrote:
Yes, I was talking about the TLS public certificate, sorry for leaving this out.The reason for that is that you only have the ability to connect to the hotspot if you have manually installed the public cert on your client before connecting.
No, I think you're confused. Perhaps you're referring to the trusted CA cert used to sign your public server cert. The CA which signed your server cert has to be installed as a trusted CA on the client (or resolve to one via a cert chain). Generally you don't want clients to install trusted CA certs. Therefore your server cert must be signed by a CA which is normally trusted and hence previously installed. Usually that means a commercial CA which you pay to sign your server cert. -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
Hi,
Yes, I was talking about the TLS public certificate, sorry for leaving this out.The reason for that is that you only have the ability to connect to the hotspot if you have manually installed the public cert on your client before connecting.
No, I think you're confused. Perhaps you're referring to the trusted CA cert used to sign your public server cert. The CA which signed your server cert has to be installed as a trusted CA on the client (or resolve to one via a cert chain).
Generally you don't want clients to install trusted CA certs. Therefore your server cert must be signed by a CA which is normally trusted and hence previously installed. Usually that means a commercial CA which you pay to sign your server cert.
aye. you dont HAVE to install the server public cert as that will be transferred to the client during the creation of the SSL/TLS tunnel. what the client does need, AND trust, is the public cert of the CA that signed the server. in this way, the web of trust is created. so...if you have a public system I'd advice you use a well known CA to sign your server... a CA whose public keys are already in the OS. for a private, closed loop system - eg 802.1X authentication I'd still go for a private CA - yes, you have the issue of CA distribution onto the clients but you avoid the issue that anyone can pay and get a CA signed by a well known CA that your clients would trust (closed-loop method) alan
Ok, thanks to all for making this clear. I'm not very familiar with SSL/TLS so I misunderstood this function from SSL/TLS. On 12/21/2010 05:43 PM, Alan Buxey wrote:
Hi,
Yes, I was talking about the TLS public certificate, sorry for leaving this out.The reason for that is that you only have the ability to connect to the hotspot if you have manually installed the public cert on your client before connecting.
No, I think you're confused. Perhaps you're referring to the trusted CA cert used to sign your public server cert. The CA which signed your server cert has to be installed as a trusted CA on the client (or resolve to one via a cert chain).
Generally you don't want clients to install trusted CA certs. Therefore your server cert must be signed by a CA which is normally trusted and hence previously installed. Usually that means a commercial CA which you pay to sign your server cert.
aye. you dont HAVE to install the server public cert as that will be transferred to the client during the creation of the SSL/TLS tunnel. what the client does need, AND trust, is the public cert of the CA that signed the server.
in this way, the web of trust is created.
so...if you have a public system I'd advice you use a well known CA to sign your server... a CA whose public keys are already in the OS.
for a private, closed loop system - eg 802.1X authentication I'd still go for a private CA - yes, you have the issue of CA distribution onto the clients but you avoid the issue that anyone can pay and get a CA signed by a well known CA that your clients would trust (closed-loop method)
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- \ / Sol-3 GmbH& Co. KG Julian Labus --o-- Sol-3 An der Klostermühle 1 Phone: +49 6123 7029 18 / \ D-65399 Kiedrich Fax: +49 6123 7029 29 USt-ID: DE 204978307 eMail: jl@sol-3.de Register: WI HRA 6607 Komplementär: Sol-3 Verwaltungs-GmbH Register: WI HRB 117786 Geschäftsführer: Norbert Geus, Dirk Zoller
Hi,
I am setting up a FreeRADIUS server for our wireless network and I was asked if I can disable the distribution of the public certificate I search around in the www but could not find a solution for this. Is there a way to implement this feature in my setup?
I'm seeking clarification of what you mean here. the clients will need the public key of your server or they wont be able to validate your server when they authenticate against it - you know, the very important bit in the client config where you verify the server, its CA and its name (CN from cert) alan
participants (3)
-
Alan Buxey -
John Dennis -
Julian Labus