Hi there, Recently I upgraded from freeradius 3.0.26 (with openssl 3.0.20) to 3.2.7/3.2.8, (with openssl 3.5.0), and I noticed that the server does not send the full certificate chain to the EAP client anymore. The server certificate has a chained structure like cert->intermediate CA2->intermediate CA1->root CA, and I am relying on the auto_chain and the ca_path to construct the chain on the freeradius side. Now it only sends the server_certificate + intermediate CA2, but previously it sent all *four* certificates. Is this a known issue? Regards, Dave
On Jun 29, 2026, at 7:56 PM, Dave Wang <dave.ftnt@gmail.com> wrote:
Recently I upgraded from freeradius 3.0.26 (with openssl 3.0.20) to 3.2.7/3.2.8,
Why not use 3.2.10?
(with openssl 3.5.0), and I noticed that the server does not send the full certificate chain to the EAP client anymore.
The server certificate has a chained structure like cert->intermediate CA2->intermediate CA1->root CA, and I am relying on the auto_chain and the ca_path to construct the chain on the freeradius side.
Now it only sends the server_certificate + intermediate CA2, but previously it sent all *four* certificates. Is this a known issue?
No, but it might be related to differing OpenSSL behavior. Disable auto_chain, and create the chains manually. As the comments for auto_chain say, sometimes OpenSSL gets it wrong. Alan DeKok.
participants (2)
-
Alan DeKok -
Dave Wang