We use EAP-TLS method, but in the Server Hello message don't want to send the certificate. How can it be disabled
On 06/01/2011 08:28 PM, Lubenski, Zeev [GCS] wrote:
We use EAP-TLS method, but in the Server Hello message don’t want to send the certificate. How can it be disabled
It can't. EAP-TLS requires a server certificate and a client certificate. Neither are optional, and neither can be disabled.
Paul In the RFC 5216 I see: The EAP server will then respond with an EAP-Request packet with AP-Type=EAP-TLS. The data field of this packet will encapsulate one or more TLS records. These will contain a TLS server_hello handshake message, possibly followed by TLS certificate This leads to believe that certificate is not mandatory ? Regards Zeev -----Original Message----- From: freeradius-users-bounces+zlubensk=lgsinnovations.com@lists.freeradius.org [mailto:freeradius-users-bounces+zlubensk=lgsinnovations.com@lists.freeradius.org] On Behalf Of Phil Mayers Sent: Wednesday, June 01, 2011 2:58 PM To: freeradius-users@lists.freeradius.org Subject: Re: Server Sertificate On 06/01/2011 08:28 PM, Lubenski, Zeev [GCS] wrote:
We use EAP-TLS method, but in the Server Hello message don't want to send the certificate. How can it be disabled
It can't. EAP-TLS requires a server certificate and a client certificate. Neither are optional, and neither can be disabled. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 06/01/2011 09:07 PM, Lubenski, Zeev [GCS] wrote:
Paul
In the RFC 5216 I see: The EAP server will then respond with an EAP-Request packet with AP-Type=EAP-TLS. The data field of this packet will encapsulate one or more TLS records. These will contain a TLS server_hello handshake message, possibly followed by TLS certificate
This leads to believe that certificate is not mandatory ?
If you read just a few lines further on: """ If the EAP server is not resuming a previously established session, then it MUST include a TLS server_certificate handshake message, and a server_hello_done handshake message MUST be the last handshake message encapsulated in this EAP-Request packet. """ That is, a certificate is only "optional" if you're resuming an earlier session (which must itself have contained a certificate)
Paul Thanks a lot Regards Zeev -----Original Message----- From: freeradius-users-bounces+zlubensk=lgsinnovations.com@lists.freeradius.org [mailto:freeradius-users-bounces+zlubensk=lgsinnovations.com@lists.freeradius.org] On Behalf Of Phil Mayers Sent: Wednesday, June 01, 2011 3:15 PM To: freeradius-users@lists.freeradius.org Subject: Re: Server Sertificate On 06/01/2011 09:07 PM, Lubenski, Zeev [GCS] wrote:
Paul
In the RFC 5216 I see: The EAP server will then respond with an EAP-Request packet with AP-Type=EAP-TLS. The data field of this packet will encapsulate one or more TLS records. These will contain a TLS server_hello handshake message, possibly followed by TLS certificate
This leads to believe that certificate is not mandatory ?
If you read just a few lines further on: """ If the EAP server is not resuming a previously established session, then it MUST include a TLS server_certificate handshake message, and a server_hello_done handshake message MUST be the last handshake message encapsulated in this EAP-Request packet. """ That is, a certificate is only "optional" if you're resuming an earlier session (which must itself have contained a certificate) - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Lubenski, Zeev [GCS] <zlubensk@lgsinnovations.com> wrote:
This leads to believe that certificate is not mandatory ?
...which leads us to wonder why you want to use EAP-TLS? Probably best to answer: * what is it you are trying to do * how are you trying to accomplish it * what are you expecting to happen * what is actually happening Cheers -- Alexander Clouter .sigmonster says: You enjoy the company of other people.
Hi, Can you send me some sample Server.cnf and Client.cnf files. I am facing some problem with the certificates. Regards Senthil On Thu, Jun 2, 2011 at 1:51 AM, Alexander Clouter <alex@digriz.org.uk>wrote:
Lubenski, Zeev [GCS] <zlubensk@lgsinnovations.com> wrote:
This leads to believe that certificate is not mandatory ?
...which leads us to wonder why you want to use EAP-TLS?
Probably best to answer: * what is it you are trying to do * how are you trying to accomplish it * what are you expecting to happen * what is actually happening
Cheers
-- Alexander Clouter .sigmonster says: You enjoy the company of other people.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- "Adversity always presents opportunity for Introspection" Regards Senthil
participants (5)
-
Alan DeKok -
Alexander Clouter -
Lubenski, Zeev [GCS] -
Phil Mayers -
senthil kumar