About the file pointed at by setting "certificate_file"
Hello, Currently, I have in raddb/mods-available/eap the equivalent of: tls-config tls-common { private_key_password = whatever private_key_file = /path/to/my_server_key.pem # If Private key & Certificate are located in # the same file, then private_key_file & # certificate_file must contain the same file # name. # # If ca_file (below) is not used, then the # certificate_file below MUST include not # only the server certificate, but ALSO all # of the CA certificates used to sign the # server certificate. certificate_file = /path/to/my_server_cert.pem # Trusted Root CA list # # ALL of the CA's in this list will be trusted # to issue client certificates for authentication. # # In general, you should use self-signed # certificates for 802.1x (EAP) authentication. # In that case, this CA file should contain # *one* CA certificate. # # This parameter is used only for EAP-TLS, # when you issue client certificates. If you do # not use client certificates, and you do not want # to permit EAP-TLS authentication, then delete # this configuration item. ca_file = /path/to/my_root_ca_cert.pem where the server's certificate (my_server_cert.pem) has been signed with the help of an ad hoc root CA (whose certificate is my_root_ca_cert.pem). It "works", in the sense that a client connecting thru TTLS receives both certificates, which is exactly what I want. :-) Now, it is true that I currently don't implement TLS. Putting above comments together, it seems that I could thus comment out the "ca_file = ..." line, and merge both certificates, my_server_cert.pem and my_root_ca_cert.pem, into a single file, say "my_combined_certs". And then define: certificate_file = /path/to/my_combined_certs What format(s) is (are) allowed by FR for that file "my_combined_certs"? Would a simple cat of the two certificates (currently in PEM format) be sufficient? TIA, Axel
Axel Luttgens wrote:
It "works", in the sense that a client connecting thru TTLS receives both certificates, which is exactly what I want. :-)
OK.
Now, it is true that I currently don't implement TLS.
What does that mean? EAP-TLS is enabled in v3 by adding a "tls {...}" block to mods-available/eap. Then, creating client certificates and adding them to the clients.
Putting above comments together, it seems that I could thus comment out the "ca_file = ..." line, and merge both certificates, my_server_cert.pem and my_root_ca_cert.pem, into a single file, say "my_combined_certs". And then define: certificate_file = /path/to/my_combined_certs
To do what?
What format(s) is (are) allowed by FR for that file "my_combined_certs"?
Whatever formats are allowed by OpenSSL. FreeRADIUS doesn't implement SSL itself.
Would a simple cat of the two certificates (currently in PEM format) be sufficient?
How about trying it? Alan DeKok.
Le 8 sept. 2014 à 14:31, Alan DeKok a écrit :
Axel Luttgens wrote:
It "works", in the sense that a client connecting thru TTLS receives both certificates, which is exactly what I want. :-)
OK.
Now, it is true that I currently don't implement TLS.
What does that mean? EAP-TLS is enabled in v3 by adding a "tls {...}" block to mods-available/eap. Then, creating client certificates and adding them to the clients.
Hello Alan, Reading that part of the comments: # This parameter is used only for EAP-TLS, # when you issue client certificates. If you do # not use client certificates, and you do not want # to permit EAP-TLS authentication, then delete # this configuration item. ca_file = /path/to/my_root_ca_cert.pem I was under the impression that EAP-TLS authentication attempts wouldn't be allowed by FR when commenting out the "ca_file = ..." line. Since I currently haven't made any provision for EAP-TLS (handling of client certificates and so on), this could perhaps be a good thing.
Putting above comments together, it seems that I could thus comment out the "ca_file = ..." line, and merge both certificates, my_server_cert.pem and my_root_ca_cert.pem, into a single file, say "my_combined_certs". And then define: certificate_file = /path/to/my_combined_certs
To do what?
Currently, to disallow EAP-TLS auths. Moreover, should I later decide to implement certificate-based authentications, this wouldn't happen thru certificates emitted by my ad hoc Root CA, but thru certificates emitted by an intermediary CA certified by my Root CA; my current "ca_file = ..." setting would thus be wrong anyway. Therfore, that comment: # If ca_file (below) is not used, then the # certificate_file below MUST include not # only the server certificate, but ALSO all # of the CA certificates used to sign the # server certificate. certificate_file = /path/to/my_server_cert.pem seemed to support both the ideas of not having to worry now about EAP-TLS auth attempts and of having a config consistent with what might happen here in the future. Of course, my understanding of those comments may be completely wrong, and I thus wanted to get some feedback before erring in the dark...
[...]
Would a simple cat of the two certificates (currently in PEM format) be sufficient?
How about trying it?
Yes, of course. ;-) Axel
Axel Luttgens wrote:
Reading that part of the comments:
Those comments are old, and don't apply to v3. I've removed them.
I was under the impression that EAP-TLS authentication attempts wouldn't be allowed by FR when commenting out the "ca_file = ..." line.
I was under the impression that I already described how EAP-TLS works in v3.
Since I currently haven't made any provision for EAP-TLS (handling of client certificates and so on), this could perhaps be a good thing.
I already said EAP-TLS works by creating client certs. If you're not creating client certs, then EAP-TLS won't work. Please READ my messages. Alan DeKok.
Le 8 sept. 2014 à 15:33, Alan DeKok a écrit :
[...] Please READ my messages.
But... I read them. :-) And that's why I tried to carefully explain my reasonings having lead to my (now known to be wrong) conclusions, as well as to answer your question. Thanks for having removed the obsolete comments. Axel
Axel Luttgens wrote:
But... I read them. :-)
That wasn't clear.
And that's why I tried to carefully explain my reasonings having lead to my (now known to be wrong) conclusions,
Which is not helpful. You say : I think it's X I say : No, it's really Y You say : But I really think it's X! At best, such comments are redundant. I ALREADY KNOW what you think. I read your messages. If you repeat yourself, it comes across as if you're arguing with me, OR that you think I didn't read your message, so you need to repeat yourself. It's annoying, and wastes everyone's time. A better response would be "OK, I understand". Alan DeKok.
Le 8 sept. 2014 à 14:52, A.L.M.Buxey@lboro.ac.uk a écrit :
Hi,
Putting above comments together, it seems that I could thus comment out the "ca_file = ..." line,
correct
Hello Alan, Thanks for confirming that point.
Would a simple cat of the two certificates (currently in PEM format) be sufficient?
yes
Hmm, that would be nice. Any recommended ordering in the file (eg Root CA certificate first, then the server's one)? Axel
participants (3)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Axel Luttgens