EAP TLS against multiple certificates?
Hi, Is it possible to check EAP-TLS against multiple certificate chains, or bundle two chains together into the same pem file? We have a potential problem where all our certificate auth laptops have been using SHA1 for quite some time. Recently we upgraded our certificate authority to SHA256, so any laptops that request a new cert will get a SHA256. If I put a SHA256 root chain certificate in the EAP-TLS config then a SHA256 client can authenticate, but naturally SHA1 can not. If I leave the SHA1 root chain on the server, then the newer SHA256 clients can not authenticate. I am worried that one day I will come in to find half the clients have renewed to a SHA256 and can no longer auth. Is there anything I can do to allow both certificate types to authenticate during this transition period? In terms of config, in mods-enabled/eap, I have tls-config loanlaptops { private_key_file = ${confdir}/certs/loan_laptop_server.pem certificate_file = ${confdir}/certs/loan_laptop_server.pem ca_file = ${confdir}/certs/unikentrootCAchain.pem ...... } tls { # Point to the Loan Laptops TLS configuration tls = loanlaptops virtual_server = check-eap-tls } Yours Dave Hartburn
On Mar 31, 2017, at 7:02 AM, David Hartburn <D.J.Hartburn@kent.ac.uk> wrote:
Is it possible to check EAP-TLS against multiple certificate chains, or bundle two chains together into the same pem file?
See the comments for "ca_file" in the default build. The question is answered there.
In terms of config, in mods-enabled/eap, I have tls-config loanlaptops { private_key_file = ${confdir}/certs/loan_laptop_server.pem certificate_file = ${confdir}/certs/loan_laptop_server.pem ca_file = ${confdir}/certs/unikentrootCAchain.pem
Removing all of the comments makes the configuration smaller, it can also make it harder to understand. Alan DeKok.
Hi, I failed to get anywhere with this problem and it looks like a lot of our laptops are broken as we are running a mix of SHA1 and SHA256 client certificates all of a sudden. I remove the comments from the config snipped I posted to make it more readable for the list, but they do exist in my original configuration. # In general, you should use self-signed # certificates for 802.1x (EAP) authentication. # In that case, this CA file should contain # *one* CA certificate. To me this suggests it is not possible to have more than one certificate. Is this correct? If so, any suggestions on how we can solve this issue or is it a case of finding every SHA1 client and forcing them to update their cert? The ideal solution would be to be able to support a SHA1 chain and a SHA256 chain as a migratory step, dropping the SHA1 in the near future. The only other option was to have a 'change day' when both the servers and clients all changed. It looks like that change day may have unexpectedly become today! David On 31/03/17 12:49, Alan DeKok wrote:
On Mar 31, 2017, at 7:02 AM, David Hartburn <D.J.Hartburn@kent.ac.uk> wrote:
Is it possible to check EAP-TLS against multiple certificate chains, or bundle two chains together into the same pem file?
See the comments for "ca_file" in the default build. The question is answered there.
In terms of config, in mods-enabled/eap, I have tls-config loanlaptops { private_key_file = ${confdir}/certs/loan_laptop_server.pem certificate_file = ${confdir}/certs/loan_laptop_server.pem ca_file = ${confdir}/certs/unikentrootCAchain.pem
Removing all of the comments makes the configuration smaller, it can also make it harder to understand.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On May 3, 2017, at 9:36 AM, David Hartburn <D.J.Hartburn@kent.ac.uk> wrote:
I remove the comments from the config snipped I posted to make it more readable for the list, but they do exist in my original configuration.
# In general, you should use self-signed # certificates for 802.1x (EAP) authentication. # In that case, this CA file should contain # *one* CA certificate.
To me this suggests it is not possible to have more than one certificate. Is this correct?
No. It suggests that in some cases you want to use one CA cert. In other cases, you can use multiple CA certs.
If so, any suggestions on how we can solve this issue or is it a case of finding every SHA1 client and forcing them to update their cert?
What cert is where? Do you mean the clients are using certs with SHA1? Or the CA cert? Please be specific. And either way, the only way to upgrade the client (client cert or CA cert) is to put the new certs onto the client.
The ideal solution would be to be able to support a SHA1 chain and a SHA256 chain as a migratory step, dropping the SHA1 in the near future. The only other option was to have a 'change day' when both the servers and clients all changed. It looks like that change day may have unexpectedly become today!
You can use multiple CA certs. Alan DeKok.
Hi, The clients had SHA1 certs and the FreeRADIUS server has a SHA1 chain. Clients have just started to upgrade to SHA256 certificates which fail when authing against the SHA1 chain on the server. I have generated on our dev server a SHA256 chain, which will allow those clients which have updated to authenticate, but it will lock out those which still have SHA1. If it is possible to use both types of chain, how do I go about that? It does not look like you can have two ca_file entries in the eap tls-config section. Is it possible to cat the two server files into a single file pointed to by ca_file and have it work that way? David On 03/05/17 15:14, Alan DeKok wrote:
On May 3, 2017, at 9:36 AM, David Hartburn <D.J.Hartburn@kent.ac.uk> wrote:
I remove the comments from the config snipped I posted to make it more readable for the list, but they do exist in my original configuration.
# In general, you should use self-signed # certificates for 802.1x (EAP) authentication. # In that case, this CA file should contain # *one* CA certificate.
To me this suggests it is not possible to have more than one certificate. Is this correct?
No. It suggests that in some cases you want to use one CA cert. In other cases, you can use multiple CA certs.
If so, any suggestions on how we can solve this issue or is it a case of finding every SHA1 client and forcing them to update their cert?
What cert is where? Do you mean the clients are using certs with SHA1? Or the CA cert? Please be specific.
And either way, the only way to upgrade the client (client cert or CA cert) is to put the new certs onto the client.
The ideal solution would be to be able to support a SHA1 chain and a SHA256 chain as a migratory step, dropping the SHA1 in the near future. The only other option was to have a 'change day' when both the servers and clients all changed. It looks like that change day may have unexpectedly become today!
You can use multiple CA certs.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On May 3, 2017, at 10:34 AM, David Hartburn <D.J.Hartburn@kent.ac.uk> wrote:
The clients had SHA1 certs and the FreeRADIUS server has a SHA1 chain.
Clients have just started to upgrade to SHA256 certificates which fail when authing against the SHA1 chain on the server.
Which makes sense. The clients need to be able to validate the CA and server certs.
I have generated on our dev server a SHA256 chain, which will allow those clients which have updated to authenticate, but it will lock out those which still have SHA1.
No, it won't.
If it is possible to use both types of chain, how do I go about that? It does not look like you can have two ca_file entries in the eap tls-config section. Is it possible to cat the two server files into a single file pointed to by ca_file and have it work that way?
You can just put all of the certificate chains into one file. Alan DeKok.
participants (2)
-
Alan DeKok -
David Hartburn