Re : Sending CA certificate during EAP-TLS
Well in my current configuration I have the RADIUS server certificate in certificate_file and CA certificate in CA_file. But with that configuration , the radius server is still sending the CA certificate. The CA_path folder is empty and the CA_file is commented out. This should work for you. tls { # # These is used to simplify later configurations. # certdir = ${raddbdir}/certs cadir = ${raddbdir}/certs/trustedCA private_key_password = whatever private_key_file = ${certdir}/server.pem certificate_file = ${certdir}/server.pem # Trusted Root CA list - CA_path folder is empty # CA_file = ${cadir}/ca.pem CA_path = ${raddbdir}/certs/trustedCA dh_file = ${certdir}/dh random_file = ${certdir}/random # fragment_size = 1024 # include_length = yes # check_crl = yes # check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd" # check_cert_cn = %{User-Name} # # Set this option to specify the allowed # TLS cipher suites. The format is listed # in "man 1 ciphers". cipher_list = "DEFAULT" #make_cert_command = "${certdir}/bootstrap" } ================================================== Benjamin K. Eshun ----- Message d'origine ---- De : Rafa Marín López <rafa.marinlopez@gmail.com> À : FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Cc : Rafa Marin Lopez <rafa@dif.um.es> Envoyé le : Mercredi, 20 Juin 2007, 18h10mn 12s Objet : Re: Sending CA certificate during EAP-TLS Reimer Karlsen-Masur, DFN-CERT escribió: Hi Karlsen, thanks for the answer, please see inline...
Argh, your misunderstanding is because of the inline documentation/default setup of the eap config file.
*Trusted* CAs for client auth are stored in
CA_file
or
CA_path
So there is no conflict here with certificate_file option.
And IMO usually CA_file and certificate_file should *not* contain the same CA certs
Well in my current configuration I have the RADIUS server certificate in certificate_file and CA certificate in CA_file. But with that configuration , the radius server is still sending the CA certificate. Having said that , your proposal was to not include the CA certificate in the RADIUS server certificate (in certificate_file variable) My RADIUS server certificate does not have the CA certificate included. Even so, the RADIUS server is including the CA certificate :(... any alternative solution?.
because I guess in the majority of cases the RADIUS server cert is issued by some (commercial) server CA where as the client certs are mostly issued by some home grown user CA.
Saying that there might be cases where the CA certificates from CA_file are indeed the CA chain certs of the RADIUS server certificate.....
------------------------------------------------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html _____________________________________________________________________________ Ne gardez plus qu'une seule adresse mail ! Copiez vos mails vers Yahoo! Mail
Hi. Eshun Benjamin wrote:
Well in my current configuration I have the RADIUS server certificate in certificate_file and CA certificate in CA_file.
But with that configuration , the radius server is still sending the CA certificate.
The CA_path folder is empty and the CA_file is commented out. This should work for you.
tls { # # These is used to simplify later configurations. # certdir = ${raddbdir}/certs cadir = ${raddbdir}/certs/trustedCA
private_key_password = whatever private_key_file = ${certdir}/server.pem certificate_file = ${certdir}/server.pem
# Trusted Root CA list - CA_path folder is empty # CA_file = ${cadir}/ca.pem CA_path = ${raddbdir}/certs/trustedCA
If the configuration is as minimal as suggested (no chain certificates in certificate_file) and FreeRadius is still sending the complete server CA chain build, this must be some FreeRadius magic.... How do you check if FreeRadius is actually sending the chain? -- Beste Gruesse / Kind Regards Reimer Karlsen-Masur DFN-PKI FAQ: https://www.pki.dfn.de/faqpki -- Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615 DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555 Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
participants (2)
-
Eshun Benjamin -
Reimer Karlsen-Masur, DFN-CERT