I now have 2.1.10 compiled and running. It seems to work fine. I did have to make one change to my configuration. I had been using CA_path to refer to the certificates which can authenticate clients for EAP-TLS authentication in 2.1.8. In 2.1.10, that doesn't seem to work. If I specify a single file via CA_file that works fine. I can manage either way I think since the file referenced in CA_file can contain multiple certificates. I did verify that I had run 'c_rehash' in my CA_path directory. I'm not sure why CA_path doesn't work since the OpenSSL docs indicate that they are largely interchangable. Is it an intentional change? I didn't see anything in the ChangeLog about it. -David -- ----------------------------------------------------------------- | David Mitchell (mitchell@ucar.edu) Network Engineer IV | | Tel: (303) 497-1845 National Center for | | FAX: (303) 497-1818 Atmospheric Research | -----------------------------------------------------------------
David Mitchell wrote:
I now have 2.1.10 compiled and running. It seems to work fine. I did have to make one change to my configuration. I had been using CA_path to refer to the certificates which can authenticate clients for EAP-TLS authentication in 2.1.8. In 2.1.10, that doesn't seem to work. If I specify a single file via CA_file that works fine. I can manage either way I think since the file referenced in CA_file can contain multiple certificates. I did verify that I had run 'c_rehash' in my CA_path directory. I'm not sure why CA_path doesn't work since the OpenSSL docs indicate that they are largely interchangable. Is it an intentional change?
Nope. It's not an intentional change. I don't know why it would be different. Alan DeKok.
Alan DeKok wrote:
David Mitchell wrote:
I now have 2.1.10 compiled and running. It seems to work fine. I did have to make one change to my configuration. I had been using CA_path to refer to the certificates which can authenticate clients for EAP-TLS authentication in 2.1.8. In 2.1.10, that doesn't seem to work. If I specify a single file via CA_file that works fine. I can manage either way I think since the file referenced in CA_file can contain multiple certificates. I did verify that I had run 'c_rehash' in my CA_path directory. I'm not sure why CA_path doesn't work since the OpenSSL docs indicate that they are largely interchangable. Is it an intentional change?
Nope. It's not an intentional change. I don't know why it would be different.
I did change OpenSSL versions as well so I can't say for sure that it has anything to do with FreeRadius. I'll try and poke around some and see if I can figure out what's going on. Thanks for confirming it wasn't meant to change. -David
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- ----------------------------------------------------------------- | David Mitchell (mitchell@ucar.edu) Network Engineer IV | | Tel: (303) 497-1845 National Center for | | FAX: (303) 497-1818 Atmospheric Research | -----------------------------------------------------------------
David Mitchell wrote:
Alan DeKok wrote:
David Mitchell wrote:
I now have 2.1.10 compiled and running. It seems to work fine. I did have to make one change to my configuration. I had been using CA_path to refer to the certificates which can authenticate clients for EAP-TLS authentication in 2.1.8. In 2.1.10, that doesn't seem to work. If I specify a single file via CA_file that works fine. I can manage either way I think since the file referenced in CA_file can contain multiple certificates. I did verify that I had run 'c_rehash' in my CA_path directory. I'm not sure why CA_path doesn't work since the OpenSSL docs indicate that they are largely interchangable. Is it an intentional change? Nope. It's not an intentional change. I don't know why it would be different.
I did change OpenSSL versions as well so I can't say for sure that it has anything to do with FreeRadius. I'll try and poke around some and see if I can figure out what's going on. Thanks for confirming it wasn't meant to change.
I've done some recompiling and I believe that the new behavior is due to the new version of OpenSSL. If I compile FreeRadius using the default Debian OpenSSL (0.9.8g) I can use CA_path as expected. Compiling FreeRadius and specifying the locally installed OpenSSL 1.0.0a results in CA_path not working. In both cases I was compiling FR 2.1.9. I have not dug into the OpenSSL code. I've looked in there before and it scares me ;-) -David
-David
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- ----------------------------------------------------------------- | David Mitchell (mitchell@ucar.edu) Network Engineer IV | | Tel: (303) 497-1845 National Center for | | FAX: (303) 497-1818 Atmospheric Research | -----------------------------------------------------------------
participants (2)
-
Alan DeKok -
David Mitchell