EAP-TLS cert validation with intermediate cert
In /etc/raddb/mods-enabled/eap client = "/usr/bin/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}" Wpa_supplicant is sending a client certificate that is the client + intermediate certificate concatenated. However freeradius only gets the client certificate in TLS-Client-Cert-Filename and openssl fails validation. I checked this by changing the client = verify command to copy the certificate to /var/tmp so I could look at it. I can verify the cert using openssl verify -CAfile ca.pem -untrusted intermediate.pem client.pem but the intermediate is not available to the radius server, or from the received cert chain from the client. I think freeradius should be receiving client+intermediate certs from wpa_client, but it's not. Is there another Filename variable containing the intermediate? Why is freeradius truncating the cert to only the client and removing the intermediate? freeradius 3.0.13
On Sep 26, 2018, at 3:09 PM, Zetan Drableg <zetan.drableg@gmail.com> wrote:
In /etc/raddb/mods-enabled/eap client = "/usr/bin/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
Wpa_supplicant is sending a client certificate that is the client + intermediate certificate concatenated. However freeradius only gets the client certificate in TLS-Client-Cert-Filename and openssl fails validation. I checked this by changing the client = verify command to copy the certificate to /var/tmp so I could look at it.
Yes. Only the client certificate is written to that file.
I can verify the cert using openssl verify -CAfile ca.pem -untrusted intermediate.pem client.pem but the intermediate is not available to the radius server, or from the received cert chain from the client. I think freeradius should be receiving client+intermediate certs from wpa_client, but it's not.
It is receiving both certs, but it's only writing the client cert to the file.
Is there another Filename variable containing the intermediate?
No. If there was one, it would be documented.
Why is freeradius truncating the cert to only the client and removing the intermediate?
It's not truncating the cert. It's not removing the intermediate. It's writing (as per the documentation) the client cert to the file. It doesn't write the intermediate cert to the file. The short solution is to ensure that the intermediate certs are *already* available in the certificate store used by FreeRADIUS. Alan DeKok.
participants (2)
-
Alan DeKok -
Zetan Drableg