Not sending all trusted CA Certificates in EAP-TLS Server Hello
Hi! We are using 802.1X EAP TTLS to Authenticate Phones in our network. It is working, but after seeing a tcpdump, the Radius Server is sending all known CA Certificates to the Client during EAP TLS Negotiation. Our Config looks like this: private_key_file = ${certdir}/radius_server.key Containing the private Key of the Radius Server certificate_file = ${certdir}/radius_server.crt This contains the radius certificate and the corresponding self-signed CA certificate. CA_file = ${cadir}/trusted_ca.pem Contains different sub-CA certifikates and the self-signed root certificate of the sub-CA used to issue client certs (!= server cert) During EAP-TLS negotiation the Radius Server sends all known certificates (the ones in the certificate_file and the one in the CA_file) to the client. Is it possible to change the behaviour that only the certs in the certificate_file are used? This should be enough for the clients to verify the server certificate. -- Regards Daniel Finger
Daniel Finger wrote:
We are using 802.1X EAP TTLS to Authenticate Phones in our network. It is working, but after seeing a tcpdump, the Radius Server is sending all known CA Certificates to the Client during EAP TLS Negotiation.
That's largely how EAP-TLS works.
CA_file = ${cadir}/trusted_ca.pem Contains different sub-CA certifikates and the self-signed root certificate of the sub-CA used to issue client certs (!= server cert)
During EAP-TLS negotiation the Radius Server sends all known certificates (the ones in the certificate_file and the one in the CA_file) to the client.
Is it possible to change the behaviour that only the certs in the certificate_file are used?
Use CA_path instead of CA_file. That might help. Alan DeKok.
Hi! As far as I can see the Server does not send the full certificates, but only announces the certificates the server knows. I did not read the RFC yet, but I assume that this only informs the client which certificates can be requested to verify the server certificate chain. Am 04.01.2012 15:09, schrieb Alan DeKok:
Is it possible to change the behaviour that only the certs in the certificate_file are used?
Use CA_path instead of CA_file. That might help.
It does indeed help. Thanks! -- Regards Daniel Finger
participants (2)
-
Alan DeKok -
Daniel Finger