Solving the SSL problem in CVS head

Alan DeKok aland at
Wed Apr 25 12:01:44 CEST 2007

  I had an idea on the way home last night.  It's now implemented, and
it's pretty cool.

  In eap.conf, the tls, ttls, and peap sections are now enabled in the
default install.

  The EAP module ignores them if OpenSSL wasn't found during the build.

  The tls module now has a configuration entry "make_cert_command".

  raddb/certs/bootstrap is a shell script that runs "make".

  On initial boot in debugging mode after "make install", the server
loads the tls module (if OpenSSL was found).  The TLS module sees that
there's a "make_cert_command", and it's in debugging mode, and no server
certificate exists.

  It then runs the "make_cert_command" to create the certificates, and
continues with its normal startup.

  This means that all of the annoying fighting with stupid certificates
to get EAP-TLS to work is *gone*.  Just install OpenSSL, install the
server, and start the server.  EAP-TLS, TTLS, and PEAP will Just Work.

  This makes me happy.  It should make the server MUCH easier to deploy.

  Alan DeKok.
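The first-start check this message describes, as an added shell example (not FreeRADIUS code and not part of the original post). The function name, its arguments and the status strings are hypothetical, and the restrictive umask is an assumption of this example rather than documented server behaviour.

```shell
#!/bin/sh
# Added illustration of the start-up gate; all names here are hypothetical.
#
# maybe_bootstrap_certs DEBUG_MODE SERVER_CERT MAKE_CERT_COMMAND
# Prints one of: skipped-no-command, skipped-not-debug, skipped-cert-exists,
# created, failed. Returns non-zero only for "failed".
maybe_bootstrap_certs() {
    debug_mode=$1
    server_cert=$2
    make_cert_command=$3   # taken from server configuration, never from the network

    # No command configured: nothing to do.
    if [ -z "$make_cert_command" ]; then
        echo skipped-no-command; return 0
    fi
    # Only act in debugging mode, never on a normal start.
    if [ "$debug_mode" != 1 ]; then
        echo skipped-not-debug; return 0
    fi
    # An existing server certificate is never overwritten.
    if [ -e "$server_cert" ]; then
        echo skipped-cert-exists; return 0
    fi
    # Assumption: run inside the certificate directory with umask 077 so that
    # any key files the command writes are not group- or world-readable.
    cert_dir=$(dirname "$server_cert")
    if ! ( cd "$cert_dir" && umask 077 && sh -c "$make_cert_command" ) >/dev/null 2>&1; then
        echo failed; return 1
    fi
    # A zero exit status is not enough: the certificate must now exist.
    if [ ! -s "$server_cert" ]; then
        echo failed; return 1
    fi
    echo created
}
```
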