Support for SSL_MODE_NO_AUTO_CHAIN

Chenggang Tang (chentang) chentang at cisco.com
Tue Oct 20 08:53:28 CEST 2015


Hi all,

Currently FreeRADIUS does not seem to support SSL_MODE_NO_AUTO_CHAIN.
However, in some situations that is needed.

Following is the patch we used to enable that support in our work.

Please consider adding this to the code repository.

Thanks a lot!


--------------------------------------------------------------------------------
diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
index 10026ec..5c3d0bf 100644
--- a/raddb/mods-available/eap
+++ b/raddb/mods-available/eap
@@ -264,6 +264,8 @@ eap {
 		#
 	#	include_length = yes
 
+	#	enable_auto_chain = yes
+
 		#  Check the Certificate Revocation List
 		#
 		#  1) Copy CA certificates and CRLs to same directory.
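Review bot: The new `enable_auto_chain` entry is added to the sample configuration without the explanatory comment the neighbouring options carry, so an administrator reading this file cannot tell what switching it to `no` changes. A short comment block above it would close that gap, along the lines of `#  Let OpenSSL complete the server certificate chain from the CA store.` followed by `#  Set to "no" to send only the certificates configured explicitly (SSL_MODE_NO_AUTO_CHAIN).` It would also help to state that the default is `yes`, matching the previous behaviour. The enclosing `eap {` block starts and ends outside the hunk.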
diff --git a/src/include/tls-h b/src/include/tls-h
index a41c6f5..f4345fd 100644
--- a/src/include/tls-h
+++ b/src/include/tls-h
@@ -338,6 +338,7 @@ struct fr_tls_server_conf_t {
 	uint32_t	verify_depth;
 	bool		file_type;
 	bool		include_length;
+	bool		enable_auto_chain;
 	bool		disable_tlsv1;
 	bool		disable_tlsv1_1;
 	bool		disable_tlsv1_2;
diff --git a/src/main/tls.c b/src/main/tls.c
index 9df48b4..caa8713 100644
--- a/src/main/tls.c
+++ b/src/main/tls.c
@@ -998,6 +998,7 @@ static CONF_PARSER tls_server_config[] = {
 	{ "random_file", FR_CONF_OFFSET(PW_TYPE_STRING, fr_tls_server_conf_t, random_file), NULL },
 	{ "fragment_size", FR_CONF_OFFSET(PW_TYPE_INTEGER, fr_tls_server_conf_t, fragment_size), "1024" },
 	{ "include_length", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, include_length), "yes" },
+	{ "enable_auto_chain", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, enable_auto_chain), "yes" },
 	{ "check_crl", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, check_crl), "no" },
 #ifdef X509_V_FLAG_CRL_CHECK_ALL
 	{ "check_all_crl", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, check_all_crl), "no" },
@@ -2565,6 +2566,10 @@ post_ca:
 #endif
 #endif
 
+	if (!conf->enable_auto_chain) {
+		SSL_CTX_set_mode(ctx, SSL_MODE_NO_AUTO_CHAIN);
+	}
+
 	/* Set Info callback */
 	SSL_CTX_set_info_callback(ctx, cbtls_info);
 
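Review bot: The new branch at the `if (!conf->enable_auto_chain)` line changes which certificates the server presents, but carries no comment and emits no log, so an operator who sets the option to `no` while `certificate_file` holds only the leaf would likely see peers fail chain validation with nothing in the debug output pointing at this setting. A one-line comment above the call would document the intent: `/* Send only the explicitly configured certificates; do not let OpenSSL complete the chain from the CA store. */`. Logging inside the branch when the mode is set would make the behaviour visible during troubleshooting. The enclosing function starts and ends outside the hunk.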

--------------------------------------------------------------------------------

-- 
Best Regards,
Chenggang Tang | 汤承刚


