Support for SSL_MODE_NO_AUTO_CHAIN

Jorge Pereira jpereiran at gmail.com
Tue Oct 20 15:00:42 CEST 2015


Hi Chenggang,

I believe it would be better to send your request through GitHub:
https://github.com/FreeRADIUS/freeradius-server/pulls

--
Jorge Pereira

On Tue, Oct 20, 2015 at 4:53 AM, Chenggang Tang (chentang) <
chentang at cisco.com> wrote:

> Hi all,
>
> Currently FreeRADIUS does not seem to support SSL_MODE_NO_AUTO_CHAIN.
> However, in some situations, that is needed.
>
> The following is the patch we used to enable that support in our work.
>
> Please consider adding this to the code repository.
>
> Thanks a lot!
>
>
>
> --------------------------------------------------------------------------------
> diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
> index 10026ec..5c3d0bf 100644
> --- a/raddb/mods-available/eap
> +++ b/raddb/mods-available/eap
> @@ -264,6 +264,8 @@ eap {
>                 #
>         #       include_length = yes
>
> +       #       enable_auto_chain = yes
> +
>                 #  Check the Certificate Revocation List
>                 #
>                 #  1) Copy CA certificates and CRLs to same directory.
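Review bot: the new `enable_auto_chain` line in the sample `eap` configuration is added with no comment describing it, unlike the `check_crl` entry that follows it ("Check the Certificate Revocation List"). Add a short description stating that `no` sets OpenSSL's SSL_MODE_NO_AUTO_CHAIN, so the server sends only the chain certificates that were explicitly configured instead of letting OpenSSL build the chain from its trusted store, and that the default is `yes`.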
> diff --git a/src/include/tls-h b/src/include/tls-h
> index a41c6f5..f4345fd 100644
> --- a/src/include/tls-h
> +++ b/src/include/tls-h
> @@ -338,6 +338,7 @@ struct fr_tls_server_conf_t {
>         uint32_t        verify_depth;
>         bool            file_type;
>         bool            include_length;
> +       bool            enable_auto_chain;
>         bool            disable_tlsv1;
>         bool            disable_tlsv1_1;
>         bool            disable_tlsv1_2;
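Review bot: `enable_auto_chain` is the only positively named toggle in this run of `fr_tls_server_conf_t` fields (`disable_tlsv1`, `disable_tlsv1_1` and `disable_tlsv1_2` follow it), and the patch later tests it negated to set a "NO_" mode flag. A one-line comment on the field saying that false maps to SSL_MODE_NO_AUTO_CHAIN would save readers from untangling the double negative.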
> diff --git a/src/main/tls.c b/src/main/tls.c
> index 9df48b4..caa8713 100644
> --- a/src/main/tls.c
> +++ b/src/main/tls.c
> @@ -998,6 +998,7 @@ static CONF_PARSER tls_server_config[] = {
>         { "random_file", FR_CONF_OFFSET(PW_TYPE_STRING,
> fr_tls_server_conf_t, random_file), NULL },
>         { "fragment_size", FR_CONF_OFFSET(PW_TYPE_INTEGER,
> fr_tls_server_conf_t, fragment_size), "1024" },
>         { "include_length", FR_CONF_OFFSET(PW_TYPE_BOOLEAN,
> fr_tls_server_conf_t, include_length), "yes" },
> +       { "enable_auto_chain", FR_CONF_OFFSET(PW_TYPE_BOOLEAN,
> fr_tls_server_conf_t, enable_auto_chain), "yes" },
>         { "check_crl", FR_CONF_OFFSET(PW_TYPE_BOOLEAN,
> fr_tls_server_conf_t, check_crl), "no" },
>  #ifdef X509_V_FLAG_CRL_CHECK_ALL
>         { "check_all_crl", FR_CONF_OFFSET(PW_TYPE_BOOLEAN,
> fr_tls_server_conf_t, check_all_crl), "no" },
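Review bot: the `tls_server_config[]` entries in this hunk have been wrapped onto two lines by the mail client (for example `{ "enable_auto_chain", FR_CONF_OFFSET(PW_TYPE_BOOLEAN,` continues on the next line), so the patch will not apply as posted. Resend it as an attachment or as a pull request. The default of "yes" keeps the current behaviour for existing configurations, which is the right choice.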
> @@ -2565,6 +2566,10 @@ post_ca:
>  #endif
>  #endif
>
> +       if (!conf->enable_auto_chain) {
> +               SSL_CTX_set_mode(ctx, SSL_MODE_NO_AUTO_CHAIN);
> +       }
> +
>         /* Set Info callback */
>         SSL_CTX_set_info_callback(ctx, cbtls_info);
>
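Review bot: the added `SSL_CTX_set_mode(ctx, SSL_MODE_NO_AUTO_CHAIN);` call after `post_ca:` is not wrapped in `#ifdef SSL_MODE_NO_AUTO_CHAIN`, although the same file already guards optional OpenSSL features that way (`#ifdef X509_V_FLAG_CRL_CHECK_ALL` in the parser table). Add the guard if builds against OpenSSL versions without the macro are expected. With `enable_auto_chain = no`, a certificate file that lacks the intermediates leaves the server presenting only its leaf certificate, so a debug or warning message when the mode is set would help operators diagnose chain validation failures on the client side.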
>
>
> --------------------------------------------------------------------------------
>
> --
> Best Regards,
> Chenggang Tang | 汤承刚
>


More information about the Freeradius-Devel mailing list