EAP-TLS with TLS 1.3

Adam Bishop Adam.Bishop at jisc.ac.uk
Mon Mar 12 17:41:41 CET 2018


On 12 Mar 2018, at 12:01, Alan DeKok <aland at deployingradius.com> wrote:
>  If anyone can take a look at how Apache does it, that would help.  Simply knowing which OpenSSL calls to do, and in what order, will solve 99% of the problem.

I looked at the changes from NGINX - they wrap all of OpenSSL's method calls, but it looks like you "just" call the OpenSSL API call that adds a key pair multiple times.

  https://trac.nginx.org/nginx/changeset/51e1f047d15d5602a8250dfe9192d0eae71e6fcc/nginx

The changes add a method that accepts an array of certs, which then iterates over the array calling the single certificate version each time.

The only sticking point looks to be how to handle the certificate chain - they have a comment about that:
  https://github.com/nginx/nginx/blob/ed0cc4d52308b75ab217724392994e6828af4fda/src/event/ngx_event_openssl.c#L474-L478

It looks deceptively simple, for OpenSSL.

Adam Bishop

  gpg: E75B 1F92 6407 DFDF 9F1C  BF10 C993 2504 6609 D460

jisc.ac.uk




