EAP-TLS with TLS 1.3

Adam Bishop Adam.Bishop at jisc.ac.uk
Tue Mar 13 01:18:16 CET 2018


On 12 Mar 2018, at 16:41, Adam Bishop <Adam.Bishop at jisc.ac.uk> wrote:
> On 12 Mar 2018, at 12:01, Alan DeKok <aland at deployingradius.com> wrote:
>> If anyone can take a look at how Apache does it, that would help.  Simply knowing which OpenSSL calls to do, and in what order, will solve 99% of the problem.
> 
> I looked at the changes from NGINX - they wrap all of OpenSSL's method calls, but it looks like you "just" call the OpenSSL API call that adds a key pair multiple times.

mod_ssl is 100x less concise than NGINX, but the same seems to happen. Unfortunately they don't have a single change where support was added - key agility support magically appears in this refactor:
  https://github.com/apache/httpd/commit/d2344cb7ea7585f4c413045f2b1189802d8de28e

Same rough process, except much more verbose and then followed by a ton of alternative key loading mechanisms. I can't find any evidence that the ctx is initialised - the only requirement seems to be OpenSSL 1.0.2+.

Loop over the configuration array:
  https://github.com/apache/httpd/blob/2b9e9b4c4226c22d9f5c489661507e7547de051c/modules/ssl/ssl_engine_init.c#L1223-L1226

Call load cert:
  https://github.com/apache/httpd/blob/2b9e9b4c4226c22d9f5c489661507e7547de051c/modules/ssl/ssl_engine_init.c#L1242-L1249

Call load key:
  https://github.com/apache/httpd/blob/2b9e9b4c4226c22d9f5c489661507e7547de051c/modules/ssl/ssl_engine_init.c#L1261-L1284

Rinse, repeat.

Adam Bishop

  gpg: E75B 1F92 6407 DFDF 9F1C  BF10 C993 2504 6609 D460

jisc.ac.uk





More information about the Freeradius-Devel mailing list