EAP-TLS with TLS 1.3

Adam Bishop Adam.Bishop at jisc.ac.uk
Tue Mar 13 01:18:16 CET 2018

On 12 Mar 2018, at 16:41, Adam Bishop <Adam.Bishop at jisc.ac.uk> wrote:
> On 12 Mar 2018, at 12:01, Alan DeKok <aland at deployingradius.com> wrote:
>> If anyone can take a look at how Apache does it, that would help.  Simply knowing which OpenSSL calls to do, and in what order, will solve 99% of the problem.
> I looked at the changes from NGINX - they wrap all of openssl's method calls, but it looks like you "just" call the OpenSSL api call that adds a key pair multiple times.

mod_ssl is 100x less concise than NGINX, but the same seems to happen. Unfortunately they don't have a single change when support was added - key agility support magically appears in this refactor:

Same rough process, except much more verbose and then followed by a ton of alternative key loading mechanisms. I can't find any evidence that the ctx is initialised - the only requirement seems to be openssl 1.0.2+.

Loop over the configuration array:

Call load cert:

Call load key:

Rinse, repeat.

Adam Bishop

  gpg: E75B 1F92 6407 DFDF 9F1C  BF10 C993 2504 6609 D460
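
The loop described above ("load cert, load key, rinse, repeat"), as an added example that is not code from this message, NGINX or mod_ssl. Python's `ssl.SSLContext.load_cert_chain()`, which wraps OpenSSL's `SSL_CTX_use_certificate_chain_file` and `SSL_CTX_use_PrivateKey_file`, stands in for the C calls, and the handshakes are pinned to TLS 1.2 so the client's cipher list can select the key type. It assumes the `openssl` CLI is installed; the helper names, file names and the `radius.example.test` subject are constructed for illustration.

```python
import os, ssl, subprocess, tempfile

RSA_ONLY = "ECDHE-RSA-AES128-GCM-SHA256"      # client accepts only an RSA-authenticated server
ECDSA_ONLY = "ECDHE-ECDSA-AES128-GCM-SHA256"  # client accepts only an ECDSA-authenticated server

def make_pair(d, name, keyopts):
    """Constructed sample input: throwaway self-signed cert + key from the openssl CLI."""
    cert, key = os.path.join(d, name + ".crt"), os.path.join(d, name + ".key")
    subprocess.run(["openssl", "req", "-x509", "-nodes", "-days", "1",
                    "-subj", "/CN=radius.example.test", "-newkey", *keyopts,
                    "-keyout", key, "-out", cert], check=True, capture_output=True)
    return cert, key

def server_ctx(pairs):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    for cert, key in pairs:             # loop over the configuration array
        ctx.load_cert_chain(cert, key)  # load cert, load key; one slot per key type is kept
    return ctx

def handshake(srv_ctx, ciphers):
    """In-memory handshake; returns the negotiated suite, or None if no loaded key fits."""
    cli = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    cli.check_hostname, cli.verify_mode = False, ssl.CERT_NONE  # self-signed test certs only
    cli.maximum_version = ssl.TLSVersion.TLSv1_2  # set_ciphers() only steers TLS <= 1.2 suites
    cli.set_ciphers(ciphers)
    c_in, c_out, s_in, s_out = (ssl.MemoryBIO() for _ in range(4))
    c = cli.wrap_bio(c_in, c_out)
    s = srv_ctx.wrap_bio(s_in, s_out, server_side=True)
    try:
        for _ in range(5):              # a TLS 1.2 handshake completes within three rounds
            for side, out, peer_in in ((c, c_out, s_in), (s, s_out, c_in)):
                try:
                    side.do_handshake()
                except ssl.SSLWantReadError:
                    pass                # waiting for the peer's next flight
                if out.pending:
                    peer_in.write(out.read())
    except ssl.SSLError:                # e.g. no shared cipher: server lacks that key type
        return None
    return c.cipher()[0]

def demo():
    with tempfile.TemporaryDirectory() as d:
        rsa = make_pair(d, "rsa", ["rsa:2048"])
        ec = make_pair(d, "ec", ["ec", "-pkeyopt", "ec_paramgen_curve:prime256v1"])
        both, rsa_only = server_ctx([rsa, ec]), server_ctx([rsa])
        return (handshake(both, RSA_ONLY), handshake(both, ECDSA_ONLY),
                handshake(rsa_only, ECDSA_ONLY))
```

`demo()` returns the suite negotiated by each client against the two-key context, followed by `None` for the ECDSA-only client against a context that was given only the RSA pair.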

