EAP-TLS with TLS 1.3

Arran Cudbard-Bell a.cudbardb at freeradius.org
Tue Mar 13 19:20:35 CET 2018

> On Mar 13, 2018, at 7:00 AM, Stefan Winter <stefan.winter at RESTENA.LU> wrote:
> Hi,
> so, with a bit of luck, this needs just a new config option in
> modules/eap to allow specifying more than one certificate; and a small
> amount of code to load both certs.


Pretty much.  Due to the way OpenSSL validates private/public key pairs (see SSL_CTX_check_private_key - https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_use_certificate.html) the certificate and private_key need to be loaded consecutively so it’s better to specify them together in a configuration stanza, then allow multiple instances of that stanza.

certificate {
	pem_file_type = yes
	certificate_file = "<path>"
	private_key_password = "<password>"
	private_key_file = "<path>"
}

Using multiple certificate stanzas also allows different passwords to be specified for different pairs, and a mixture of ASN1 and PEM certs.

One thing that I'm slightly unsure of is whether we should allow multiple key pairs on the client side too (I did for completeness), presumably crypto agility can be utilised by both TLS peers?

Not back porting this to v3.  The config parser isn't sophisticated enough to do the same dynamic structure allocation, and it'd be a breaking change.


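The following is an added example, not FreeRADIUS code and not part of the message above. It shows the two mechanics the post relies on: parsing several `certificate { ... }` stanzas of the proposed shape, then loading each certificate and its private key as one consecutive pair so that OpenSSL's key-pair check runs per stanza. Python's standard-library `ssl.SSLContext.load_cert_chain` does exactly that (certificate chain first, then private key, then the SSL_CTX_check_private_key equivalent), so no third-party library is needed. The config text, file paths and password are constructed placeholders; the function names are this example's own.

```python
import re
import ssl
from typing import Dict, List, Optional

# Constructed sample mirroring the stanza layout proposed in the post.
# Paths and the password are placeholders, not real files.
SAMPLE_CONFIG = """
certificate {
\tpem_file_type = yes
\tcertificate_file = "/etc/raddb/certs/rsa-server.pem"
\tprivate_key_password = "rsa-placeholder"
\tprivate_key_file = "/etc/raddb/certs/rsa-server.key"
}
certificate {
\tpem_file_type = yes
\tcertificate_file = "/etc/raddb/certs/ecdsa-server.pem"
\tprivate_key_file = "/etc/raddb/certs/ecdsa-server.key"
}
"""

# key = value, with or without double quotes around the value
_ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*"?([^"]*?)"?\s*$')


def parse_certificate_stanzas(text: str) -> List[Dict[str, str]]:
    """Return one dict of settings per `certificate { ... }` stanza, in file order."""
    stanzas: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if current is None:
            if line == "certificate {":
                current = {}
            continue  # anything outside a stanza is ignored here
        if line == "}":
            stanzas.append(current)
            current = None
            continue
        m = _ASSIGN.match(line)
        if not m:
            raise ValueError(f"cannot parse line inside certificate stanza: {raw!r}")
        current[m.group(1)] = m.group(2)
    if current is not None:
        raise ValueError("unterminated certificate stanza (missing '}')")
    return stanzas


def new_server_context() -> ssl.SSLContext:
    """Fresh server-side context; the TLS version floor is left at the library default."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)


def load_certificate_stanzas(ctx: ssl.SSLContext, stanzas: List[Dict[str, str]]) -> List[str]:
    """Load every stanza's certificate and key as one consecutive pair.

    load_cert_chain() feeds the certificate, then the key, then runs OpenSSL's
    private-key consistency check, so a mismatched pair is rejected for the
    stanza that introduced it rather than silently pairing with another one.
    Returns the certificate paths that were accepted.
    """
    loaded: List[str] = []
    for index, st in enumerate(stanzas):
        # The ssl module only reads PEM; a DER (pem_file_type = no) stanza would
        # need a different loader, so refuse it explicitly instead of misreading it.
        if st.get("pem_file_type", "yes").lower() != "yes":
            raise ValueError(f"stanza {index}: only PEM files are supported by this loader")
        cert = st["certificate_file"]
        key = st.get("private_key_file")          # None means the key sits in the cert file
        password = st.get("private_key_password")  # None means an unencrypted key
        try:
            ctx.load_cert_chain(certfile=cert, keyfile=key, password=password)
        except ssl.SSLError as exc:
            # Covers a wrong password and a certificate/key mismatch alike.
            raise ValueError(f"stanza {index}: OpenSSL rejected {cert} with key {key}: {exc}") from exc
        loaded.append(cert)
    return loaded


if __name__ == "__main__":
    for number, stanza in enumerate(parse_certificate_stanzas(SAMPLE_CONFIG)):
        print(number, stanza)
```

One caveat worth knowing when several stanzas are loaded into a single context: OpenSSL keeps one certificate per key algorithm (one RSA, one ECDSA, and so on), so a second RSA stanza replaces the first rather than adding to it, while an RSA stanza and an ECDSA stanza coexist and the server picks between them during the handshake.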
More information about the Freeradius-Devel mailing list