EAP-TLS with TLS 1.3
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Tue Mar 13 19:20:35 CET 2018
> On Mar 13, 2018, at 7:00 AM, Stefan Winter <stefan.winter at RESTENA.LU> wrote:
>
> Hi,
>
> so, with a bit of luck, this needs just a new config option in
> modules/eap to allow specifying more than one certificate; and a small
> amount of code to load both certs.
https://github.com/FreeRADIUS/freeradius-server/commit/e8df16d097c961ee80dd23f85965d74b27849126
Pretty much. Due to the way OpenSSL validates private/public key pairs (see SSL_CTX_check_private_key - https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_use_certificate.html) the certificate and private_key need to be loaded consecutively so it’s better to specify them together in a configuration stanza, then allow multiple instances of that stanza.
certificate {
pem_file_type = yes
certificate_file = “<path>”
private_key_password = “<password>"
private_key_file = “<path>"
}
Using multiple certificate stanzas also allows different passwords to be specified for different pairs, and a mixture of ASN1 and PEM certs.
One thing that i’m slightly unsure of is whether we should allow multiple key pairs on the client side too (I did for completeness), presumably crypto agility can be utilised by both TLS peers?
Not back porting this to v3. The config parser isn’t sophisticated enough to so the same dynamic structure allocation, and it’d be a breaking change.
-Arran
More information about the Freeradius-Devel
mailing list