EAP-TLS with TLS 1.3

Stefan Winter stefan.winter at restena.lu
Wed Mar 14 08:23:08 CET 2018


Hi,

> One thing that I’m slightly unsure of is whether we should allow multiple key pairs on the client side too (I did for completeness), presumably crypto agility can be utilised by both TLS peers?

I don't think that's necessary: for client cert validation, you don't
need private keys and can already use the _dir option if you have more
than one CA.

So you just put roots of all variety into one directory, and tell FR to
validate incoming certs from that directory. So long as the matching
root (and intermediates maybe) is in there at all, a chain leading to it
can be found.

It's the standard way of handling multiple roots, and it has been working
for a decade. So I'd rather not have new code if there's a way without.

Stefan

-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
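Added example, not from this thread and not FreeRADIUS's own code: a throwaway PKI built with openssl(1) that shows the "one directory of roots" validation described above. The validating side holds only public CA certificates (no private keys), and a directory laid out as `<subject-hash>.N` files is what OpenSSL's by_dir lookup (the thing a `*_dir` / `ca_path` setting points at) consumes. It goes slightly beyond the message by also placing an intermediate CA in the directory and by including a certificate from a root that is deliberately left out. All names, keys and certificates are constructed in a temporary directory.

```shell
# issue DIR NAME ISSUER EXTFILE: fresh key + CSR for NAME, signed by ISSUER.
issue() {
  d="$1"; name="$2"; issuer="$3"; ext="$4"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$name" \
    -keyout "$d/$name.key" -out "$d/$name.csr" >/dev/null 2>&1
  openssl x509 -req -in "$d/$name.csr" -CA "$d/$issuer.crt" -CAkey "$d/$issuer.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$ext" -out "$d/$name.crt" >/dev/null 2>&1
}

# build_pki DIR: two trusted roots (A, B), an intermediate under B, leaf
# certs under A and under the intermediate, plus a "stranger" leaf under a
# third root that is never placed in the trust directory. All constructed.
build_pki() {
  d="$1"
  mkdir -p "$d/roots"
  for ca in rootA rootB rootStranger; do
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj "/CN=$ca" \
      -keyout "$d/$ca.key" -out "$d/$ca.crt" >/dev/null 2>&1
  done
  # Only A and B go into the directory; the stranger root stays out.
  cp "$d/rootA.crt" "$d/rootB.crt" "$d/roots/"

  # Intermediate CA under rootB (needs CA:TRUE to sign leaf certs).
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca_ext.cnf"
  issue "$d" interB rootB "$d/ca_ext.cnf"
  cp "$d/interB.crt" "$d/roots/"   # intermediates may live in the same directory

  # Leaf certificates (explicitly not CAs).
  printf 'basicConstraints=CA:FALSE\n' > "$d/leaf_ext.cnf"
  issue "$d" clientA  rootA        "$d/leaf_ext.cnf"
  issue "$d" clientB  interB       "$d/leaf_ext.cnf"
  issue "$d" stranger rootStranger "$d/leaf_ext.cnf"

  # Hash the directory: by_dir lookup opens <hash>.0, <hash>.1, ... where
  # hash is the subject-name hash of a CA certificate (what c_rehash does).
  for f in "$d"/roots/*.crt; do
    h=$(openssl x509 -noout -subject_hash -in "$f")
    n=0
    while [ -e "$d/roots/$h.$n" ]; do n=$((n + 1)); done
    ln -s "$(basename "$f")" "$d/roots/$h.$n"
  done
}

# verify_with_dir ROOTS CERT: exit 0 iff CERT chains to a root in ROOTS.
# Only public certificates are read from ROOTS; no private key is needed.
verify_with_dir() {
  openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# Stand-alone demonstration: sh this_file.sh demo
if [ "${1:-}" = "demo" ]; then
  w=$(mktemp -d)
  build_pki "$w"
  for c in clientA clientB stranger; do
    if verify_with_dir "$w/roots" "$w/$c.crt"; then echo "$c: OK"; else echo "$c: rejected"; fi
  done
  rm -rf "$w"
fi
```

Run with `sh this_file.sh demo`: clientA (direct child of rootA) and clientB (via the intermediate under rootB) verify, while the stranger certificate is rejected because its root is absent from the directory. Each validated chain is found by subject-hash lookup alone, which is the behaviour the `_dir` option relies on.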