EAP-TLS with TLS 1.3
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Thu Mar 15 20:55:34 CET 2018
> On Mar 15, 2018, at 7:22 PM, Alan Buxey <alan.buxey at gmail.com> wrote:
>
> nice... it's about time some nice debug output was provided to show what
> was being read and created. question, can we have an option to
> send the CA to the client as well (just for completeness, to ensure
> current capabilities (and to deal with older horrible clients) aren't
> lost)?
Already there :)
chain {
    …
    #
    #  Only available with OpenSSL >= 1.0.2
    #
    #  Omit the Root CA from the compiled certificate chain.
    #  The Root CA should already be known/trusted by the client so it is
    #  usually not needed unless the client is particularly poorly behaved.
    #
    #  Note: The Root CA must still be available for chain compilation to
    #  succeed even if "include_root_ca = no".
    #
    include_root_ca = yes
}
https://github.com/FreeRADIUS/freeradius-server/blob/v4.0.x/raddb/mods-available/eap#L193
The debug output will reflect exactly what certs will be sent, so when toggling it you'll see an extra cert appearing/disappearing.
-Arran