EAP-TLS with TLS 1.3

Arran Cudbard-Bell a.cudbardb at freeradius.org
Thu Mar 15 20:55:34 CET 2018

> On Mar 15, 2018, at 7:22 PM, Alan Buxey <alan.buxey at gmail.com> wrote:
> nice...its about time some nice debug output was provided to show what
> was being read and created.   question, can we have an option to
> send the CA to the client as well (just for completeness, to ensure
> current capabilities (and to deal with older horrible clients) arent
> lost?

Already there :)

chain {

	#  Only available with OpenSSL >= 1.0.2
	#  Omit the Root CA from the compiled certificate chain.
	#  The Root CA should already be known/trusted by the client so it is
	#  usually not needed unless the client is particularly poorly behaved.
	#  Note: The Root CA must still be available for chain compilation to
	#  succeed even if "include_root_ca = no".
	include_root_ca = yes

https://github.com/FreeRADIUS/freeradius-server/blob/v4.0.x/raddb/mods-available/eap#L193 <https://github.com/FreeRADIUS/freeradius-server/blob/v4.0.x/raddb/mods-available/eap#L193>

The debug output will reflect exactly what certs will be sent, so toggling it you’ll see an extra cert appearing/disappearing.


More information about the Freeradius-Devel mailing list