EAP-TLS with TLS 1.3

Alan Buxey alan.buxey at gmail.com
Thu Mar 15 22:14:59 CET 2018


thx!

alan

On 15 March 2018 at 19:55, Arran Cudbard-Bell <a.cudbardb at freeradius.org> wrote:
>
>
>> On Mar 15, 2018, at 7:22 PM, Alan Buxey <alan.buxey at gmail.com> wrote:
>>
>> nice... it's about time some nice debug output was provided to show what
>> was being read and created. question, can we have an option to
>> send the CA to the client as well (just for completeness, to ensure
>> current capabilities (and to deal with older horrible clients) aren't
>> lost)?
>
> Already there :)
>
> chain {
>
>         #
>         #  Only available with OpenSSL >= 1.0.2
>         #
>         #  Omit the Root CA from the compiled certificate chain.
>         #  The Root CA should already be known/trusted by the client so it is
>         #  usually not needed unless the client is particularly poorly behaved.
>         #
>         #  Note: The Root CA must still be available for chain compilation to
>         #  succeed even if "include_root_ca = no".
>         #
>         include_root_ca = yes
> }
>
> https://github.com/FreeRADIUS/freeradius-server/blob/v4.0.x/raddb/mods-available/eap#L193
>
> The debug output will reflect exactly what certs will be sent, so toggling it you’ll see an extra cert appearing/disappearing.
>
> -Arran
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html


