Sending CA certificate during EAP-TLS
Eshun Benjamin
bkeshun at yahoo.fr
Wed Jun 20 19:18:24 CEST 2007
> Well in my current configuration I have the RADIUS server certificate in
> certificate_file and CA certificate in CA_file.
> But with that configuration, the RADIUS server is still sending the CA
> certificate.
The CA_path folder is empty and the CA_file is commented out. This should work for you.
tls {
    #
    # This is used to simplify later configurations.
    #
    certdir = ${raddbdir}/certs
    cadir = ${raddbdir}/certs/trustedCA
    private_key_password = whatever
    private_key_file = ${certdir}/server.pem
    certificate_file = ${certdir}/server.pem
    # Trusted Root CA list - CA_path folder is empty
    # CA_file = ${cadir}/ca.pem
    CA_path = ${raddbdir}/certs/trustedCA
    dh_file = ${certdir}/dh
    random_file = ${certdir}/random
    # fragment_size = 1024
    # include_length = yes
    # check_crl = yes
    # check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
    # check_cert_cn = %{User-Name}
    #
    # Set this option to specify the allowed
    # TLS cipher suites. The format is listed
    # in "man 1 ciphers".
    cipher_list = "DEFAULT"
    # make_cert_command = "${certdir}/bootstrap"
}
==================================================
Benjamin K. Eshun
----- Original message ----
From: Rafa Marín López <rafa.marinlopez at gmail.com>
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Cc: Rafa Marin Lopez <rafa at dif.um.es>
Sent: Wednesday, 20 June 2007, 18:10:12
Subject: Re: Sending CA certificate during EAP-TLS
Reimer Karlsen-Masur, DFN-CERT wrote:
Hi Karlsen,
thanks for the answer, please see inline...
>
> Argh, your misunderstanding is because of the inline
> documentation/default setup of the eap config file.
>
> *Trusted* CAs for client auth are stored in
>
> CA_file
>
> or
>
> CA_path
>
> So there is no conflict here with certificate_file option.
>
> And IMO usually CA_file and certificate_file should *not* contain the
> same CA certs
Well, in my current configuration I have the RADIUS server certificate in
certificate_file and the CA certificate in CA_file.
But with that configuration, the RADIUS server is still sending the CA
certificate.
Having said that, your proposal was to not include the CA certificate
in the RADIUS server certificate (in the certificate_file variable).
My RADIUS server certificate does not have the CA certificate included.
Even so, the RADIUS server is including the CA certificate :(...
Any alternative solution?
> because I guess in the majority of cases the RADIUS server cert is
> issued by some (commercial) server CA where as the client certs are
> mostly issued by some home grown user CA.
>
> Saying that there might be cases where the CA certificates from
> CA_file are indeed the CA chain certs of the RADIUS server
> certificate.....
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
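The thread turns on what actually ends up in the file named by certificate_file. FreeRADIUS hands that file to OpenSSL as a certificate chain file: the first CERTIFICATE block is the server certificate, and every further CERTIFICATE block in the same file is sent to the supplicant as part of the chain during the EAP-TLS handshake. A quick way to audit a server.pem for stray chain certificates is to split it into its PEM blocks and fingerprint each one. The script below is an added example, not part of the original post or of FreeRADIUS itself; the two sample PEM files are constructed from arbitrary bytes (they are not real keys or certificates) so that the example runs offline, and the function names are hypothetical.

```python
import base64
import hashlib
import re


# Constructed sample inputs (not real certificates or keys). Each block's body
# is arbitrary base64 data; the check below only looks at PEM structure.
def _fake_block(label: str, seed: bytes) -> str:
    body = base64.encodebytes(hashlib.sha256(seed).digest() * 3).decode()
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"


# server.pem as the config in the thread uses it: key plus server cert only.
SERVER_ONLY_PEM = _fake_block("RSA PRIVATE KEY", b"key") + _fake_block("CERTIFICATE", b"server")
# The same file with the CA certificate appended (a bundled chain).
SERVER_WITH_CA_PEM = SERVER_ONLY_PEM + _fake_block("CERTIFICATE", b"ca")

# One PEM block: label in the BEGIN line must match the END line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_blocks(text: str):
    """Yield (label, der_bytes) for every PEM block found in text."""
    for m in PEM_BLOCK.finditer(text):
        label, b64 = m.group(1), m.group(2)
        yield label, base64.b64decode("".join(b64.split()))


def inspect_certificate_file(text: str) -> dict:
    """Summarise a certificate_file: SHA-256 fingerprints of each CERTIFICATE
    block in file order, and the number of private-key blocks present."""
    certs = []
    keys = 0
    for label, der in pem_blocks(text):
        if label == "CERTIFICATE":
            certs.append(hashlib.sha256(der).hexdigest())
        elif label.endswith("PRIVATE KEY"):
            keys += 1
    return {"certificates": certs, "private_keys": keys}


def extra_certs_sent(text: str) -> list:
    """Fingerprints of every certificate after the first one. The first block
    is the server certificate; everything after it is chain material that
    OpenSSL will send to EAP-TLS clients along with it."""
    return inspect_certificate_file(text)["certificates"][1:]


if __name__ == "__main__":
    for name, pem in (("server only", SERVER_ONLY_PEM), ("server + CA", SERVER_WITH_CA_PEM)):
        info = inspect_certificate_file(pem)
        print(f"{name}: {len(info['certificates'])} cert(s), {info['private_keys']} key(s), "
              f"extra chain certs: {len(extra_certs_sent(pem))}")
```

Run it against the real file (`inspect_certificate_file(open('/etc/raddb/certs/server.pem').read())`) and follow up with `openssl x509 -noout -subject -issuer` on each block to see which certificate is which. Two caveats matter for this thread. First, the file is not the only source of chain certificates: when the certificate file carries no chain, OpenSSL will, by default, try to complete the chain from the trusted store, which in this configuration is CA_file/CA_path, unless the application sets SSL_MODE_NO_AUTO_CHAIN. That is consistent with a server still sending the CA certificate even though server.pem does not contain it. Second, CA_file/CA_path is also the trust store used to verify client certificates in EAP-TLS (as the quoted message above notes), so emptying it to stop the CA certificate from being sent also removes the server's ability to validate supplicant certificates; check client-certificate authentication still works after any such change.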