Sending CA certificate during EAP-TLS

Reimer Karlsen-Masur, DFN-CERT karlsen-masur at dfn-cert.de
Fri Jun 29 10:34:53 CEST 2007


Hi,

Rafa Marín López wrote:
> Reimer Karlsen-Masur, DFN-CERT wrote:
> 
> Hi Karlsen,
> 
> thanks for the answer, please see inline...
>> Argh, your misunderstanding is because of the inline 
>> documentation/default setup of the eap config file.
>>
>> *Trusted* CAs for client auth are stored in
>>
>> CA_file
>>
>> or
>>
>> CA_path
>>
>> So there is no conflict here with certificate_file option.
>>
>> And IMO usually CA_file and certificate_file should *not* contain the 
>> same CA certs
> Well in my current configuration I have the RADIUS server certificate in 
> certificate_file and CA certificate in CA_file.
> 
> But with that configuration, the radius server is still sending the CA 
> certificate.
> 
> Having said that, your proposal was to not include the CA certificate 
> in the RADIUS server certificate (in certificate_file variable)
> 
> My RADIUS server certificate does not have the CA certificate included. 
> Even so, the RADIUS server is including the CA certificate :(...
> 
> Any alternative solution?

No.

If the configuration is as minimal as suggested (no chain certificates in 
certificate_file) and FreeRadius is still sending the complete server CA 
chain build, this must be some FreeRadius magic....

How do you check if FreeRadius is actually sending the chain?

-- 
Beste Gruesse / Kind Regards

Reimer Karlsen-Masur

DFN-PKI FAQ: https://www.pki.dfn.de/faqpki
--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
