cert bootstrap bug? (was Re: definitely, I have a problem with eap-tls)
Andrew Hood
freeradius at andyhood.net
Thu Aug 21 16:00:50 CEST 2008
Alan DeKok wrote:
> William Hegardt wrote:
>
>>EAP-TLS authentication fails with the "fatal unknown ca" message.
>
>
> The server cert may need to be marked with "CA:true"
>
>
>>If I hack the Makefile like Sergio mentioned last month to sign the
>>client certificate with
>>the CA key, then authentication succeeds.
>
>
> That can work, too.
>
>
>>I'd really like to understand what's wrong. Could wpa_supplicant be
>>somehow incompatible with
>>the bootstrap certificate chain?
>
>
> It's OpenSSL on both ends. wpa_supplicant && FreeRADIUS are just
> wrappers to get the SSL data back and forth.

Pardon me if I've missed something, but as far as I can tell the server
cert isn't authorised to sign client certs, so I can't see how it could
work. The CA can sign client certs.
--
REALITY.SYS not found: Universe halted.
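
The point made in the reply above, reproduced with the openssl CLI as an added example (not part of the original message, and not FreeRADIUS's bootstrap Makefile): a client cert signed by the server cert only validates when the server cert carries CA:TRUE, while one signed by the CA validates either way. The function names, subject names and file names are made up for this demo.

```shell
#!/bin/sh
# Constructed demo: every subject name and file name below is made up.

# sign DIR CSR_NAME ISSUER_NAME EXT_SECTION OUTFILE
# Issue a cert for DIR/CSR_NAME.csr using ISSUER_NAME's cert and key.
sign() {
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.pem" -CAkey "$1/$3.key" \
        -set_serial "0x$(openssl rand -hex 8)" -days 1 \
        -extfile "$1/x.cnf" -extensions "$4" -out "$1/$5" 2>/dev/null
}

# make_chain DIR SERVER_CA   (SERVER_CA is TRUE or FALSE)
# Builds: root CA -> server cert -> client_by_server.pem
#         root CA -> client_by_ca.pem
make_chain() {
    d=$1
    cat > "$d/x.cnf" <<EOF
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical,CA:TRUE
[server]
basicConstraints = critical,CA:$2
[client]
basicConstraints = critical,CA:FALSE
EOF
    # Self-signed root, explicitly marked as a CA.
    openssl req -x509 -config "$d/x.cnf" -extensions ca -newkey rsa:2048 -nodes \
        -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
    # Keys and signing requests for the server and the client.
    for n in server client; do
        openssl req -new -config "$d/x.cnf" -newkey rsa:2048 -nodes \
            -subj "/CN=demo-$n" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
    done
    sign "$d" server ca     server server.pem &&
    sign "$d" client server client client_by_server.pem &&
    sign "$d" client ca     client client_by_ca.pem
}

# verify_client DIR CERT
# Validate CERT against the root only, offering the server cert as an
# untrusted intermediate, which is how the verifying peer builds the chain.
verify_client() {
    openssl verify -CAfile "$1/ca.pem" -untrusted "$1/server.pem" "$1/$2" >/dev/null 2>&1
}
```

After `make_chain "$dir" FALSE`, `verify_client "$dir" client_by_server.pem` fails and `verify_client "$dir" client_by_ca.pem` succeeds; rebuilding with `TRUE` makes both succeed.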