virtual server configuration
usawebbox at fastmail.fm
Sat Mar 22 01:51:53 CET 2008
On Wed, 19 Mar 2008 07:30:53 +0100, "Alan DeKok"
<aland at deployingradius.com> said:
> usawebbox at fastmail.fm wrote:
>
> > All you need is a server cert and private
> > key. In PEAP, the client is the one who needs the CA cert, if he wants
> > to verify the server cert, but even that is optional.
>
> The CA cert is needed by OpenSSL to validate the server cert.
>
I did not know this. I've always provided it, but I didn't know it was
required.
> > Anyway, can we say now that not providing a CA_file doesn't work?
>
> Provide a CA cert as instructed, either in CA_file or in
> certificate_file.
>
I wasn't clear enough this time, but I have tried to include it in
certificate_file, first with my original certs, then with certs issued
from my local CA, then with the example certs created by make ca server.
My eap.conf TLS section is:
    tls {
        certdir = ${confdir}/certs
        cadir = ${confdir}/certs
        private_key_password = whatever
        private_key_file = ${certdir}/server.key
        certificate_file = ${certdir}/server-ca.crt
        #CA_file = ${cadir}/ca.pem
        dh_file = ${certdir}/dh
        random_file = ${certdir}/random
        cipher_list = "DEFAULT"
    }
server-ca.crt is created thus:
    cat ca.pem server.crt > server-ca.crt
In all cases the server does not initialize, with the error:
    rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)
    rlm_eap_tls: Error reading Trusted root CA list (null)
    rlm_eap: Failed to initialize type tls
If I uncomment the CA_file line, then peap works normally, and the
server cert is validated with ca.pem on the client side.
Either I am not making the combined CA/server cert correctly, or this is
not working (v2.0.2).
--
usawebbox at fastmail.fm
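An added example, not part of the thread and not FreeRADIUS code, to check the two things the post is juggling. First, the order of a concatenated certificate_file matters: OpenSSL's SSL_CTX_use_certificate_chain_file(), which is what FreeRADIUS uses to load certificate_file, takes the first certificate in the file as the server certificate and the remaining ones as its chain, so `cat ca.pem server.crt` puts the CA certificate where the server certificate should be; `openssl x509` reads only the first PEM block, which makes it a quick way to see what the loader will pick up. Second, the "(null)" in "Error reading Trusted root CA list (null)" is consistent with the unset CA_file being printed, which is a separate load from certificate_file and is what `openssl verify -CAfile` exercises below. The CA and server names, the temporary directory and the generated keys are constructed test material for this script.

```shell
#!/bin/sh
# Added example (not from the thread, not FreeRADIUS code): build and inspect the
# combined certificate file discussed above. Subjects, file names and the temp
# directory are constructed test material.
set -eu

WORK=$(mktemp -d)

# Constructed CA: self-signed, no passphrase on the key (-nodes).
gen_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
}

# Constructed server certificate: a CSR signed by the CA above.
gen_server() {
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=radius.example.test" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/server.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -days 365 -out "$WORK/server.crt" >/dev/null 2>&1
}

# Two concatenations: the order used in the post (CA first) and the order
# SSL_CTX_use_certificate_chain_file() expects (server cert first, then issuers).
build_chains() {
    cat "$WORK/ca.pem" "$WORK/server.crt" > "$WORK/ca-first.crt"
    cat "$WORK/server.crt" "$WORK/ca.pem" > "$WORK/server-first.crt"
}

# 'openssl x509' decodes only the first PEM block in the file, i.e. exactly the
# certificate the chain loader would present as the server certificate.
first_subject() {
    openssl x509 -in "$1" -noout -subject
}

# Number of certificates in a PEM bundle.
cert_count() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# The check FreeRADIUS needs CA_file for: does server.crt chain to ca.pem?
verify_server() {
    openssl verify -CAfile "$WORK/ca.pem" "$WORK/server.crt" >/dev/null 2>&1
}

main() {
    gen_ca
    gen_server
    build_chains
    echo "ca-first.crt leads with:     $(first_subject "$WORK/ca-first.crt")"
    echo "server-first.crt leads with: $(first_subject "$WORK/server-first.crt")"
    echo "certificates in server-first.crt: $(cert_count "$WORK/server-first.crt")"
    if verify_server; then
        echo "server.crt verifies against ca.pem"
    else
        echo "server.crt does NOT verify against ca.pem"
    fi
}

main
```

Running it prints the leading subject of each concatenation, so a file assembled as in the post shows the CA's subject first and a server-first file shows the server's. Whatever the order of certificate_file, the trusted-root load is a separate step, so the CA certificate still has to be given through CA_file (or CA_path) for the server to start.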