eap ttls certificate config

jehan procaccia jehan.procaccia at it-sudparis.eu
Thu Oct 2 12:21:42 CEST 2008


OK, I found why it core-dumped.
I thought that CA_file and CA_path needed to be set separately,
so when setting CA_path I was commenting out CA_file.
Now that both CA_file and CA_path directives are present in eap.conf, it
doesn't core-dump anymore.

Anyway, I found my real problem. It's from the securew2 Windows EAP-TTLS client:
it doesn't support certificates above 2048 bits, and our 3-level CA chain
is composed of 3x4096-bit CA certificates.
So securew2 was complaining about a wrong certificate from freeradius,
because it couldn't read such a "large" bundle.

Quoting the securew2 mailing list:
Tom Rixom wrote:
> At the moment sw2 supports certificate file sizes up to 2048.
> This will be upped in the next release candidate.
> As soon as we have a release candidate (hopefully end of this month) 
> you can test it. 
We are waiting for a new securew2 release to validate that.

Alan DeKok wrote:
> Jehan PROCACCIA wrote:
>> Actually I wasn't suggesting that it is a bug,
>
>   A core dump is a bug.  The files I suggested you read contain
> instructions that help us fix the bug.
>
>> my initial question is how
>> one can use that CA_path directive
>> and what the CA_path should contain.
>> If it's a bug, then I should rather update my freeradius-2.0.3-3.el5 to
>> 2.1.1 or so?
>
>   I would suggest trying that.
>
>> but I'm surprised to be the only one having that problem.
>> Indeed I do have a /usr/share/doc/freeradius-2.0.3 directory containing
>> docs
>> but nothing on the CA_path directive, neither in bugs, ChangeLog, rlm_eap
>> or any other file.
>
>   How about eap.conf?  The CA path is a path to a directory containing
> certs and CRL's.  This is *documented* in eap.conf.
>
>> My initial question is: "how to configure eap.conf tls section to load a
>> multi-level certificate hierarchy (CA bundle)"?
>
>   Include the certificates in the CA_path directory.
>
>   Alan DeKok.
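The key-size problem described above is easy to miss when the whole chain is handed to the server as one bundle. The script below is an added example (mine, not code from this post, from securew2 or from the FreeRADIUS project): it splits a PEM bundle into its certificates, walks each one's DER to the subjectPublicKeyInfo and reports the RSA modulus size, so a 4096-bit CA in the chain shows up before a client refuses it. It is standard-library Python only and assumes X.509 certificates with RSA subject keys; it does not verify signatures or names. The certificates it runs on are constructed inside the script (synthetic_cert_pem builds structurally valid, unsigned certificate shells as a test fixture of mine; they are not real CA certificates, and the 2048-bit threshold is just the limit as this post reads the securew2 statement).

```python
"""Added example: report certificates in a PEM CA bundle whose RSA key exceeds a
client's limit. Standard library only; assumes X.509 certs with RSA subject keys."""
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption, 1.2.840.113549.1.1.1


def split_pem_bundle(text):
    """Return the DER bytes of every certificate in a PEM bundle, in file order."""
    return [base64.b64decode("".join(m.group(1).split())) for m in PEM_RE.finditer(text)]


def _read_tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield (tag, value_start, value_end) for each TLV inside a constructed value."""
    pos = start
    while pos < end:
        tag, vstart, vend = _read_tlv(buf, pos)
        yield tag, vstart, vend
        pos = vend


def rsa_modulus_bits(der):
    """Bit length of the RSA modulus in a DER certificate, or None for non-RSA keys."""
    _, cert_vs, cert_ve = _read_tlv(der, 0)                     # Certificate SEQUENCE
    _, tbs_vs, tbs_ve = next(_children(der, cert_vs, cert_ve))  # tbsCertificate
    fields = list(_children(der, tbs_vs, tbs_ve))
    if fields[0][0] == 0xA0:               # explicit [0] version; absent in v1 certs
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    _, spki_vs, spki_ve = fields[5]
    alg, key = list(_children(der, spki_vs, spki_ve))[:2]
    _, oid_vs, oid_ve = next(_children(der, alg[1], alg[2]))
    if der[oid_vs:oid_ve] != RSA_OID:
        return None
    # BIT STRING content: one unused-bits byte, then RSAPublicKey ::= SEQUENCE { n, e }
    _, seq_vs, seq_ve = _read_tlv(der, key[1] + 1)
    _, n_vs, n_ve = next(_children(der, seq_vs, seq_ve))
    return int.from_bytes(der[n_vs:n_ve], "big").bit_length()


def oversized_certs(bundle_text, max_bits=2048):
    """[(index, bits)] for every cert in the bundle whose RSA modulus exceeds max_bits."""
    found = []
    for i, der in enumerate(split_pem_bundle(bundle_text)):
        bits = rsa_modulus_bits(der)
        if bits is not None and bits > max_bits:
            found.append((i, bits))
    return found


# --- constructed test fixture: a structurally valid but unsigned certificate shell ---

def _tlv(tag, body):
    """DER-encode one TLV with a definite length."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _der_int(value):
    """DER INTEGER for a non-negative int (leading 0x00 added when the high bit is set)."""
    b = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    return _tlv(0x02, b"\x00" + b if b[0] & 0x80 else b)


def synthetic_cert_pem(modulus_bits):
    """PEM for an X.509 v3 shell whose RSA modulus has exactly modulus_bits bits.
    Constructed fixture: empty names, dummy validity, empty signature; not a real CA."""
    modulus = (1 << (modulus_bits - 1)) | 1
    rsa_key = _tlv(0x30, _der_int(modulus) + _der_int(65537))
    alg_id = _tlv(0x30, _tlv(0x06, RSA_OID) + _tlv(0x05, b""))
    spki = _tlv(0x30, alg_id + _tlv(0x03, b"\x00" + rsa_key))
    name = _tlv(0x30, b"")
    validity = _tlv(0x30, _tlv(0x17, b"081002000000Z") * 2)
    tbs = _tlv(0x30, _tlv(0xA0, _der_int(2)) + _der_int(1) + alg_id
               + name + validity + name + spki)
    cert = _tlv(0x30, tbs + alg_id + _tlv(0x03, b"\x00"))
    b64 = base64.b64encode(cert).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


if __name__ == "__main__":
    # A 3-level chain like the one in the post: 4096 / 4096 / 2048-bit keys
    bundle = synthetic_cert_pem(4096) + synthetic_cert_pem(4096) + synthetic_cert_pem(2048)
    for idx, bits in oversized_certs(bundle, max_bits=2048):
        print("cert #%d: %d-bit RSA key exceeds the client limit" % (idx, bits))
```

Run it against the concatenated bundle you point CA_file at, with whatever max_bits the client in question accepts. The same split is also the first step for populating CA_path: OpenSSL looks certificates up there one per file, named by subject hash, which is what running c_rehash (or `openssl rehash` on newer OpenSSL) over the directory produces; this script deliberately does not compute those hash names.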




More information about the Freeradius-Users mailing list