Server Sertificate

Phil Mayers p.mayers at imperial.ac.uk
Wed Jun 1 22:14:51 CEST 2011


On 06/01/2011 09:07 PM, Lubenski, Zeev [GCS] wrote:
> Paul
>
> In the RFC 5216 I see:
> The EAP server will then respond with an EAP-Request packet with
>   AP-Type=EAP-TLS.  The data field of this packet will encapsulate one
>   or more TLS records.
> These will contain a TLS server_hello handshake
> message, possibly followed by TLS certificate
>
> This leads to believe that certificate is not mandatory ?

If you read just a few lines further on:

"""
    If the EAP server is not resuming a previously established session,
    then it MUST include a TLS server_certificate handshake message, and
    a server_hello_done handshake message MUST be the last handshake
    message encapsulated in this EAP-Request packet.
"""

That is, a certificate is only "optional" if you're resuming an earlier 
session (which must itself have contained a certificate)



More information about the Freeradius-Users mailing list