"Manual" certificate checking
Sven Dreyer
sven at dreyer-net.de
Mon Jul 9 14:04:15 CEST 2012
Hi List,
at work, I have the following requirements for IP phones which should be
authenticated before joining the network:
- Root CA --> Sub CA --> Device certificates
- The phones have the Sub CA certificate locally installed as
"trustworthy" (NOT the Root CA certificate!)
- The RADIUS server must only send its server certificate (not the whole
chain)
- The phones only send their device certificate to the RADIUS server
I tried to build this scenario with FreeRADIUS (2.1.10, on Debian), but
got stuck at the following points:
- I only put the RADIUS server certificate into certificate_file. But as
soon as CA_path or CA_file are set, FreeRADIUS sends the whole
certificate chain to the phone.
- As soon as I unset CA_path and CA_file, FreeRADIUS sends only the
content of certificate_file to the phone, which is what I want. Of
course, phone certificate checking then doesn't work anymore.
- So I thought that I would implement phone certificate checking using the
"verify" block. But this only seems to work "on top" of the built-in
certificate checking.
Does anybody have a hint?
Thanks,
Sven
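The trust model in the post (phone trusts only the Sub CA, server verifies device certificates) runs into a property of OpenSSL chain building, which is what FreeRADIUS uses for EAP-TLS: by default a chain is only accepted when it reaches a self-signed root in the trust store, so a store holding only the Sub CA rejects a device certificate unless partial-chain trust is enabled (the X509_V_FLAG_PARTIAL_CHAIN flag, exposed as `-partial_chain` in the openssl CLI from 1.0.2 on). The script below is an added illustration, not part of the original post or of FreeRADIUS: it builds a throwaway Root CA, Sub CA and device certificate with constructed names, then runs the three verification modes side by side. It assumes the `openssl` binary (1.0.2 or later) is on PATH.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): Root CA -> Sub CA -> device
# certificate, verified three ways to show when a Sub-CA-only trust store works.
# Assumes the openssl CLI (>= 1.0.2 for -partial_chain) is installed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Root CA: self-signed (req -x509 marks it CA:TRUE). Constructed name.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Root CA" -keyout root.key -out root.pem >/dev/null 2>&1

# Sub CA: signed by the root; extensions mark it as a signing CA.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Sub CA" \
    -keyout sub.key -out sub.csr >/dev/null 2>&1
openssl x509 -req -in sub.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 1 -extfile ca.ext -out sub.pem >/dev/null 2>&1

# Device certificate: an end-entity cert issued by the Sub CA (constructed CN).
printf 'basicConstraints=critical,CA:FALSE\n' > ee.ext
openssl req -newkey rsa:2048 -nodes -subj "/CN=phone-0001" \
    -keyout device.key -out device.csr >/dev/null 2>&1
openssl x509 -req -in device.csr -CA sub.pem -CAkey sub.key -CAcreateserial \
    -days 1 -extfile ee.ext -out device.pem >/dev/null 2>&1

# verify_device MODE: verifies device.pem under one trust configuration and
# echoes OK or FAIL. The modes mirror what a CA_file setting can contain.
verify_device() {
    case "$1" in
        full_chain)
            # Root in the trust store, Sub CA supplied as untrusted intermediate:
            # the normal OpenSSL model (CA_file holds the root).
            cmd="openssl verify -CAfile root.pem -untrusted sub.pem device.pem" ;;
        subca_only)
            # Only the Sub CA is trusted: default chain building cannot reach a
            # self-signed root, so verification is rejected.
            cmd="openssl verify -CAfile sub.pem device.pem" ;;
        subca_partial_chain)
            # Same store, but the chain may end at any trusted certificate.
            cmd="openssl verify -partial_chain -CAfile sub.pem device.pem" ;;
        *)
            echo "unknown mode: $1" >&2; return 1 ;;
    esac
    if $cmd >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# Stand-alone run: print the outcome of each mode.
for mode in full_chain subca_only subca_partial_chain; do
    printf '%-22s %s\n' "$mode" "$(verify_device "$mode")"
done
```

Expected outcomes are `full_chain OK`, `subca_only FAIL`, `subca_partial_chain OK`. The middle line is the situation the post describes: a verifier fed only the Sub CA (and no root) refuses the device certificate unless it is explicitly told to accept a chain that stops at a trusted intermediate.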
More information about the Freeradius-Users mailing list