"Manual" certificate checking

Phil Mayers p.mayers at imperial.ac.uk
Mon Jul 9 14:18:32 CEST 2012


On 09/07/12 13:04, Sven Dreyer wrote:
> Hi List,
>
> at work, I have the following requirements for IP phones which should be
> authenticated before joining the network:
>
> - Root CA --> Sub CA --> Device certificates
> - The phones have the Sub CA certificate locally installed as
> "trustworthy" (NOT the Root CA certificate!)
> - The RADIUS server must only send its server certificate (not the whole
> chain)

Why?

> - I only put the RADIUS server certificate to certificate_file. But as
> soon as CA_path or CA_file are set, FreeRADIUS sends the whole
> certificate chain to the phone.

I'm afraid the current TLS code works that way. You would need to patch 
the source if you want a different set of server CA and client CA objects.

