"Manual" certificate checking
Phil Mayers
p.mayers at imperial.ac.uk
Mon Jul 9 14:24:18 CEST 2012
On 09/07/12 13:18, Phil Mayers wrote:
> On 09/07/12 13:04, Sven Dreyer wrote:
>> Hi List,
>>
>> at work, I have the following requirements for IP phones which should be
>> authenticated before joining the network:
>>
>> - Root CA --> Sub CA --> Device certificates
>> - The phones have the Sub CA certificate locally installed as
>> "trustworthy" (NOT the Root CA certificate!)
>> - The RADIUS server must only send its server certificate (not the whole
>> chain)
>
> Why?
>
>> - I only put the RADIUS server certificate to certificate_file. But as
>> soon as CA_path or CA_file are set, FreeRADIUS sends the whole
>> certificate chain to the phone.
>
> I'm afraid the current TLS code works that way. You would need to patch
> the source if you want a different set of server CA and client CA objects.
>
Just to expand on this: it would be very hard, since OpenSSL is the one
adding the CA chain and doing the SSL. You would need to persuade
OpenSSL to have the CA loaded for clients, but not for server use.
I think this might even be impossible.
You could use a different CA for the server and client.
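The behaviour discussed above can be reproduced without FreeRADIUS at all, using only the openssl CLI. The script below is an added demonstration, not code from this thread or from the FreeRADIUS project: it builds a throwaway Root CA, Sub CA and server certificate (all names constructed), serves only the leaf with `openssl s_server`, and counts how many certificates the client receives with and without the Sub CA in the server's verify store. It assumes the openssl command-line tool is installed and that TCP port 14433 on 127.0.0.1 is free.

```sh
#!/bin/sh
# Added demonstration (not code from the thread or from FreeRADIUS): builds a
# throwaway Root CA -> Sub CA -> server leaf, then runs openssl s_server with
# only the leaf in -cert. With no CA loaded it sends just the leaf; once the
# Sub CA is in the verify store (what FreeRADIUS's CA_file/CA_path do), OpenSSL
# completes the chain from that store and sends the Sub CA as well.
# Assumes the openssl CLI is installed and TCP port 14433 on 127.0.0.1 is free.
set -e
PORT=14433
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
# Constructed test PKI: throwaway keys, one-day validity, nothing reusable.
openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=TestRoot -days 1 \
  -keyout root.key -out root.crt 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj /CN=TestSubCA \
  -keyout sub.key -out sub.csr 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' >ca.ext
openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -extfile ca.ext -days 1 -out sub.crt 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj /CN=radius.example.test \
  -keyout srv.key -out srv.csr 2>/dev/null
openssl x509 -req -in srv.csr -CA sub.crt -CAkey sub.key -CAcreateserial \
  -days 1 -out srv.crt 2>/dev/null

# Serve the leaf (plus any extra s_server options), make one connection, and
# print how many certificates the server put in its Certificate message.
certs_sent() {
  openssl s_server -accept "$PORT" -naccept 1 -www \
    -cert srv.crt -key srv.key "$@" >/dev/null 2>&1 &
  n=0
  for attempt in 1 2 3 4 5 6 7 8 9 10; do   # retry until the server listens
    n=$(openssl s_client -connect "127.0.0.1:$PORT" -showcerts </dev/null \
          2>/dev/null | grep -c 'BEGIN CERTIFICATE' || true)
    [ "$n" -gt 0 ] && break
    sleep 1
  done
  kill $! 2>/dev/null || true           # only matters if no connection succeeded
  wait $! 2>/dev/null || true
  echo "$n"
}

LEAF_ONLY=$(certs_sent)                   # nothing in the verify store
WITH_SUBCA=$(certs_sent -CAfile sub.crt)  # Sub CA loaded, like CA_file
echo "no CA loaded: $LEAF_ONLY cert(s) sent; -CAfile sub.crt: $WITH_SUBCA cert(s) sent"
```

The same run with `-CAfile root.crt` added next to the Sub CA shows the root being sent too, which is why the original poster sees the whole chain once CA_file or CA_path points at the full CA set.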