"Manual" certificate checking

Sven Dreyer sven at dreyer-net.de
Mon Jul 9 14:27:21 CEST 2012

Am 09.07.2012 14:18, schrieb Phil Mayers:
>> - The phones have the Sub CA certificate locally installed as
>> "trustworthy" (NOT the Root CA certificate!)
>> - The RADIUS server must only send its server certificate (not the whole
>> chain)
> Why?

Not my decision - our customer said something like "that's the way it 
works in our network". I suggested to send the whole chain, but their 
answer was like "no RFC forces anyone to send the whole chain, so it 
must work that way".

>> - I only put the RADIUS server certificate to certificate_file. But as
>> soon as CA_path or CA_file are set, FreeRADIUS sends the whole
>> certficiate chain to the phone.
> I'm afraid the current TLS code works that way. You would need to patch
> the source if you want a different set of server CA and client CA objects.

Thanks for that, I already suspected something like this.

Best regards, Sven

More information about the Freeradius-Users mailing list