[EAP-TLS Windows 7] Problem with chain certificate on the client side

Phil Mayers p.mayers at imperial.ac.uk
Fri May 4 13:29:59 CEST 2012

On 30/04/12 13:18, jinx_20 wrote:
> But I still cannot understand why FR allowed to connect when I had removed
> Sub2_CA certificate from cert store.

Just to emphasise, unless I'm mistaken it is OpenSSL that was validating 
or rejecting the cert. The FreeRADIUS "verify" callback doesn't override 
the OpenSSL decision except in the expected cases, such as the external 
"verify" script execution, CN comparisons or similar, and those are done 
on terminal certs only.

So, either OpenSSL was failing to validate it, or OpenSSL was passing 
bad "depth" data into FreeRADIUS' callback function. Either way, I think 
the issue here lies inside OpenSSL.
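
Since the reply above places the accept/reject decision in OpenSSL, one way to check that decision outside FreeRADIUS is to run `openssl verify` on the same chain. The script below is an added example, not part of the original post or of FreeRADIUS: it builds a constructed Root_CA -> Sub1_CA -> Sub2_CA -> client PKI and reports OpenSSL's verdict with and without Sub2_CA available. Only the name Sub2_CA comes from the thread; the other names, files and functions are assumptions.

```shell
#!/bin/sh
# Constructed test PKI: Root_CA -> Sub1_CA -> Sub2_CA -> client.
# Only the name Sub2_CA comes from the thread; everything else is assumed.

issue() {  # issue <dir> <name> <issuer> <extension-section>
    openssl req -config "$1/cfg" -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.pem" -CAkey "$1/$3.key" \
        -CAcreateserial -extfile "$1/cfg" -extensions "$4" -days 2 \
        -out "$1/$2.pem" 2>/dev/null
}

make_pki() {  # make_pki <dir>
    # Own minimal config, so the result does not depend on the system openssl.cnf.
    printf '[req]\ndistinguished_name=dn\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n[leaf]\nbasicConstraints=CA:FALSE\n' > "$1/cfg"
    openssl req -config "$1/cfg" -x509 -extensions ca -newkey rsa:2048 -nodes \
        -subj "/CN=Root_CA" -keyout "$1/Root_CA.key" -out "$1/Root_CA.pem" \
        -days 2 2>/dev/null &&
    issue "$1" Sub1_CA Root_CA ca &&
    issue "$1" Sub2_CA Sub1_CA ca &&
    issue "$1" client Sub2_CA leaf
}

# OpenSSL's own verdict for the client cert. Root_CA is the only trust anchor;
# the bundle in $2 is offered as untrusted chain-building material.
openssl_verdict() {  # openssl_verdict <dir> <intermediates-bundle>
    if openssl verify -CAfile "$1/Root_CA.pem" -untrusted "$2" \
        "$1/client.pem" >/dev/null 2>&1
    then echo accept; else echo reject; fi
}

check_chain() {
    tmp=$(mktemp -d) || return 1
    make_pki "$tmp" || { rm -rf "$tmp"; return 1; }
    cat "$tmp/Sub1_CA.pem" "$tmp/Sub2_CA.pem" > "$tmp/full.pem"
    echo "with Sub2_CA: $(openssl_verdict "$tmp" "$tmp/full.pem")"
    echo "without Sub2_CA: $(openssl_verdict "$tmp" "$tmp/Sub1_CA.pem")"
    rm -rf "$tmp"
}

check_chain
```

`-untrusted` supplies certificates for chain building without making them trust anchors, which is also how OpenSSL treats intermediates sent by a TLS peer during the handshake.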
