[EAP-TLS Windows 7] Problem with chain certificate on the client side
Phil Mayers
p.mayers at imperial.ac.uk
Fri May 4 13:29:59 CEST 2012
On 30/04/12 13:18, jinx_20 wrote:
>
> But I still cannot understand why FR allowed to connect when I had removed
> Sub2_CA certificate from cert store.

Just to emphasise, unless I'm mistaken it is OpenSSL that was validating
or rejecting the cert. The FreeRADIUS "verify" callback doesn't override
the OpenSSL decision except in the expected cases, such as the external
"verify" script execution, CN comparisons or similar, and those are done
on terminal certs only.

So, either OpenSSL was failing to validate it, or OpenSSL was passing
bad "depth" data into FreeRADIUS' callback function. Either way, I think
the issue here lies inside OpenSSL.