rlm_rest / SSL one way and server certificate check

Chaigneau, Nicolas nicolas.chaigneau at capgemini.com
Mon Oct 24 15:53:07 CEST 2016


Hello,


I'm using rlm_rest module.
I'm trying to have the client check the server certificate (SSL one way), using the following options:

rest {
    tls {
        ca_file = <where I've put my CA file>
        check_cert = "yes"
    }
}



However I can't get this to work.
Apparently the option set by FreeRADIUS (CURLOPT_ISSUERCERT) is ignored by Curl, which instead uses a "bundle of certificates" located in: /etc/pki/tls/certs/ca-bundle.crt

I've put libcurl in verbose mode, which outputs the following:

* Connected to 10.67.141.75 (10.67.141.75) port 8443 (#1)
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL certificate problem: unable to get local issuer certificate
* Curl_http_done: called premature == 1
* Closing connection 1


This works if I change rlm_rest code, so that option CURLOPT_CAINFO is set instead of CURLOPT_ISSUERCERT.

So... is it supposed to work with CURLOPT_ISSUERCERT ?
if so what am I doing wrong ?



Regards,
Nicolas.

This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.


More information about the Freeradius-Users mailing list