After Upgrade from freeradius 2 to 3 (Debian 8 - 9): TLS Alert write:fatal:unsupported certificate

Stefan Winter stefan.winter at
Thu Dec 21 11:08:29 CET 2017


> is there a possible way, to ignore all certificates in ttls and send an accept??

paraphrased, you ask "Is there a way to throw overboard all security,
and to make my users susceptible to MITM attacks?"

Surprisingly, the answer is "Yes, that's the default behaviour." A
non-configured supplicant will typically accept all certificates thrown
at it, at best with a UI question like "Do you think that cert is okay?"

That's a client-side problem though - FreeRADIUS always needs to *send*
a server certificate.


Stefan Winter

Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the Freeradius-Users mailing list