[Spam?] Re: FYI, I gave up on eap-tls for OS X and ios.

Matthew Newton mcn4 at leicester.ac.uk
Thu Mar 30 11:49:08 CEST 2017


On Wed, Mar 29, 2017 at 11:24:37PM +0000, John Tobin wrote:
> I have a self signed cert because [ I believe ] that is the test cert you
> get when you install radius.
> /etc/raddb/cert has a make, you run the make for test certs.

You get a self-signed root CA (ca.pem), a server cert signed by
that CA (server.pem) and a client cert signed by the CA
(client.pem).

So the server should have the CA cert and the server cert
configured, and the client should have the CA cert installed and
the client cert for auth.

You don't use the self-signed CA cert as the server cert. This is
basic CA stuff.

> The os x machines have no mods for a "homebrewed" openssl?
> I am testing against sierra and elcapitan, and I was also told I would
> have to get special versions of openssl for os x at those levels because
> of problems in openssl…
> You have to implement homebrew openssl install…..

No idea, I'm not a Mac person. Homebrewed sounds like beer.

The only issues I'm aware of with openssl and macs would be to
disable tls1.2 as I think has already been mentioned, but I think
Apple disabled that anyway for the time being because it broke too
much stuff.

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at leicester.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
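
The CA, server and client certificate roles described in the message above, as an added example that is not part of the original post or of FreeRADIUS. It builds a throwaway PKI with plain `openssl` commands (constructed test data, not the FreeRADIUS certs Makefile) using the same file names, then shows that `ca.pem` is rejected when offered as the server certificate; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: constructed throwaway PKI, file names as in the message.

make_demo_pki() {  # $1 = output directory
    dir=$1
    # Self-signed root CA (the role of ca.pem)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1
    # Server and client certificates, each signed by that CA
    for role in server client; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=example $role" \
            -keyout "$dir/$role.key" -out "$dir/$role.csr" 2>/dev/null || return 1
        openssl x509 -req -in "$dir/$role.csr" -days 1 \
            -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
            -out "$dir/$role.pem" 2>/dev/null || return 1
    done
}

is_self_signed() {  # $1 = certificate; true when subject equals issuer
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ "$subj" = "$iss" ]
}

signed_by() {  # $1 = CA certificate, $2 = certificate to verify
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

check_server_cert() {  # $1 = CA certificate, $2 = proposed server certificate
    # "openssl verify" alone accepts the CA against itself, so test this first.
    if is_self_signed "$2"; then
        echo "FAIL: $2 is self-signed (a CA cert, not a server cert)"
        return 1
    fi
    if ! signed_by "$1" "$2"; then
        echo "FAIL: $2 does not chain to $1"
        return 1
    fi
    echo "OK: $2 is issued by $1"
}

demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir" &&
    check_server_cert "$demo_dir/ca.pem" "$demo_dir/server.pem"
# The misconfiguration from the thread: the CA cert used as the server cert.
check_server_cert "$demo_dir/ca.pem" "$demo_dir/ca.pem" || true
rm -rf "$demo_dir"
```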

