[Spam?] Re: FYI, I gave up on eap-tls for OS X and ios.

Alan DeKok aland at deployingradius.com
Thu Mar 30 14:33:29 CEST 2017

On Mar 29, 2017, at 7:24 PM, John Tobin <jtobin at po-box.esu.edu> wrote:
> I have a self signed cert because [ I believe ] that is the test cert you
> get when you install radius.
> /etc/raddb/cert has a make, you run the make for test certs.

  Yes... we're well aware of that.

> I have doc that suggests os x and ios will no longer allow self signed
> certs,

  I use a self-signed CA which issues a server cert every day with OSX and iOS.  I don't know what magic doc you're reading (and you don't say what it is).

> and it was suggested that I should have a self signed cert for free
> Radiusd eap-tls.

  Who suggested it?  The test certificates (and the process used to create them) work on every OS.  That's why they exist... so people should use them.

> The os x machines have no mods for a "homebrewed" openssl?

  I'm not sure what you mean by that.

  FreeRADIUS will work with the OpenSSL that's distributed with OSX.  It will complain about the old version, but it will work.

> I am testing against sierra and elcapitan, and I was also told

  By who?  And why do you believe some random document, or some random person instead of the experts on this list?

> I would
> have to get special versions of openssl for os x at those levels because
> of problems in openssl...
> You have to implement homebrew openssl install.....

  I would suggest using a home-brew version of OpenSSL.  It's more up to date.  But it's not *required*.

  I think a good part of the problem here is that you're reading random documentation.  I don't know where you're getting that information from, but most of it is wrong.

  FreeRADIUS works.  The scripts included with it work.  The certificates it builds work.  The documentation in FreeRADIUS is correct.

  Why would you go reading random *wrong* documentation, and ignore the *working* and *correct* documentation in front of you?

  i.e. if you're having problems with some third-party documentation, go ask *them* why their documentation doesn't work.

  Alan DeKok.

