[RP #2160] EAP-TLS | OCSP with Intermediate CA
Isaac Boukris
iboukris at gmail.com
Wed Jan 24 14:18:17 CET 2018
On Wed, Jan 24, 2018 at 10:20 AM, Alan DeKok <aland at deployingradius.com> wrote:
> On Jan 23, 2018, at 1:07 PM, Isaac Boukris <iboukris at gmail.com> wrote:
>> Any thoughts on this? I can collect server debug of this flow, before
>> and after the patches if it helps.
>
> I think it looks good. I'll have to go over it in detail, which is why it's taking so long.
>
> It's important for me to understand the consequences of changing core behaviour...
Thank you for the initial feedback.
On a related note, I'd like to mention that I also thought of
proposing a new directive like 'untrusted_ca_file', which we'd load
with 'SSL_CTX_add_extra_chain_cert()' and only use it to complete the
chain (if the client didn't send it), like the
'openssl verify -untrusted' option, but I can't think of a practical
benefit over just adding it to 'ca_file' as trusted.
Regards.
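
The two roles discussed in the message above (an intermediate supplied only to complete the chain, as with 'openssl verify -untrusted', versus the same intermediate placed among the trusted certificates) can be compared with the OpenSSL command line. This is an added example, not part of the original message or of FreeRADIUS; it assumes the OpenSSL 1.1.0 or later CLI, uses 'openssl verify' as a stand-in for the server-side check, and every certificate name in it is constructed.

```shell
#!/bin/sh
# Added example: throwaway 3-tier PKI (constructed names) used to compare the
# "untrusted, chain-completion only" role with the "trusted" role.
make_pki() {  # $1 = scratch directory
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$d/ca.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Example Root CA' \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj '/CN=Example Intermediate CA' \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj '/CN=example-client' \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# Print "ok" or "fail" for one `openssl verify` invocation.
v() { if openssl verify "$@" >/dev/null 2>&1; then echo ok; else echo fail; fi; }

# Assumption: the client presents only its leaf certificate.
run_cases() {  # $1 = directory prepared by make_pki
    d=$1
    # 1. Root trusted, intermediate not available: chain cannot be built.
    a=$(v -CAfile "$d/root.pem" "$d/leaf.pem")
    # 2. Root trusted, intermediate untrusted: it only completes the chain.
    b=$(v -CAfile "$d/root.pem" -untrusted "$d/int.pem" "$d/leaf.pem")
    # 3. Intermediate trusted, root absent: chain must still reach a root.
    c=$(v -CAfile "$d/int.pem" "$d/leaf.pem")
    # 4. Same, with partial chains allowed: the trusted intermediate anchors.
    e=$(v -partial_chain -CAfile "$d/int.pem" "$d/leaf.pem")
    # 5. Untrusted intermediate, no root given (system default store only):
    #    an untrusted certificate never acts as an anchor.
    f=$(v -partial_chain -untrusted "$d/int.pem" "$d/leaf.pem")
    echo "$a $b $c $e $f"
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_pki "$tmp" && run_cases "$tmp"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

demo   # prints: fail ok fail ok fail
```

With default verification settings the chain has to end at a trusted root in both roles; the roles diverge only when partial chains are accepted (cases 4 and 5).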