[RP #2160] EAP-TLS | OCSP with Intermediate CA

Isaac Boukris iboukris at gmail.com
Wed Jan 24 14:18:17 CET 2018

On Wed, Jan 24, 2018 at 10:20 AM, Alan DeKok <aland at deployingradius.com> wrote:
> On Jan 23, 2018, at 1:07 PM, Isaac Boukris <iboukris at gmail.com> wrote:
>> Any thoughts on this? I can collect server debug of this flow, before
>> and after the patches if it helps.
>   I think it looks good.  I'll have to go over it in detail, which is why it's taking so long.
>   It's important for me to understand the consequences of changing core behaviour...

Thank you for the initial feedback.

On a related note, I'd like to mention that I also thought of
proposing a new directive like 'untrusted_ca_file', which we'd load
with 'SSL_CTX_add_extra_chain_cert()' and only use it to complete the
chain (if the client didn't send it),  like 'openssl verify
-untrusted' option, but I can't think of a practical benefit over just
adding it to 'ca_file' as trusted.


More information about the Freeradius-Users mailing list