query on files under /etc/raddb/certs
SIMON BABY
simonkbaby at gmail.com
Thu Nov 12 23:00:00 CET 2020
Hi Alan,
When I read the README file, it says the following:
This directory contains scripts to create the server certificates.
To make a set of default (i.e. test) certificates, simply type:
$ ./bootstrap
The "openssl" command will be run against the sample configuration
files included here, and will make a self-signed certificate authority
(i.e. root CA), and a server certificate. This "root CA" should be
installed on any client machine needing to do EAP-TLS, PEAP, or
EAP-TTLS.
So can someone create a false certificate and key and create a session?
Also, if we delete all these scripts, is it then not possible to create any
certificate, and do we get complete control of where it gets the
certificates and keys?
Regards
Simon
On Thu, Nov 12, 2020 at 1:48 PM Alan DeKok <aland at deployingradius.com>
wrote:
> On Nov 12, 2020, at 2:44 PM, SIMON BABY <simonkbaby at gmail.com> wrote:
> >
> > Thank you for replying to me. So if I don't need to create certs and
> > keys, can I delete all those files
>
> If you're not using them, yes.
>
> > (To make them more secure by not creating any
> > cert and key by someone who can hack).
>
> That doesn't make sense. If you're not using them, it doesn't matter if
> someone else reads them. They don't mean anything, and they don't contain
> any useful information.
>
> > I have some static certs and key
> > files.
>
> You can *look* at those files to see what they are. There's a Makefile
> in raddb/certs which includes targets to print out the contents of the
> files. Or, you can use OpenSSL. These files aren't specific to
> FreeRADIUS. They're created with OpenSSL. So they can be read by OpenSSL.
>
> If you look at the files, odds are that they will be for "example.com"
> or "example.org". Which are web sites *not* owned by you. So the certs
> are entirely meaningless, and leaking the contents of these files does
> nothing.
>
> I am extremely wary of security theatre. If you want to delete files
> you don't use, that's one thing. But doing so does not make your systems
> any more secure.
>
> Alan DeKok.
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
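An added example, not from this thread or the FreeRADIUS project, of the OpenSSL inspection Alan describes: it summarises each certificate under a raddb/certs directory and flags the ones that still carry the example.com / example.org identities written by ./bootstrap, so you can tell the meaningless test certs from ones you actually deployed. It assumes the openssl command is installed and uses /etc/raddb/certs as the default directory.

```shell
#!/bin/sh
# Added example (not FreeRADIUS code): audit the certs in a raddb/certs
# directory with OpenSSL. Certificates whose subject or issuer names
# example.com / example.org are the stock ./bootstrap test certs; anything
# else is a real certificate whose private key you need to protect.

# Classify one PEM file: prints DEFAULT (bootstrap test identity), REAL
# (any other X.509 certificate) or SKIP (not a certificate, e.g. a key,
# CRL or DH parameter file, which openssl x509 refuses to parse).
classify_cert() {
    names=$(openssl x509 -in "$1" -noout -subject -issuer 2>/dev/null) \
        || { echo SKIP; return 0; }
    if printf '%s\n' "$names" | grep -qiE 'example\.(com|org)'; then
        echo DEFAULT
    else
        echo REAL
    fi
}

# One-line summary of a certificate: subject, issuer and validity window.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -issuer -dates 2>/dev/null | tr '\n' ' '
}

# Walk the directory (default /etc/raddb/certs), report every *.pem / *.crt
# file, and finish with a count of the non-default certificates found.
audit_certs() {
    dir="${1:-/etc/raddb/certs}"
    real=0
    for f in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$f" ] || continue
        kind=$(classify_cert "$f")
        case "$kind" in
            SKIP) echo "SKIP     $f  (not an X.509 certificate)" ;;
            *)    echo "$kind  $f  $(cert_summary "$f")" ;;
        esac
        [ "$kind" = REAL ] && real=$((real + 1))
    done
    echo "non-default certificates: $real"
}
```

Run `audit_certs` with no argument on the RADIUS host; a report that lists only DEFAULT entries means the directory holds nothing but the disposable bootstrap certs.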