EAP-TLS unable to get local issuer certificate

Alan DeKok aland at deployingradius.com
Thu Jun 8 06:49:17 UTC 2023


On Jun 8, 2023, at 7:37 AM, MH <h33927318 at gmail.com> wrote:
> 
> As I wrote in my first post, "openssl verify" command outputs that client
> certificate is trusted.

   That doesn't matter.  The "openssl verify" command is looking in different directories for the CA certs.  Your posts make this clear.

  If you give the "openssl" command the same ca path / cert files that you give FreeRADIUS, then the command will return the same result as FreeRADIUS.  Because both of them use the same underlying OpenSSL APIs.

  This isn't magic.

> I think that without specifying "-CAFile" in
> "openssl verify" it looks for trusted CAs in default locations.
> So it works with or without -CAFile (i.e. default OS system CA store and
> custom CA store).
> I expect FreeRadius does the same since it uses OpenSSL.

  I see... so you configured FreeRADIUS with an explicit CA path, pointers to cert files, etc. but you don't expect it to use those?  Instead, you expect it to look in other directories?

  That's a very strange expectation.

  FreeRADIUS doesn't use the OS defaults for CA paths, because doing so would be wrong.  A little bit of thinking about the subject will educate you as to why this is so.

> I did run strace on "openssl verify" and I saw very clearly what files are
> examined for trusted CAs (it extracts the IssuerName from the client cert, hashes it
> and then searches for a filename with that hash in the trusted CA stores).
> I tried that same approach with "strace freeradius -fxxx" + "eapol_test
> ..." and did not find any similar output (just accessing server certificate
> and key but not any other *.PEM).
> 
> Regarding the debug output: that's it.

  No, that's not it.  There's a lot more in the debug output than what you posted.

  But since you clearly know more than us, and you have no intention of following the documentation or our advice, I think you're on your own.  You clearly have the skills to fix this, and we don't.

  i.e. I've never understood the psychology of asking people for help, and then arguing with them about the answers.  It's bizarre.

  Alan DeKok.
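The point made above, that "openssl verify" only agrees with FreeRADIUS when it is given the same ca_path and nothing else, as an added shell example that is not from this thread or from the FreeRADIUS project; the CA directory and file names are assumptions, and the hash-named lookup is the one MH saw in strace:

```shell
#!/bin/sh
# Added example: build a throwaway CA and client cert, install the CA into a
# hashed ca_path directory, and verify against exactly that directory versus
# an empty one. Directory and file names below are assumptions.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found; skipping" >&2; exit 0; }

WORK="${WORK:-$(mktemp -d)}"
CA_DIR="$WORK/ca_path"        # stand-in for the ca_path FreeRADIUS is configured with
EMPTY_DIR="$WORK/empty_path"  # a ca_path that does not contain the issuer
mkdir -p "$CA_DIR" "$EMPTY_DIR"

# Constructed test CA and client certificate (throwaway keys, two-day lifetime).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
  -subj "/CN=Example Lab CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=client1" \
  -keyout "$WORK/client.key" -out "$WORK/client.csr" >/dev/null 2>&1
openssl x509 -req -sha256 -days 2 -in "$WORK/client.csr" \
  -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
  -out "$WORK/client.pem" >/dev/null 2>&1

# OpenSSL finds an issuer in a CApath by looking for <subject_hash>.0, which is
# the filename lookup visible in an strace of "openssl verify".
HASH=$(openssl x509 -noout -subject_hash -in "$WORK/ca.pem")
cp "$WORK/ca.pem" "$CA_DIR/$HASH.0"

# Returns 0 when the client cert chains to a CA in the given directory.
# -no-CAfile/-no-CApath stop openssl from also consulting the OS default store,
# which is what made "openssl verify" look more permissive than FreeRADIUS.
verify_with_capath() {
  dir="$1"; cert="$2"
  openssl verify -no-CAfile -no-CApath -CApath "$dir" "$cert" >/dev/null 2>&1
}

# Same CA directory as FreeRADIUS -> trusted.
verify_with_capath "$CA_DIR" "$WORK/client.pem" && echo "ca_path: OK"
# Directory without the issuer -> "unable to get local issuer certificate".
verify_with_capath "$EMPTY_DIR" "$WORK/client.pem" || echo "empty path: rejected"
```

Dropping the two -no-* options reproduces the behaviour MH described, where the default OS store silently makes the client certificate verify.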


