FreeRADIUS EAP-TLS Auth. Issues

Gerald Vogt echelon.ibex-0l at icloud.com
Thu Jan 25 07:28:42 UTC 2024


On 25.01.24 00:22, Gerald Vogt wrote:
> On 24.01.24 21:56, Alan DeKok wrote:
> You made it absolutely clear by now, in verbatim statements, that you 
> don't want my contribution of any kind. Who am I to dare to post 
> something on this list to help someone else??

So just to make this clear: you don't want my contributions.

You don't want my contributions to other users on this list, that's why 
you have banned me.

You don't want my contributions on github, which is why you have blocked 
me from forking the repository.

You have banned me from submitting a PR, which you insist I should do.

So I have learned you don't want my contributions. And you are doing 
everything to prevent me from even trying to.

So here is my contribution, lacking any other way to make you understand 
that I would, if I could and you accepted it, based on the breadcrumbs you 
have left to fill in and guessing at what I do not know. So, based on many 
assumptions, my suggestion is below.

I am well aware that this is most likely a completely wasted effort, but 
who knew that you would pull out the complete and global ban on me...

g

ps. don't waste any time on banning this email, too. I'll unsubscribe 
and delete this address right after this...

diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
index f38ac6f691..8d26c90e5b 100644
--- a/raddb/mods-available/eap
+++ b/raddb/mods-available/eap
@@ -197,15 +197,14 @@ eap {
  	#  authenticate via EAP-TLS!  This is likely not what you want.
  	#
  	tls-config tls-common {
-		private_key_password = whatever
-		private_key_file = ${certdir}/server.pem
-
  		#  If Private key & Certificate are located in
  		#  the same file, then private_key_file &
  		#  certificate_file must contain the same file
  		#  name.
  		#
-		#  If ca_file (below) is not used, then the
+		private_key_password = whatever
+		private_key_file = ${certdir}/server.pem
+
  		#  certificate_file below SHOULD also include all of
  		#  the intermediate CA certificates used to sign the
  		#  server certificate, but NOT the root CA.
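Review bot: the hunk removes `#  If ca_file (below) is not used, then the` but keeps its continuation, so after the move the comment above `certificate_file` now opens mid-sentence with `#  certificate_file below SHOULD also include all of`, and the condition that this advice only applied when ca_file is not used is lost. Either restore the removed line after the relocated `private_key_file` setting, or rewrite the remaining lines as a complete sentence that states when the intermediate CA certificates must be in certificate_file. A smaller point: the relocated `private_key_password`/`private_key_file` settings are followed by a bare blank line, whereas every other paragraph break in this block is a `#` line.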
@@ -222,39 +221,38 @@ eap {
  		#  server.pem, followed by CA1.pem, followed by
  		#  CA2.pem.
  		#
-		#  When using "ca_file" or "ca_path", the
-		#  "certificate_file" should contain only
-		#  "server.pem".  And then you may (or may not) need
-		#  to set "auto_chain", depending on your version of
-		#  OpenSSL.
-		#
-		#  In short, SSL / TLS certificates are complex.
-		#  There are many versions of software, each of which
-		#  behave slightly differently.  It is impossible to
-		#  give advice which will work everywhere.  Instead,
-		#  we give general guidelines.
-		#
  		certificate_file = ${certdir}/server.pem

-		#  Trusted Root CA list
+		#  All of the CAs in ca_file and ca_path will be
+		#  trusted to issue client certificates for
+		#  authentication. Both ca_file and ca_path can be
+		#  used at the same time.
+		#
+		#  If your client certificates have been issued by
+		#  an intermediate CA you must list all intermediate
+		#  CA certificates as well as the root CA certificates.
+		#  You can limit the acceptable client certificates
+		#  with check_cert_issuer and check_cert_cn or
+		#  with unlang statements
  		#
-		#  This file can contain multiple CA certificates.
-		#  ALL of the CA's in this list will be trusted to
-		#  issue client certificates for authentication.
+		#  Do not point ca_file or ca_path to your OS's
+		#  system default certificate bundle or directory!
+
+		#  ca_file can contain multiple CA certificates.
  		#
  		#  In general, you should use self-signed
  		#  certificates for 802.1x (EAP) authentication.
-		#  In that case, this CA file should contain
-		#  *one* CA certificate.
+		#  In that case, ca_file should contain *one*
+		#  CA certificate and ca_path should be undefined
+		#  or pointing to an empty directory.
  		#
  		ca_file = ${cadir}/ca.pem

-		#
-		#  Directory where multiple CAs are stored.  Both
-		#  "ca_file" and "ca_path" can be used at the same time.
-		#
-		#  Each file in this directory must contain one
-		#  certificate, and ONLY one certificate.
+		#  Directory where CAs (and CRLs) are stored. Each
+		#  certificate file in this directory must contain one
+		#  certificate, and ONLY one certificate. The directory
+		#  must also contain OpenSSL's hash links, e.g. generated
+		#  with c_rehash.
  		#
  		ca_path = ${cadir}

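Review bot: the new sentence `#  If your client certificates have been issued by an intermediate CA you must list all intermediate CA certificates as well as the root CA certificates.` should spell out the consequence that follows from the paragraph just above it (every CA in ca_file and ca_path is trusted to issue client certificates): each listed intermediate becomes a directly trusted issuer, which is exactly why the `check_cert_issuer` / `check_cert_cn` / unlang sentence matters, so put that reasoning next to it and give that sentence its missing closing period. Two further points: the deleted paragraph about keeping `certificate_file` to `server.pem` when `ca_file`/`ca_path` are used, and possibly needing `auto_chain`, is not replaced by anything, so that interaction is now only described in the auto_chain comment further down; and the bare blank line after `#  system default certificate bundle or directory!` breaks the `#` separator convention used for every other paragraph in this block.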
@@ -275,9 +273,10 @@ eap {
  	 	#  signature view, but wrong from the clients view.
  		#
  		#  When setting "auto_chain = no", the server certificate
-		#  file MUST include the full certificate chain.
+		#  file MUST include the full certificate chain. To avoid
+		#  possible problems auto_chain should not be enabled.
  		#
-	#	auto_chain = yes
+		auto_chain = no

  		#  If OpenSSL supports TLS-PSK, then we can use a
  		#  fixed PSK identity and (hex) password.  These can
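Review bot: turning the commented-out `#	auto_chain = yes` into an active `auto_chain = no` changes the shipped default, and by the comment kept in this hunk that means the server certificate file MUST now include the full certificate chain; a deployment that relied on the old default and has only the leaf certificate in certificate_file would start sending an incomplete chain once it picks up this config. A default change like this needs an entry in the upgrade notes, and the added sentence `To avoid possible problems auto_chain should not be enabled.` should name the problem it refers to (the chain that is correct from the signature view but wrong from the client's view, described just above) instead of "possible problems".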
