On Mar 17, 2005, at 6:25 PM, "Alan DeKok" wrote:
> Andreas Wolf <[EMAIL PROTECTED]> wrote:
>> In older versions of freeRadius (before 1.0.0) when using TLS, TTLS or
>> PEAP the supplicant used to receive the entire certificate chain. In my
>> simple setup that was the server cert and the root cert.
>> Now, I am running 1.0.2 and the server only ever sends the server cert,
>> never the root cert anymore.
>
>   Hmm...
>
>> Was this a conscious decision? What was the rationale for that? Can it
>> be configured to do either?
>
>   I don't see any differences in the code in the EAP-TLS module, between
> 1.0.1 and 1.0.2. I don't know how to explain the difference in behavior.
>
>   There is a minor difference between 1.0.0 and 1.0.1, but it
> shouldn't affect that.

Yeah, I didn't think it changed since 1.0.0 but more likely sometime between 0.9.x and 1.0.0.
Unless it is something in the configuration or certificates themselves (?)
To be clear, the OpenSSL stuff works, the server just doesn't seem to send the entire certificate chain anymore, only the last certificate in the chain, i.e. the server cert.


Does anybody know why that could've changed? The only reason I can imagine is that it's for
performance reasons. Not having to send the root cert saves some cycles and some bandwidth, I suppose.
Anything else? Or is it a bug?
It would be great if it could be configurable, e.g. in the TLS section of eap.conf...


Thanks,
-Andreas

