Jorgen Rosink wrote:
On 2/13/06, Norbert Wegener <[EMAIL PROTECTED]> wrote:
Alan DeKok wrote:
1.0.x doesn't support certificate chains. 1.1.0 does.
hm:
Script started on Mon Feb 13 19:34:45 2006
lnxad:/etc # radiusd -v
radiusd: FreeRADIUS Version 1.1.0, for host , built on Feb 13 2006 at 19:31:10
I had the same issue as you last week. Alan pointed me to the
extensions needed in the certificates to use with FreeRADIUS.
[ xpclient_ext]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
In my case these extensions were missing in the certificate I got,
did you check yours?
Thanks, but this seems not to be the problem. Those extensions exist in
the certificate.
At least I am able to see them when importing the certificate into Windows:
Serverauthentication(1.3.6.1.5.5.7.3.1)
Clientauthentication(1.3.6.1.5.5.7.3.2)
Ip-security-IKE,intermediate(1.3.6.1.5.5.8.2.2)
and the same certificate with openssl shows me:
...
    X509v3 Basic Constraints: critical
        CA:FALSE
    X509v3 Key Usage:
        Digital Signature, Key Encipherment
    1.3.6.1.4.1.311.21.7:
        0,[EMAIL PROTECTED]
    X509v3 Extended Key Usage:
        TLS Web Server Authentication, TLS Web Client Authentication, 1.3.6.1.5.5.8.2.2
    1.3.6.1.4.1.311.21.10:
That should be sufficient, correct?
So maybe there is another reason for that problem?
Norbert Wegener
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
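
The manual check discussed in this thread, as an added example that is not part of the original messages or of FreeRADIUS: it reads `openssl x509 -noout -text` output and reports whether the server or client authentication EKU is present. The function names and the sample text are assumptions constructed for illustration.

```python
import re

# EKU OIDs named in the thread (xpserver_ext / xpclient_ext).
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
# Names that `openssl x509 -text` prints in place of those OIDs.
NAME_TO_OID = {"TLS Web Server Authentication": SERVER_AUTH,
               "TLS Web Client Authentication": CLIENT_AUTH}
EKU_HEADER = re.compile(r"^(\s*)X509v3 Extended Key Usage:\s*(critical)?\s*$")

def extended_key_usages(text):
    """Return the set of EKU OIDs in `openssl x509 -noout -text` output, or None."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = EKU_HEADER.match(line)
        if not m:
            continue
        indent, values = len(m.group(1)), []
        for nxt in lines[i + 1:]:
            # Value lines are indented deeper than the extension header.
            if not nxt.strip() or len(nxt) - len(nxt.lstrip()) <= indent:
                break
            values.append(nxt.strip())
        items = [v.strip() for v in ",".join(values).split(",") if v.strip()]
        return {NAME_TO_OID.get(v, v) for v in items}
    return None  # extension absent from the certificate

def check_role(text, role):
    """role is 'server' or 'client' (hypothetical labels); returns (ok, reason)."""
    required = SERVER_AUTH if role == "server" else CLIENT_AUTH
    ekus = extended_key_usages(text)
    if ekus is None:
        return False, "no Extended Key Usage extension"
    if required not in ekus:
        return False, "missing " + required
    return True, "ok"

# Constructed sample input, modelled on the openssl output quoted in the thread.
SAMPLE_BOTH = """\
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication, 1.3.6.1.5.5.8.2.2
"""
SAMPLE_CLIENT_ONLY = SAMPLE_BOTH.replace("TLS Web Server Authentication, ", "")
SAMPLE_NO_EKU = SAMPLE_BOTH.split("            X509v3 Extended")[0]
```

A passing result only rules out missing EKUs as the cause, which is the situation the last poster describes.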