Reimer Karlsen-Masur, DFN-CERT wrote:
> This is definitely more elegant than my suggestion but I found that many
> FreeRADIUS admins get confused by the
>
> CA_file
> CA_path
>
> options. They think that they need to place the CA chain from *their
> FreeRADIUS server's SSL certificate* in the file/directory specified in the above
> options.

I've added some comments in eap.conf && raddb/certs/README explaining more about these issues.

> But by doing so they most likely implicitly trust these CAs for
> client authentication via EAP-TLS, i.e. they enabled EAP-TLS with some set of
> trusted CAs that were never intended to authenticate client certs for their
> organisation.

That's the whole purpose of CA_file, to be honest.

> Whereas the CA chain of *their FreeRADIUS server's SSL certificate* should be
> appended to the server certificate file specified with the
>
> certificate_file
>
> option.

That is another way of doing it.

> So since specifying an empty CA_file does not work (FreeRADIUS does not
> start) the only way for a really clean minimal config that is not allowing
> EAP-TLS is to have an empty CA_path directory.

That sounds reasonable. I've updated the code to permit CA_file to be empty, and added comments in eap.conf && raddb/certs/README about this.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
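As an added illustration (not part of this thread or of the FreeRADIUS distribution), the two eap.conf `tls` sections below contrast the misreading Reimer describes with the minimal setup the thread arrives at; directive names follow raddb/eap.conf of this era, and all file names and paths are placeholders.

```conf
# Misconfigured: the admin copies the *server* certificate's CA chain into
# CA_file, believing it is needed to present the chain to supplicants.
# Every CA in that bundle becomes a trusted issuer of EAP-TLS *client*
# certificates, so any client certificate chaining to one of them passes
# verification, even though EAP-TLS was never meant to be offered.
tls {
    certdir          = ${confdir}/certs               # placeholder paths
    cadir            = ${confdir}/certs
    private_key_file = ${certdir}/server.key
    certificate_file = ${certdir}/server.pem          # server cert only
    CA_file          = ${cadir}/public-ca-bundle.pem  # unintended trust anchors
    CA_path          = ${cadir}
    dh_file          = ${certdir}/dh
    random_file      = /dev/urandom
}

# Minimal configuration that admits no EAP-TLS client certificate: the
# server's chain is appended to certificate_file (server cert first, then
# its intermediate CA(s)), and the client trust store is left empty.
tls {
    certdir          = ${confdir}/certs
    cadir            = ${confdir}/certs
    private_key_file = ${certdir}/server.key
    certificate_file = ${certdir}/server-with-chain.pem
    # With the change described above, CA_file may be left empty. Builds
    # that still refuse to start with an empty CA_file must instead omit
    # it and rely solely on an empty CA_path directory.
    CA_file          = ""
    CA_path          = ${cadir}/empty-trust-dir       # directory with no certificates in it
    dh_file          = ${certdir}/dh
    random_file      = /dev/urandom
}
```

To see which issuers a given CA_file actually trusts before deploying it, list its certificates with `openssl crl2pkcs7 -nocrl -certfile ca.pem | openssl pkcs7 -print_certs -noout`.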