OK, I found why it core-dumped.
I thought that CA_file and CA_path needed to be set separately,
so when setting CA_path I was commenting out CA_file.
Now that both CA_file and CA_path directives are present in eap.conf, it
doesn't core-dump anymore.
Anyway, I found my real problem. It's from the securew2 Windows EAP-TTLS client:
it doesn't support certificates above 2048 bits, and our 3-level CA chain
is composed of 3 x 4096-bit CA certificates.
So securew2 was complaining about a wrong certificate from freeradius,
because it couldn't read such a "large" bundle.
As stated on the securew2 mailing list:
Tom Rixom wrote:
At the moment sw2 supports certificate file sizes up to 2048.
This will be upped in the next release candidate.
As soon as we have a release candidate (hopefully end of this month)
you can test it.
We are waiting for a new securew2 release to validate that.
Alan DeKok wrote:
Jehan PROCACCIA wrote:
Actually I wasn't suggesting that it is a bug,
A core dump is a bug. The files I suggested you read contain
instructions that help us fix the bug.
my initial question is how
one can use that CA_path directive
and what the CA_path should contain.
If it's a bug, then I should rather update my freeradius-2.0.3-3.el5 to
2.1.1 or so ?
I would suggest trying that.
but I am surprised to be the only one having that problem.
indeed I do have a /usr/share/doc/freeradius-2.0.3 directory containing
docs
but nothing on the CA_path directive, neither in bugs, ChangeLog, rlm_eap
or any other file.
How about eap.conf? The CA path is a path to a directory containing
certs and CRL's. This is *documented* in eap.conf.
My initial question is: "how to configure eap.conf tls section to load a
multi-level certificate hierarchy (CA bundle)" ?
Include the certificates in the CA_path directory.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
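
An added example, not part of the original thread and not FreeRADIUS's own tooling: one way to turn a multi-level CA bundle into a directory usable as CA_path. It assumes the directory is read through OpenSSL's hashed-directory lookup, which finds certificates by `<subject-hash>.N` names; the function names, the `ca-N.pem` file naming and the sample bundle are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): fill a CA_path directory from a bundle.

# split_bundle BUNDLE DIR: write each certificate found in BUNDLE to
# DIR/ca-N.pem (hypothetical naming) and print how many were written.
# Text outside the BEGIN/END markers is dropped.
split_bundle() {
    mkdir -p "$2" || return 1
    awk -v dir="$2" '
        /^-----BEGIN CERTIFICATE-----/ { n++; out = dir "/ca-" n ".pem"; keep = 1 }
        keep { print > out }
        /^-----END CERTIFICATE-----/ { keep = 0; close(out) }
        END { print n + 0 }
    ' "$1"
}

# rehash_dir DIR: create the <subject-hash>.N links that OpenSSL's directory
# lookup needs. Requires real certificates; "openssl rehash" exists since
# OpenSSL 1.1.0, c_rehash is the older script.
rehash_dir() {
    openssl rehash "$1" 2>/dev/null || c_rehash "$1"
}

# make_sample_bundle FILE: constructed 3-entry bundle with placeholder bodies
# (not real certificates), only to exercise split_bundle offline.
make_sample_bundle() {
    for level in root intermediate issuing; do
        printf 'subject=CN=constructed %s CA\n' "$level"
        printf '%s\n' '-----BEGIN CERTIFICATE-----' 'UExBQ0VIT0xERVI=' \
            '-----END CERTIFICATE-----'
    done > "$1"
}

if [ "$#" -eq 2 ]; then
    # Real use: sh script.sh ca-bundle.pem /path/to/certs
    split_bundle "$1" "$2" >/dev/null && rehash_dir "$2"
else
    demo=$(mktemp -d) || exit 1
    make_sample_bundle "$demo/bundle.pem"
    echo "certificates written: $(split_bundle "$demo/bundle.pem" "$demo/certs")"
    rm -rf "$demo"
fi
```

After running it on a real bundle, `openssl verify -CApath <dir> server.pem` confirms that the whole chain resolves from the directory before eap.conf is pointed at it.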