David Mitchell wrote:
> Alan DeKok wrote:
>> David Mitchell wrote:
>>> I now have 2.1.10 compiled and running. It seems to work fine. I did
>>> have to make one change to my configuration. I had been using CA_path to
>>> refer to the certificates which can authenticate clients for EAP-TLS
>>> authentication in 2.1.8. In 2.1.10, that doesn't seem to work. If I
>>> specify a single file via CA_file that works fine. I can manage either
>>> way I think since the file referenced in CA_file can contain multiple
>>> certificates. I did verify that I had run 'c_rehash' in my CA_path
>>> directory. I'm not sure why CA_path doesn't work since the OpenSSL docs
>>> indicate that they are largely interchangeable. Is it an intentional
>>> change?
>> Nope. It's not an intentional change. I don't know why it would be
>> different.
>
> I did change OpenSSL versions as well so I can't say for sure that it
> has anything to do with FreeRadius. I'll try and poke around some and
> see if I can figure out what's going on. Thanks for confirming it wasn't
> meant to change.

I've done some recompiling and I believe that the new behavior is due to
the new version of OpenSSL. If I compile FreeRadius using the default
Debian OpenSSL (0.9.8g) I can use CA_path as expected. Compiling
FreeRadius and specifying the locally installed OpenSSL 1.0.0a results in
CA_path not working. In both cases I was compiling FR 2.1.9.

I have not dug into the OpenSSL code. I've looked in there before and it
scares me ;-)

-David

>
> -David
>
>> Alan DeKok.
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>
> --
-----------------------------------------------------------------
| David Mitchell (mitch...@ucar.edu)       Network Engineer IV  |
| Tel: (303) 497-1845                      National Center for  |
| FAX: (303) 497-1818                      Atmospheric Research |
-----------------------------------------------------------------
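
One thing worth checking for the symptom reported above (CA_path works with one OpenSSL build but not another, while CA_file works with both): OpenSSL 1.0.0 changed the subject-name hash used for the `<hash>.N` link names in a CA directory, and `openssl x509` prints the two values with `-subject_hash` and `-subject_hash_old`. The script below is an added example, not part of the original messages and not FreeRADIUS or OpenSSL code; the function name `check_ca_path` and the `.pem`/`.crt`/`.cer` extensions are assumptions.

```shell
#!/bin/sh
# Added example: verify that a CA_path directory has the hash links that a
# given openssl binary will look up. Usage: check_ca_path DIR [OPENSSL_BIN]
check_ca_path() {
    dir=$1
    ossl=${2:-openssl}
    missing=0
    for cert in "$dir"/*.pem "$dir"/*.crt "$dir"/*.cer; do
        [ -f "$cert" ] || continue
        # Name this OpenSSL build looks up in the directory: <hash>.<n>
        hash=$("$ossl" x509 -noout -subject_hash -in "$cert" 2>/dev/null) || continue
        fp=$("$ossl" x509 -noout -fingerprint -sha256 -in "$cert")
        found=no
        for link in "$dir/$hash".[0-9]*; do
            [ -e "$link" ] || continue
            # A link only counts if it resolves to this same certificate.
            lfp=$("$ossl" x509 -noout -fingerprint -sha256 -in "$link" 2>/dev/null) || continue
            if [ "$lfp" = "$fp" ]; then found=yes; break; fi
        done
        if [ "$found" = yes ]; then
            echo "OK       $hash  $cert"
            continue
        fi
        missing=$((missing + 1))
        # Pre-1.0.0 hash: a link under this name means the directory was
        # hashed by an older c_rehash than the library now reading it.
        old=$("$ossl" x509 -noout -subject_hash_old -in "$cert" 2>/dev/null) || old=
        if [ -n "$old" ] && [ -e "$dir/$old.0" ]; then
            echo "OLD-HASH $hash  $cert (only $old.0 present)"
        else
            echo "MISSING  $hash  $cert"
        fi
    done
    # Succeed only when every certificate has a usable link.
    [ "$missing" -eq 0 ]
}

# Run against a directory when one is given on the command line.
if [ "$#" -gt 0 ]; then check_ca_path "$@"; fi
```

Pass the path of the openssl binary that the server is linked against as the second argument; an `OLD-HASH` line means the directory needs to be re-hashed with the `c_rehash` that ships with that build.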