François! Good to hear from you ;) Was almost sure you'd be the one answering this mail!

On another note, we try to avoid having to configure stuff on the client computer. Since we're using a "valid SSL cert", we don't want end users to accept, check, or add certs on their side.

On 2013-02-06 10:13 AM, Francois Gaudreault wrote:
> Ahhh! I remember those issues :P
>
> Did you try (on Windows) to add the chain into the system/computer
> keystore, not only the user keystore?
>
> Browsers are able, using OCSP, to follow the chain, and grab the certs
> on the Internet if needed. That's why the OCSP proxy config has been
> added to the httpd config in PF 3.5ish.
>
> Francois
>
> On 2013-02-05 10:14 AM, Derek Wuelfrath wrote:
>> EHLO list!
>>
>> Currently running into an "issue" and want to gather some insight to
>> understand if it is actually a real "issue" or the normal workflow.
>> Here's the situation:
>>
>> By running PacketFence/FreeRADIUS on a secure SSID using PEAP with a valid
>> SSL certificate signed by RapidSSL, we encounter the strange behavior
>> that each client (Microsoft Windows, Apple OS X, Apple iOS) actually
>> prompts the end user to accept/validate the certificate, stating that this
>> certificate is signed by a known authority but actually can't be
>> "verified". We tried to send the whole chain right into the certificate,
>> send the chain with the CA_file FreeRADIUS parameter, nothing actually
>> "solves the issue".
>>
>> On the other hand, when reaching the captive-portal (which is using the
>> exact same certificate with chain file), the browsers are not
>> complaining and it seems like a valid SSL certificate.
>>
>> I'm wondering if it is now a "normal workflow" when connecting to a PEAP
>> secured SSID to ask the end user to accept/validate the chained certificate?
>>
>> Any insight, tricks, ideas are more than welcome.
>>
>> Thanks!
>>
>> Derek
>>
>
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users

--
[email protected] :: +1.514.447.4918 (x110) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
