On 5/05/2017 10:58, Heikki Vatiainen wrote:
> On 21.4.2017 17.11, Philip Brusten wrote:
>> OpenSSL added a new feature in 1.0.2 to accept a partial chain.
>> It can be set using this flag X509_V_FLAG_PARTIAL_CHAIN, which you
>> could set using Net::SSLeay::X509_STORE_set_flags.
>> Perhaps you could make an EAPTLS setting for this flag in Radiator?
>
> Getting back to this, yes, that's a good idea. We'll take a look at
> adding it. That was my intention too, I just did not acknowledge it
> until now.
>
> Meanwhile, here's something I found that might be of interest for you
> in case you are interested in tweaking certs:
> https://security.stackexchange.com/questions/17391/can-an-intermediate-ca-be-trusted-like-a-self-signed-root-ca
>
> The idea in the best answer is to modify the intermediate CA to look
> like a root CA or alternatively use your own root CA to create a
> modified chain.
Hmm, sounds like a dirty workaround. I think it's better to wait for the
X509_V_FLAG_PARTIAL_CHAIN flag in the RADIATOR software. Since we force
a CRL check, certificates from other intermediate CAs won't be trusted
because of this.
We will be happy to test this for you if you have a patch.
Regards,
Philip
_______________________________________________
radiator mailing list
[email protected]
http://lists.open.com.au/mailman/listinfo/radiator
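The following is an added example, not code from this thread, from Radiator or from Net::SSLeay. It shows what the X509_V_FLAG_PARTIAL_CHAIN flag discussed above changes, using the equivalent `openssl verify -partial_chain` switch of the OpenSSL command line (assumed to be OpenSSL 1.0.2 or later on PATH). All certificates are constructed on the fly: one root, two sibling intermediates and one leaf under each. With only `inter1` in the trust store, the default verifier rejects `leaf1` because the chain does not end in a self-signed root; with `-partial_chain` the same store accepts it, while `leaf2`, issued by the sibling intermediate under the same root, is still rejected, which is exactly the "only this intermediate, not the others" property the thread is after.

```shell
#!/bin/sh
# Added example: demonstrate partial-chain verification with the openssl CLI.
# Not from the Radiator thread or Net::SSLeay; assumes openssl >= 1.0.2 on PATH.
# Every certificate below is constructed here purely for the demonstration.
set -u

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CA_EXT="$WORK/ca.ext"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$CA_EXT"

# new_key_and_csr NAME SUBJECT: fresh RSA key plus CSR under $WORK (constructed names)
new_key_and_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
}

# Constructed PKI: root -> {inter1, inter2} -> {leaf1, leaf2}
new_key_and_csr root "/CN=Constructed Root CA"
openssl x509 -req -days 2 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -extfile "$CA_EXT" -out "$WORK/root.pem" >/dev/null 2>&1

for ca in inter1 inter2; do
    new_key_and_csr "$ca" "/CN=Constructed Intermediate $ca"
    openssl x509 -req -days 2 -in "$WORK/$ca.csr" -CA "$WORK/root.pem" \
        -CAkey "$WORK/root.key" -CAcreateserial -extfile "$CA_EXT" \
        -out "$WORK/$ca.pem" >/dev/null 2>&1
done

for n in 1 2; do
    new_key_and_csr "leaf$n" "/CN=eap-client-$n.example"
    openssl x509 -req -days 2 -in "$WORK/leaf$n.csr" -CA "$WORK/inter$n.pem" \
        -CAkey "$WORK/inter$n.key" -CAcreateserial \
        -out "$WORK/leaf$n.pem" >/dev/null 2>&1
done

# verify_leaf ANCHOR LEAF [extra openssl verify options]
# Exit status is openssl's: 0 when the chain verifies against ANCHOR, non-zero otherwise.
verify_leaf() {
    _anchor="$1"; _leaf="$2"; shift 2
    openssl verify "$@" -CAfile "$_anchor" "$_leaf" >/dev/null 2>&1
}

# show LABEL COMMAND...: print accepted/rejected for a verification attempt
show() {
    _label="$1"; shift
    if "$@"; then echo "accepted: $_label"; else echo "rejected: $_label"; fi
}

show "leaf1, trust store = inter1, default verifier" \
    verify_leaf "$WORK/inter1.pem" "$WORK/leaf1.pem"
show "leaf1, trust store = inter1, -partial_chain" \
    verify_leaf "$WORK/inter1.pem" "$WORK/leaf1.pem" -partial_chain
show "leaf1, trust store = root, inter1 supplied as untrusted" \
    verify_leaf "$WORK/root.pem" "$WORK/leaf1.pem" -untrusted "$WORK/inter1.pem"
show "leaf2 (sibling intermediate), trust store = inter1, -partial_chain" \
    verify_leaf "$WORK/inter1.pem" "$WORK/leaf2.pem" -partial_chain
```

The first and second calls differ only in the flag, so they isolate what X509_V_FLAG_PARTIAL_CHAIN buys: the intermediate in the store becomes a valid trust anchor without forging a root or rebuilding the chain. The third call is the conventional full-chain setup for comparison, and the fourth confirms that trusting one intermediate does not implicitly trust anything else signed by the same root.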