On 17/10/2019 15.28, [email protected] wrote:
After adding the very simple barebones ServerRADSEC clause shown below to my configuration:
It's a bit too simple: add TLS_CAFile or TLS_CAPath too. What is missing is the information about which client certificates the server side should trust.
<ServerRADSEC>
        Identifier UT-Backend-RADSEC
        Port 2083
        Protocol tcp
        Secret SomethingVerySecret
        UseTLS
        TLS_Protocols TLSv1.1,TLSv1.2
        TLS_CertificateType PEM
        TLS_CertificateFile %D/certs/cert.pem
        TLS_PrivateKeyFile %D/certs/key.pem
        TLS_Ciphers DEFAULT
</ServerRADSEC>

Radiator logs the following errors on startup:
ERR: StreamTLS could not load_verify_locations , : 4100: 1 -
The log above prints the values of TLS_CAFile and TLS_CAPath. See goodies/radsec-server.cfg for a configuration sample. The sample uses TLS_CAFile to specify which CA certificates the server side should trust. It's OK to specify only one of the parameters, but both cannot be undefined.
For more information about the OpenSSL library call Radiator makes, see the SSL_CTX_load_verify_locations documentation here:
https://www.openssl.org/docs/manmaster/man3/SSL_CTX_load_verify_locations.html
error:25078067:DSO support routines:win32_load:could not load the shared library 00000000
4100: 2 - error:25070067:DSO support routines:DSO_load:could not load the shared library 00000000
4100: 3 - error:260B6084:engine routines:dynamic_load:dso not found 00000000
4100: 4 - error:2606A074:engine routines:ENGINE_by_id:no such engine
--
Heikki Vatiainen <[email protected]>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP, DIAMETER etc.
Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.

_______________________________________________
radiator mailing list
[email protected]
https://lists.open.com.au/mailman/listinfo/radiator
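As an added illustration, not taken from this thread or from Radiator's goodies/radsec-server.cfg, here is the posted clause with the missing trust anchor supplied. The path %D/certs/ca.pem is an assumption: TLS_CAFile must point at a PEM bundle containing the CA certificate(s) that issued your RadSec clients' certificates, because this is what the server presents to OpenSSL via SSL_CTX_load_verify_locations and what every client certificate is verified against. TLS_CAPath would instead name a directory, which OpenSSL expects to hold certificates stored under their subject-hash file names (as produced by openssl rehash or c_rehash); a directory of plain .pem files is silently useless. The TLSv1.2-only TLS_Protocols value is also an assumption, chosen because TLSv1.1 is deprecated.

```text
# Added example (hypothetical paths), not the original poster's clause.
<ServerRADSEC>
        Identifier UT-Backend-RADSEC
        Port 2083
        Protocol tcp
        Secret SomethingVerySecret
        UseTLS
        # Assumption: drop TLSv1.1; it is deprecated.
        TLS_Protocols TLSv1.2
        TLS_CertificateType PEM
        TLS_CertificateFile %D/certs/cert.pem
        TLS_PrivateKeyFile %D/certs/key.pem
        # The missing piece: the CA bundle (PEM, hypothetical path) that
        # issued the client certificates this server should trust.
        # TLS_CAPath %D/certs/cadir would be the alternative; at least one
        # of the two must be set, or SSL_CTX_load_verify_locations fails.
        TLS_CAFile %D/certs/ca.pem
        TLS_Ciphers DEFAULT
</ServerRADSEC>
```

With a readable CA file in place the "StreamTLS could not load_verify_locations" line no longer appears at startup; if the file does not exist or is not readable, SSL_CTX_load_verify_locations still returns failure and Radiator logs the same error, now showing the configured path where the log above shows only ", :". A quick end-to-end check from a host holding a client certificate issued by that CA is openssl s_client -connect server:2083 -CAfile ca.pem -cert client.pem -key client.key, which should complete the handshake rather than being rejected during client-certificate verification.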
