On 1:59 PM, Stephen A. Felicetti wrote:
> On Nov 4, 2010, at 3:32 PM, David Zych wrote:
>>
>> I fought with this same issue and eventually discovered that the
>> Radiator documentation is misleading: including both an
>> EAPTLS_CertificateFile (for the server cert) and an
>> EAPTLS_CertificateChainFile (for the intermediate cert) does not work
>> because the underlying call to SSL_CTX_use_certificate_chain_file()
>> expects a *single* file that contains *all* of the necessary certs.
>>
>> What you want to do is put them all in one file with yours on top:
>> cat wirelesscert.pem thawte.SSL123bundle.pem > fullchain.pem
>>
>> and specify:
>> EAPTLS_CertificateChainFile %D/certificates/cert/fullchain.pem
>>
>> (do not include an EAPTLS_CertificateFile directive)
>
> If I exclude the EAPTLS_CAFile, I get the following error:
>
> Thu Nov 4 16:06:42 2010: ERR: TLS could not load_verify_locations , :
> Thu Nov 4 16:06:42 2010: DEBUG: EAP result: 1, EAP TTLS Could not initialise
> context
> Thu Nov 4 16:06:42 2010: DEBUG: AuthBy FILE result: REJECT, EAP TTLS Could
> not initialise context
> Thu Nov 4 16:06:42 2010: INFO: Access rejected for fistrainlap8: EAP TTLS
> Could not initialise context

You still need to specify either an EAPTLS_CAFile or EAPTLS_CAPath (it doesn't really mean much if you're not using client certs, but as you've just discovered, TTLS can't initialize without the declaration).
