On 12/14/2011 05:21 PM, Röver, Christian wrote:
> The posted logfile is the full trace 4 logging and the config I posted
> before is the complete config (I only cut the descriptions and the lines that
> were commented out).

Ok.

> The certificates are all valid and have been verified by the toplevel-ca.
> Maybe it is useful to know, that we have our own CA.
> Our CA is the lowest in a row of three CA's. The CA-files are all stored in
> the CAPath-folder together with our own CA's chain file.

You could try TLS_CAFile instead of TLS_CAPath. Please see below for more.

> The error message tells about problems with the verification of a
> certificate. Is there any need to use the CA-files directly instead of the
> CAPath?

If you use CAPath, the certificate files are accessed by CA subject name hash. In most cases this means there's a symbolic link like this:

lrwxrwxrwx 1 root root 20 2011-10-13 16:42 ddc328ff.0 -> Thawte_Server_CA.pem

See this for how to use the command c_rehash to create the links:
http://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html

Instead of using TLS_CAPath you can put all CA certificates in one file and point TLS_CAFile to that file. That might be easier than maintaining the symbolic links for all required certificates.

> Another question is: we use eaptls for the communication with our ldap
> server (this works!), but we have to use TLS for radsec with the toplevel
> server. Might there be a problem?

Sorry, I did not quite understand this. You can use SSL or TLS for LDAP connections from Radiator without worries with RadSec.

I also just noticed you use AuthBy RADIUS too. Are you proxying PEAP and TTLS inner authentication via RADIUS?

Thanks!

-- 
Heikki Vatiainen <[email protected]>

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
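As an added example, not part of this thread or of Radiator's own code: a POSIX shell script that builds a TLS_CAPath directory with the subject-hash links OpenSSL looks up (the same links c_rehash creates), builds the equivalent TLS_CAFile bundle, and checks a three-tier chain against each layout; the CA names, keys and the "radsec.example" server certificate are all constructed here.

```shell
#!/bin/sh
# Added example: TLS_CAPath (hash links) versus TLS_CAFile (one bundle).
# Everything below is generated on the fly; nothing is a real CA.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Constructed chain: root CA -> issuing (intermediate) CA -> server cert.
mk_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Example Root CA" -keyout root.key -out root.pem 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Issuing CA" \
    -keyout int.key -out int.csr 2>/dev/null
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 2 -extfile ca.ext -out int.pem 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=radsec.example" \
    -keyout server.key -out server.csr 2>/dev/null
  openssl x509 -req -in server.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 2 -out server.pem 2>/dev/null
}

# What c_rehash does for a CAPath: one <subject_hash>.N link per CA cert.
# Without these links OpenSSL cannot find the issuer, so verification fails.
build_capath() {
  mkdir -p capath
  for ca in root.pem int.pem; do
    h=$(openssl x509 -noout -subject_hash -in "$ca")
    ln -sf "../$ca" "capath/$h.0"
  done
}

# The TLS_CAFile alternative: every CA certificate concatenated into one file.
build_cafile() { cat int.pem root.pem > cabundle.pem; }

# Each check prints "ok" or "fail", mirroring what the TLS handshake would see.
verify_capath() { openssl verify -CApath capath server.pem >/dev/null 2>&1 && echo ok || echo fail; }
verify_cafile() { openssl verify -CAfile cabundle.pem server.pem >/dev/null 2>&1 && echo ok || echo fail; }
# A CAPath directory holding the PEM files but no hash links behaves like this.
verify_unhashed() { mkdir -p unhashed; cp root.pem int.pem unhashed/; openssl verify -CApath unhashed server.pem >/dev/null 2>&1 && echo ok || echo fail; }

mk_chain; build_capath; build_cafile
echo "CAPath: $(verify_capath)  CAFile: $(verify_cafile)  unhashed CAPath: $(verify_unhashed)"
```

Newer OpenSSL releases also ship `openssl rehash`, which creates the same links as c_rehash.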
