Re: [EAP-TLS Windows 7] Problem with chain certificate on the client side

2012-05-04 Thread Phil Mayers
On 30/04/12 13:18, jinx_20 wrote: But I still cannot understand why FR allowed to connect when I had removed Sub2_CA certificate from cert store. Just to emphasise, unless I'm mistaken it is OpenSSL that was validating or rejecting the cert. The FreeRADIUS verify callback doesn't override

Re: [EAP-TLS Windows 7] Problem with chain certificate on the client side

2012-04-30 Thread jinx_20
Phil, can you look at the certs I provided? Gabriel

Re: [EAP-TLS Windows 7] Problem with chain certificate on the client side

2012-04-30 Thread Phil Mayers
On 04/30/2012 07:29 AM, jinx_20 wrote: Phil, can you look at the certs I provided? They look ok to me. There's no obvious reason they shouldn't verify, and quick tests at the CLI all passed. Are you sure these are functionally *identical* to the real ones you're using? I've checked over

Re: [EAP-TLS Windows 7] Problem with chain certificate on the client side

2012-04-30 Thread jinx_20
understand why FR allowed to connect when I had removed Sub2_CA certificate from cert store. Gabriel

Re: [EAP-TLS Windows 7] Problem with chain certificate on the client side

2012-04-27 Thread jinx_20

[EAP-TLS Windows 7] Problem with chain certificate on the client side

2012-04-25 Thread jinx_20

Re: [EAP-TLS Windows 7] Problem with chain certificate on the client side

2012-04-25 Thread Alberto Martínez
As soon as I delete Sub2 CA (that is, the CA certificate of the certificate authority which issued client's certificate) I am able to connect successfully. Does FR know this Sub2 CA? i.e: is CA certificate chain file referenced in eap.conf? If not, try to concatenate certificate authority

Re: [EAP-TLS Windows 7] Problem with chain certificate on the client side

2012-04-25 Thread jinx_20
As I mentioned before CA_file in the eap.conf is set to ${cadir}/Sub2_CA_*entire_chain*.pem Is there any difference between concatenated CA file and certificate chain? Gabriel

Re: [EAP-TLS Windows 7] Problem with chain certificate on the client side

2012-04-25 Thread Alberto Martínez

Re: [EAP-TLS Windows 7] Problem with chain certificate on the client side

2012-04-25 Thread jinx_20
correct? Gabriel

Re: [EAP-TLS Windows 7] Problem with chain certificate on the client side

2012-04-25 Thread Phil Mayers
On 25/04/12 10:39, jinx_20 wrote: Is there any way to configure FreeRadius server to explicitly accept intermediate CAs received from the client supplicant? No, it should not be needed and should work; but there might be a logic error in the various SSL verify options or callbacks; OpenSSL

Re: [EAP-TLS Windows 7] Problem with chain certificate on the client side

2012-04-25 Thread Alberto Martínez
2012/4/25 jinx_20 gabriel_skup...@o2.pl Ok, to be sure that we understand each other... My Sub2_CA_entire_chain.pem looks like this: -BEGIN CERTIFICATE- XX -END CERTIFICATE- -BEGIN CERTIFICATE- Y -END

Re: [EAP-TLS Windows 7] Problem with chain certificate on the client side

2012-04-25 Thread jinx_20
required certificates. Regards, Gabriel

Re: [EAP-TLS Windows 7] Problem with chain certificate on the client side

2012-04-25 Thread Phil Mayers
On 25/04/12 12:42, jinx_20 wrote: freeradius: FreeRADIUS Version 2.1.12, for host x86_64-pc-linux-gnu, built on Feb 2 2012 at 15:38:19 OpenSSL 0.9.8o 01 Jun 2010 I wouldn't like to share our private production certificates but if you really need it to help us I will set up a mirror testing PKI