signed server certs (was: Freeradius2 and OSX clients no TLS)

2011-03-07 Thread John Dennis
I changed default_eap_type=md5 to default_eap_type=ttls and now the Macs are able to authenticate without Certs or any configuration on their side!! ...remember though that working != secure [necessarily]. Clients defaulting to accept any radius server cert, or those that default to prompt the

Re: signed server certs (was: Freeradius2 and OSX clients no TLS)

2011-03-07 Thread Alan Buxey
Hi, 1) It validates the server cert to assure it's signed by a CA it trusts (possibly via a cert chain). 2) It then validates the certificate subject to make sure the server it thought it was connecting to appears in the certificate (either as the certificate subject or one of the

Re: signed server certs (was: Freeradius2 and OSX clients no TLS)

2011-03-07 Thread Arran Cudbard-Bell
On Mar 7, 2011, at 3:57 PM, Alan Buxey wrote: Hi, 1) It validates the server cert to assure it's signed by a CA it trusts (possibly via a cert chain). 2) It then validates the certificate subject to make sure the server it thought it was connecting to appears in the certificate

Re: signed server certs

2011-03-07 Thread James J J Hooper
On 07/03/2011 21:42, John Dennis wrote: I changed default_eap_type=md5 to default_eap_type=ttls and now the Macs are able to authenticate without Certs or any configuration on their side!! ...remember though that working != secure [necessarily]. Clients defaulting to accept any radius server

Re: signed server certs (was: Freeradius2 and OSX clients no TLS)

2011-03-07 Thread Arran Cudbard-Bell
On Mar 7, 2011, at 4:03 PM, Arran Cudbard-Bell wrote: On Mar 7, 2011, at 3:57 PM, Alan Buxey wrote: Hi, 1) It validates the server cert to assure it's signed by a CA it trusts (possibly via a cert chain). 2) It then validates the certificate subject to make sure the server it

Re: signed server certs

2011-03-07 Thread Arran Cudbard-Bell
On Mar 7, 2011, at 4:05 PM, James J J Hooper wrote: On 07/03/2011 21:42, John Dennis wrote: I changed default_eap_type=md5 to default_eap_type=ttls and now the Macs are able to authenticate without Certs or any configuration on their side!! ...remember though that working != secure

Re: signed server certs

2011-03-07 Thread James J J Hooper
On 07/03/2011 22:18, Arran Cudbard-Bell wrote: On Mar 7, 2011, at 4:05 PM, James J J Hooper wrote: On 07/03/2011 21:42, John Dennis wrote: I changed default_eap_type=md5 to default_eap_type=ttls and now the Macs are able to authenticate without Certs or any configuration on their side!!

Re: signed server certs

2011-03-07 Thread Bjørn Mork
John Dennis jden...@redhat.com writes: So why does this group think PKI doesn't work? PKI works. gnupg is an example of that. SSL doesn't work. Faulty design: Single trust anchor, black or white trust only, and large commercial interests are all reasons for that. Bjørn - List