On 21.4.2017 17.11, Philip Brusten wrote:

> OpenSSL added a new feature in 1.0.2 to accept a partial chain.
>
> It can be set using the flag X509_V_FLAG_PARTIAL_CHAIN, which you could set using Net::SSLeay::X509_STORE_set_flags.
>
> Perhaps you could make an EAPTLS setting for this flag in Radiator?

Getting back to this: the patches have EAPTLS_CAPartialChain for TLS-based EAP methods and TLS_CAPartialChain for stream-based modules, such as Diameter and RadSec.

Support for X509_V_FLAG_PARTIAL_CHAIN was added some time ago, and it was just updated to include X509_V_FLAG_TRUSTED_FIRST too. The latter flag is on by default with OpenSSL 1.1.0 and, based on the information we gathered, should be a good addition with 1.0.2 too. However, Radiator currently sets this flag only when the partial chain flag is enabled.

To test, do something like this:
Add the 'EAPTLS_CAPartialChain' configuration flag parameter to Radiator's EAP-TLS configuration. Also change the CA file to something like this:
  EAPTLS_CAFile certificates/intermediate-CA-I1-crt.pem

Set eapol_test, or other test client, to use
  client_cert="certificates/client-I1-crt.pem"
  private_key="certificates/client-key.pem"
  private_key_password="whatever"

The above certificates come with the patches. Radiator's test certificates were redone to include intermediate CAs, revoked and expired certificates and CAs, and other useful features for testing. See certificates/README-demoCA.txt and certificates/README for the details.

If you have time to test this, please let us know how it goes.

Thanks,
Heikki

--
Heikki Vatiainen <h...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.
_______________________________________________
radiator mailing list
radiator@lists.open.com.au
http://lists.open.com.au/mailman/listinfo/radiator
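The test recipe in the message above, as an added example that is not part of the message, of Radiator, or of the patches: a shell script that uses the openssl CLI to build a throwaway root -> intermediate -> client chain and then verifies the client certificate against a trust store holding only the intermediate, which is what the EAPTLS_CAFile setting above does. `openssl verify -partial_chain` and `-trusted_first` are the CLI equivalents of the X509_V_FLAG_PARTIAL_CHAIN and X509_V_FLAG_TRUSTED_FIRST store flags. All subject names, file names and serial numbers are made up for the demo.

```shell
#!/bin/sh
# Added example, not code from Radiator or from the patches discussed above.
# Builds a demo root -> intermediate -> client chain with the openssl CLI and
# shows what X509_V_FLAG_PARTIAL_CHAIN (`openssl verify -partial_chain`)
# changes when only the intermediate CA is in the trust store.
# Subject names, file names and serials below are assumptions for this demo.
set -eu

if ! command -v openssl >/dev/null 2>&1; then
    echo "openssl not found; nothing to demonstrate" >&2
    exit 0
fi

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal config so the demo does not depend on the system openssl.cnf.
cat > "$WORK/demo.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_int ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

newkey() { openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1" 2>/dev/null; }

# Root CA: self-signed.
newkey "$WORK/root.key"
openssl req -config "$WORK/demo.cnf" -x509 -new -key "$WORK/root.key" \
    -subj "/CN=Demo Root CA" -days 2 -extensions v3_ca -out "$WORK/root.pem" 2>/dev/null

# Intermediate CA I1: issued by the root.
newkey "$WORK/inter.key"
openssl req -config "$WORK/demo.cnf" -new -key "$WORK/inter.key" \
    -subj "/CN=Demo Intermediate CA I1" -out "$WORK/inter.csr" 2>/dev/null
openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -set_serial 1001 -days 2 -extfile "$WORK/demo.cnf" -extensions v3_int \
    -out "$WORK/inter.pem" 2>/dev/null

# Client certificate: issued by the intermediate.
newkey "$WORK/client.key"
openssl req -config "$WORK/demo.cnf" -new -key "$WORK/client.key" \
    -subj "/CN=demo-client" -out "$WORK/client.csr" 2>/dev/null
openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
    -set_serial 2001 -days 2 -extfile "$WORK/demo.cnf" -extensions v3_leaf \
    -out "$WORK/client.pem" 2>/dev/null

# 1. Classic setup: the root is trusted and the intermediate is supplied as an
#    untrusted chain certificate (as a peer would send it). Succeeds.
verify_full_chain() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" "$WORK/client.pem" >/dev/null 2>&1
}

# 2. Only the intermediate is trusted and no flags are set: OpenSSL still
#    insists on reaching a self-signed root and fails with "unable to get
#    issuer certificate". This is the behaviour without EAPTLS_CAPartialChain.
verify_intermediate_only() {
    openssl verify -CAfile "$WORK/inter.pem" "$WORK/client.pem" >/dev/null 2>&1
}

# 3. Same store with X509_V_FLAG_PARTIAL_CHAIN: any certificate in the trust
#    store may terminate the chain, so the intermediate alone is enough.
verify_partial_chain() {
    openssl verify -partial_chain -CAfile "$WORK/inter.pem" "$WORK/client.pem" >/dev/null 2>&1
}

# 4. Both flags, as the message says Radiator sets them together: TRUSTED_FIRST
#    makes a trusted certificate win over an untrusted one with the same
#    subject that the peer may have sent in its chain.
verify_partial_chain_trusted_first() {
    openssl verify -partial_chain -trusted_first -CAfile "$WORK/inter.pem" "$WORK/client.pem" >/dev/null 2>&1
}

report() { if "$1"; then echo "$1: OK"; else echo "$1: FAILED"; fi; }
report verify_full_chain
report verify_intermediate_only
report verify_partial_chain
report verify_partial_chain_trusted_first
```

Run it as-is; the expected output is OK, FAILED, OK, OK for the four cases. Case 2 failing is the point: an intermediate in EAPTLS_CAFile is not enough on its own, and the partial-chain flag is what turns it into a valid trust anchor. Note that with the flag set, the intermediate's own revocation or expiry is no longer checked against the root.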
