On 21.4.2017 17.11, Philip Brusten wrote:
> OpenSSL added a new feature in 1.0.2 to accept a partial chain.
> It can be set using the flag X509_V_FLAG_PARTIAL_CHAIN, which you could
> set using Net::SSLeay::X509_STORE_set_flags.
> Perhaps you could make an EAPTLS-setting for this flag in Radiator?

Getting back to this, yes that's a good idea. We'll take a look at
adding it. That was my intention too, I just did not acknowledge it
until now.
Meanwhile, here's something I found that might be of interest to you in
case you are interested in tweaking certs:
https://security.stackexchange.com/questions/17391/can-an-intermediate-ca-be-trusted-like-a-self-signed-root-ca
The idea in the best answer is to modify the intermediate CA to look
like a root CA or alternatively use your own root CA to create a
modified chain.
Thanks for your suggestions and comments!
Heikki
--
Heikki Vatiainen <h...@open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
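
An added example, not part of the original thread and not Radiator code: it shows what the partial chain flag discussed above changes, using the `openssl verify` command's `-partial_chain` option, which sets X509_V_FLAG_PARTIAL_CHAIN. The throwaway root, intermediate and leaf certificates, the file names and the function names are all constructed for the demo.

```bash
#!/usr/bin/env bash
# Constructed demo PKI: root -> intermediate -> leaf. All names are made up.
set -eu

build_chain() {  # $1 = empty working directory
  local d=$1 n
  printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$d/req.cnf"
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\n' > "$d/leaf.ext"
  for n in root inter leaf; do
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/$n.key"
    openssl req -new -config "$d/req.cnf" -key "$d/$n.key" \
      -subj "/CN=Demo $n" -out "$d/$n.csr"
  done
  # Self-signed root, intermediate signed by root, leaf signed by intermediate.
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" \
    -extfile "$d/ca.ext" -days 30 -out "$d/root.pem" 2>/dev/null
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -days 30 -out "$d/inter.pem" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
    -CAcreateserial -extfile "$d/leaf.ext" -days 30 -out "$d/leaf.pem" 2>/dev/null
}

# Verify leaf.pem with ONLY the intermediate in the trust store.
# $1 = directory; any further arguments are passed to `openssl verify`.
verify_with_intermediate_only() {
  local d=$1; shift
  openssl verify "$@" -CAfile "$d/inter.pem" "$d/leaf.pem" 2>&1 | grep -q ': OK$'
}

demo() {
  local d; d=$(mktemp -d)
  build_chain "$d"
  if verify_with_intermediate_only "$d"; then echo "default: accepted"
  else echo "default: rejected (chain does not end in a self-signed root)"; fi
  if verify_with_intermediate_only "$d" -partial_chain; then echo "-partial_chain: accepted"
  else echo "-partial_chain: rejected"; fi
  rm -rf "$d"
}
demo
```

With the flag set, the intermediate becomes the trust anchor, so every certificate it issues is accepted regardless of what happens to the root above it.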