Hi:
Currently the freeRADIUS server (including R1.0.0 pre-3) doesn't support sending server certificate chains during the SERVER-HELLO handshake to the EAP-TLS client/supplicant.

This patch allows freeRADIUS to have a certificate chain of depth greater than 2 in the server/AAA certificate. This patch is built on the OpenSSL SSL_CTX_use_certificate_chain_file(ctx, conf->certificate_file) API call: if the server certificate is passed as a certificate chain in PEM format, by concatenating the server certificate, server sub-CA certificate, ......, server root certificate, then OpenSSL builds the certificate chain and sends the complete chain as the server certificate.

For more info on how users could use freeRADIUS with n-tier server certificate chains please refer to the OpenSSL documentation on the SSL_CTX_use_certificate_chain_file(ctx, conf->certificate_file) command. The following enhancement only applies to PEM files that have certificate chains as part of the server certificates. For all other certificate types there will be no change; also, if the AAA server certificate doesn't have an n-tier certificate chain (it only uses a server root and server certificate hierarchy), then it will also work just as previously.

We've used and tested this patch and it works fine. If you need more details on this please contact me.
Thanks.

Regards,
Mohammed.


Mohammed H. Petiwala
Senior Staff Engineer
Motorola Inc.


@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@


--- rlm_eap_tls.c.orig 2004-06-29 13:11:15.000000000
-0500
+++ rlm_eap_tls.c 2004-06-29 13:17:09.000000000 -0500
@@ -147,15 +147,6 @@
   type = SSL_FILETYPE_ASN1;
  }
 
- /* Load the CAs we trust */
- if (!(SSL_CTX_load_verify_locations(ctx,
conf->ca_file, conf->ca_path)) ||
-     (!SSL_CTX_set_default_verify_paths(ctx))) {
-  ERR_print_errors_fp(stderr);
-  radlog(L_ERR, "rlm_eap_tls: Error reading Trusted
root CA list");
-  return NULL;
- }
- SSL_CTX_set_client_CA_list(ctx,
SSL_load_client_CA_file(conf->ca_file));
-
  /*
   * Set the password to load private key
   */
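Review bot: the message does not say why the trusted-CA load is removed from this spot; the same block reappears unchanged after the private-key load, so on its own this hunk is only a reorder. If the intent is that certificate and key loading should complete before the trust store is set, state that in the description; otherwise drop this hunk and the matching re-insertion so the patch stays limited to the certificate-file change.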
@@ -165,10 +156,22 @@
  }
 
  /* Load our keys and certificates*/
- if (!(SSL_CTX_use_certificate_file(ctx,
conf->certificate_file, type))) {
-  ERR_print_errors_fp(stderr);
-  radlog(L_ERR, "rlm_eap_tls: Error reading
certificate file");
-  return NULL;
+ /* if certificates are of type PEM then we can make
use of cert chain       */
+ /* authentication using openssl api call
SSL_CTX_use_certificate_chain_file */
+ /* Please see how the cert chain needs to be given
in PEM from openSSL.org  */
+ if(type == SSL_FILETYPE_PEM) {
+  if (!(SSL_CTX_use_certificate_chain_file(ctx,
conf->certificate_file))) {
+   ERR_print_errors_fp(stderr);
+   radlog(L_ERR, "rlm_eap_tls: Error reading
certificate file");
+   return NULL;
+  }
+ }
+ else {
+  if (!(SSL_CTX_use_certificate_file(ctx,
conf->certificate_file, type))) {
+   ERR_print_errors_fp(stderr);
+   radlog(L_ERR, "rlm_eap_tls: Error reading
certificate file");
+   return NULL;
+  }
  }
 
  if (!(SSL_CTX_use_PrivateKey_file(ctx,
conf->private_key_file, type))) {
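Review bot: the PEM and non-PEM branches duplicate the whole error block; compute the result once and keep a single error path, e.g. `if (type == SSL_FILETYPE_PEM) rcode = SSL_CTX_use_certificate_chain_file(ctx, conf->certificate_file);` / `else rcode = SSL_CTX_use_certificate_file(ctx, conf->certificate_file, type);` followed by one `if (!rcode) { ... }`. Two smaller points: both branches log the identical "Error reading certificate file", so an administrator cannot tell that the chain loader rejected a badly ordered bundle, and the new comments refer readers to "openSSL.org" rather than stating the required order (server certificate first, then each issuing CA upward), which is the detail that will be got wrong; "cert chain authentication" in the first comment is also misleading, since the chain file changes what the server sends, not how clients are authenticated.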
@@ -185,6 +188,15 @@
   return NULL;
  }
 
+ /* Load the CAs we trust */
+ if (!(SSL_CTX_load_verify_locations(ctx,
conf->ca_file, conf->ca_path)) ||
+     (!SSL_CTX_set_default_verify_paths(ctx))) {
+  ERR_print_errors_fp(stderr);
+  radlog(L_ERR, "rlm_eap_tls: Error reading Trusted
root CA list");
+  return NULL;
+ }
+ SSL_CTX_set_client_CA_list(ctx,
SSL_load_client_CA_file(conf->ca_file));
+
  /*
   * Set ctx_options
   */
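Review bot: this re-adds the trust-store block verbatim, including the unchecked `SSL_load_client_CA_file(conf->ca_file)` result passed straight into `SSL_CTX_set_client_CA_list`; since the block is being touched anyway, store the returned list, test it for NULL and log through radlog before setting it, so a missing or unreadable ca_file fails here instead of producing an empty client CA list.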



                
__________________________________
Do you Yahoo!?
New and Improved Yahoo! Mail - Send 10MB messages!
http://promotions.yahoo.com/new_mail 

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Reply via email to