Hi:

Currently the freeRADIUS server (including R1.0.0 pre-3) doesn't support sending server certificate chains during the SERVER-HELLO handshake to the EAP-TLS client/supplicant. This patch allows freeRADIUS to have a certificate chain of depth greater than 2 in the server/AAA certificate. This patch is built on the OpenSSL SSL_CTX_use_certificate_chain_file(ctx, conf->certificate_file) API call: if the server certificate is passed as a certificate chain in PEM format by concatenating the server certificate, server sub-CA certificate, ......, server root certificate, then OpenSSL builds the certificate chain and sends the complete chain as the server certificate. For more info on how users could use freeRADIUS with n-tier server certificate chains please refer to the OpenSSL documentation on the SSL_CTX_use_certificate_chain_file(ctx, conf->certificate_file) command. The following enhancement only applies to PEM files that have certificate chains as part of the server certificates. For all other certificate types there will be no change; also, if the AAA server certificate doesn't have an n-tier certificate chain (it only uses a server root and server certificate hierarchy), then it will also work just as previously. We've used and tested this patch and it works fine. If you need more details on this please contact me. Thanks.
Regards, Mohammed. Mohammed H. Petiwala Senior Staff Engineer Motorola Inc. @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ --- rlm_eap_tls.c.orig 2004-06-29 13:11:15.000000000 -0500 +++ rlm_eap_tls.c 2004-06-29 13:17:09.000000000 -0500 @@ -147,15 +147,6 @@ type = SSL_FILETYPE_ASN1; } - /* Load the CAs we trust */ - if (!(SSL_CTX_load_verify_locations(ctx, conf->ca_file, conf->ca_path)) || - (!SSL_CTX_set_default_verify_paths(ctx))) { - ERR_print_errors_fp(stderr); - radlog(L_ERR, "rlm_eap_tls: Error reading Trusted root CA list"); - return NULL; - } - SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(conf->ca_file)); - /* * Set the password to load private key */ @@ -165,10 +156,22 @@ } /* Load our keys and certificates*/ - if (!(SSL_CTX_use_certificate_file(ctx, conf->certificate_file, type))) { - ERR_print_errors_fp(stderr); - radlog(L_ERR, "rlm_eap_tls: Error reading certificate file"); - return NULL; + /* if certificates are of type PEM then we can make use of cert chain */ + /* authentication using openssl api call SSL_CTX_use_certificate_chain_file */ + /* Please see how the cert chain needs to be given in PEM from openSSL.org */ + if(type == SSL_FILETYPE_PEM) { + if (!(SSL_CTX_use_certificate_chain_file(ctx, conf->certificate_file))) { + ERR_print_errors_fp(stderr); + radlog(L_ERR, "rlm_eap_tls: Error reading certificate file"); + return NULL; + } + } + else { + if (!(SSL_CTX_use_certificate_file(ctx, conf->certificate_file, type))) { + ERR_print_errors_fp(stderr); + radlog(L_ERR, "rlm_eap_tls: Error reading certificate file"); + return NULL; + } } if (!(SSL_CTX_use_PrivateKey_file(ctx, conf->private_key_file, type))) { 
@@ -185,6 +188,15 @@ return NULL; } + /* Load the CAs we trust */ + if (!(SSL_CTX_load_verify_locations(ctx, conf->ca_file, conf->ca_path)) || + (!SSL_CTX_set_default_verify_paths(ctx))) { + ERR_print_errors_fp(stderr); + radlog(L_ERR, "rlm_eap_tls: Error reading Trusted root CA list"); + return NULL; + } + SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(conf->ca_file)); + /* * Set ctx_options */
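Review bot: the reason for dropping the trusted-CA block from the first hunk (@@ -147,15 +147,6 @@) is not stated anywhere in the message; the same eight lines reappear after the private-key load in the third hunk, so this is a move rather than a removal. If SSL_CTX_use_certificate_chain_file does not require SSL_CTX_load_verify_locations to run after it, leaving the block where it was would shrink the patch to the single certificate-loading change and make it much easier to review; if the move really is required, the message or a code comment should say why.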
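Review bot: in the second hunk (@@ -165,10 +156,22 @@) the PEM and non-PEM branches under `if(type == SSL_FILETYPE_PEM)` duplicate the same ERR_print_errors_fp / radlog / return NULL block, and `if(` departs from the `if (` spacing used around it. Both branches could produce one result, e.g. `ok = (type == SSL_FILETYPE_PEM) ? SSL_CTX_use_certificate_chain_file(ctx, conf->certificate_file) : SSL_CTX_use_certificate_file(ctx, conf->certificate_file, type);` and test it once with the existing error path. The new comment should also state the order the chain file must be in (the server's own certificate first, then the intermediate CAs toward the root) instead of sending the reader to openSSL.org: OpenSSL takes the first certificate in the file as the server certificate, so a file in the wrong order still loads here and only fails later, when the private key is loaded and does not match it, with an error message that points at the wrong file.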
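Review bot: in the third hunk (@@ -185,6 +188,15 @@) SSL_load_client_CA_file(conf->ca_file) returns NULL when the file cannot be read or contains no certificates, and the result is passed straight to SSL_CTX_set_client_CA_list without a check, so a broken ca_file silently leaves the server sending an empty CA list to supplicants. Since the block is being relocated anyway, this is the moment to store the result and log an error on NULL, in the same style as the SSL_CTX_load_verify_locations check two lines above it.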
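The message describes building the certificate_file by concatenating the server certificate, the sub-CA certificate and the root certificate in that order. The script below is an added example, not part of the patch or of FreeRADIUS: it generates a constructed three-tier test PKI with the openssl CLI (names such as "Test Root CA" and radius.example.test are made up), concatenates it in the order SSL_CTX_use_certificate_chain_file expects, and then checks that each certificate's issuer is the subject of the certificate that follows it. That check catches the case the patch's error path cannot distinguish: a file that is a valid bundle but lists the root first, which OpenSSL would load as the server's own certificate.

```shell
#!/bin/sh
# Added example (not from the patch or FreeRADIUS): build a leaf-first PEM chain
# file of the kind handed to SSL_CTX_use_certificate_chain_file and check its
# order before deploying it. Assumes the openssl CLI is on PATH. The PKI is a
# constructed, throw-away one; every name in it is made up.
set -eu

WORK=$(mktemp -d)

# Generate a three-tier test PKI: root CA -> sub-CA -> server (AAA) certificate.
make_test_chain() {
  ec="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"
  printf 'basicConstraints=critical,CA:TRUE\n'  > "$WORK/ca.ext"
  printf 'basicConstraints=critical,CA:FALSE\n' > "$WORK/leaf.ext"

  # Self-signed root CA.
  openssl req -x509 $ec -days 1 -subj "/CN=Test Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  # Sub-CA signed by the root.
  openssl req -new $ec -subj "/CN=Test Sub CA" \
    -keyout "$WORK/sub.key" -out "$WORK/sub.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/sub.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1 -extfile "$WORK/ca.ext" -out "$WORK/sub.pem" 2>/dev/null
  # Server certificate signed by the sub-CA (constructed hostname).
  openssl req -new $ec -subj "/CN=radius.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/sub.pem" -CAkey "$WORK/sub.key" \
    -CAcreateserial -days 1 -extfile "$WORK/leaf.ext" -out "$WORK/server.pem" 2>/dev/null

  # The order the message describes and OpenSSL expects: server, sub-CA, root.
  cat "$WORK/server.pem" "$WORK/sub.pem" "$WORK/root.pem" > "$WORK/chain.pem"
  # A mis-ordered bundle (root first). OpenSSL would take the root as the
  # server certificate, and the server key would then fail to match it.
  cat "$WORK/root.pem" "$WORK/sub.pem" "$WORK/server.pem" > "$WORK/wrong.pem"
}

# Check that a concatenated PEM file is in leaf-first order: the issuer of each
# certificate must equal the subject of the certificate that follows it.
# Returns 0 for a well-ordered chain, 1 at the first break.
check_chain_order() {
  chain=$1
  parts=$(mktemp -d)
  # Split the bundle into one file per certificate, keeping the file order.
  awk -v dir="$parts" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%02d.pem", dir, n) }
    n { print > f }
    /-----END CERTIFICATE-----/   { close(f) }' "$chain"

  prev_issuer=""
  i=0
  for f in "$parts"/cert*.pem; do
    i=$((i + 1))
    subject=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject=//')
    issuer=$(openssl x509 -in "$f" -noout -issuer | sed 's/^issuer=//')
    if [ -n "$prev_issuer" ] && [ "$subject" != "$prev_issuer" ]; then
      echo "chain break before certificate $i: expected '$prev_issuer', found '$subject'" >&2
      rm -rf "$parts"
      return 1
    fi
    prev_issuer=$issuer
  done
  rm -rf "$parts"
  return 0
}

make_test_chain
if check_chain_order "$WORK/chain.pem"; then
  echo "chain.pem: leaf-first order OK"
else
  echo "chain.pem: unexpected chain break"; exit 1
fi
if check_chain_order "$WORK/wrong.pem" 2>/dev/null; then
  echo "wrong.pem: unexpectedly accepted"; exit 1
else
  echo "wrong.pem: rejected, root certificate is first"
fi
```

Run it with `sh chain_check.sh` (the file name is arbitrary); point `check_chain_order` at a real certificate_file to check it before restarting the server. The check deliberately compares names only, because `openssl verify` would accept the mis-ordered bundle too (it rebuilds the path itself), whereas SSL_CTX_use_certificate_chain_file does not.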