Finally I found out. It was easy, you only have to concatenate the .pem
files.

Alejandro
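
The concatenation Alejandro refers to, as an added example that is not part of the thread or of the freeRADIUS patch: a POSIX shell script that builds a throwaway three-level PKI with openssl, writes the chain file in the order SSL_CTX_use_certificate_chain_file() expects (server certificate first, then the sub-CA, then the root, as Mohammed's description says), and sanity-checks it before it is used as the EAP-TLS certificate_file. The CA names (test-root, test-sub, test-server), file names and helper functions are all constructed for this example.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: build and check the PEM
# chain file that SSL_CTX_use_certificate_chain_file() reads.
# The PKI below is throwaway and generated in a temp dir; the names
# test-root / test-sub / test-server are placeholders.
set -eu

# Generate a 3-level test hierarchy in $1: root -> sub CA -> server.
make_test_pki() {
    dir=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > "$dir/server.ext"
    for name in root sub server; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=test-$name" \
            -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    done
    # Self-signed root; sub CA signed by the root; server signed by the sub CA.
    openssl x509 -req -days 1 -in "$dir/root.csr" -signkey "$dir/root.key" \
        -extfile "$dir/ca.ext" -out "$dir/root.pem" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/sub.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -extfile "$dir/ca.ext" -out "$dir/sub.pem" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/server.csr" -CA "$dir/sub.pem" -CAkey "$dir/sub.key" \
        -CAcreateserial -extfile "$dir/server.ext" -out "$dir/server.pem" 2>/dev/null
}

# build_chain OUT LEAF [INTERMEDIATE...] ROOT
# Concatenate in the order OpenSSL expects: the server certificate first,
# its issuer next, and so on up to the root.
build_chain() {
    out=$1; shift
    cat "$@" > "$out"
}

# Number of PEM certificate blocks in a file.
cert_count() {
    grep -c 'BEGIN CERTIFICATE' "$1" || true
}

# Subject of the first certificate in the file. This is the one OpenSSL
# presents as the server certificate, so it must be the leaf, not a CA.
chain_leaf_subject() {
    openssl x509 -in "$1" -noout -subject
}

# Verify the leaf against the trusted root, using the rest of the chain
# file as untrusted intermediates (roughly what a supplicant does).
verify_chain() {
    chain=$1; root=$2
    leaf=$(mktemp)
    # keep only the first PEM block
    awk '/BEGIN CERTIFICATE/{n++} n==1' "$chain" > "$leaf"
    if openssl verify -CAfile "$root" -untrusted "$chain" "$leaf" >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    rm -f "$leaf"
    return $rc
}

main() {
    dir=$(mktemp -d)
    make_test_pki "$dir"
    build_chain "$dir/chain.pem" "$dir/server.pem" "$dir/sub.pem" "$dir/root.pem"
    echo "chain.pem holds $(cert_count "$dir/chain.pem") certificates"
    echo "certificate presented to the supplicant: $(chain_leaf_subject "$dir/chain.pem")"
    if verify_chain "$dir/chain.pem" "$dir/root.pem"; then
        echo "chain verifies against root.pem"
    else
        echo "chain does NOT verify: check the order and the issuers" >&2
    fi
    rm -rf "$dir"
}

if [ "${1:-}" = demo ]; then main; fi
```

Run it as `sh chain.sh demo`. The two checks are the ones worth scripting into a deployment: chain_leaf_subject catches a file concatenated root-first (OpenSSL would then present the root as the server certificate), and verify_chain catches a missing or wrong intermediate. In radiusd.conf the chain file goes in certificate_file, private_key_file keeps the server's own key, and the trusted root list used for client certificates (ca_file) stays a separate file.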

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] on behalf of
Alejandro Martinez Marcos
Sent: Tuesday, 03 August 2004 18:54
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: freeRADIUS patch for EAP-TLS n-tier server/aaa certificate
chain support


Hello Mohammed,

        I have a similar problem; I also have a certificate chain of 3 levels.

        I have a CA cert and a subCA cert. I think that I have to take them and
create a "certificate-chain.pem", and then place it in the "# Trusted
Root CA list" section of radiusd.conf. But I don't know how to generate the
certificate-chain file. I think I have to use OpenSSL, but I don't know how
to do it. Could you help me please?

Thanks in advance,

        Alejandro

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] on behalf of
Mohammed Petiwala
Sent: Tuesday, 13 July 2004 17:41
To: [EMAIL PROTECTED];
[EMAIL PROTECTED]
Subject: freeRADIUS patch for EAP-TLS n-tier server/aaa certificate chain
support


Hi:
Currently the freeRADIUS server (including R1.0.0
pre-3) doesn't support sending server certificate
chains during the SERVER-HELLO handshake to the
EAP-TLS client/supplicant.
This patch allows freeRADIUS to have a certificate chain
of depth greater than 2 in the server/aaa certificate.
This patch is built on the OpenSSL
SSL_CTX_use_certificate_chain_file(ctx,
conf->certificate_file)
API call: if the server certificate is passed as a
certificate chain in PEM format, by concatenating the
server certificate, server sub-CA certificate, ......,
server root certificate, then OpenSSL builds the
certificate chain and sends the complete chain
as the server certificate.
For more info on how users could use freeRADIUS with
n-tier server certificate chains, please refer to the
OpenSSL documentation on the
SSL_CTX_use_certificate_chain_file(ctx,
conf->certificate_file)
command. The following enhancement only applies to PEM
files that have certificate chains as part of the
server certificates. For all other certificate types
there will be no change; also, if the
AAA server certificate doesn't have an n-tier certificate
chain (it only uses a server root and server
certificate hierarchy), it will also work just
as previously.
We've used and tested this patch and it works fine. If
you need more details on this, please contact me.
Thanks.

Regards,
Mohammed.


Mohammed H. Petiwala
Senior Staff Engineer
Motorola Inc.




--- rlm_eap_tls.c.orig 2004-06-29 13:11:15.000000000
-0500
+++ rlm_eap_tls.c 2004-06-29 13:17:09.000000000 -0500
@@ -147,15 +147,6 @@
   type = SSL_FILETYPE_ASN1;
  }

- /* Load the CAs we trust */
- if (!(SSL_CTX_load_verify_locations(ctx,
conf->ca_file, conf->ca_path)) ||
-     (!SSL_CTX_set_default_verify_paths(ctx))) {
-  ERR_print_errors_fp(stderr);
-  radlog(L_ERR, "rlm_eap_tls: Error reading Trusted
root CA list");
-  return NULL;
- }
- SSL_CTX_set_client_CA_list(ctx,
SSL_load_client_CA_file(conf->ca_file));
-
  /*
   * Set the password to load private key
   */
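Review bot: the trusted-CA block removed here (SSL_CTX_load_verify_locations, SSL_CTX_set_default_verify_paths, SSL_CTX_set_client_CA_list) reappears unchanged in the third hunk, so the net effect of this hunk is only a reordering, and neither the patch nor the cover mail says why the verify locations now have to be loaded after the certificate and key. SSL_CTX_use_certificate_chain_file() takes the intermediates from the certificate file itself rather than from the verify store, so if the move is not required for the chain to load, leaving these lines where they were keeps the diff to the one functional change; if it is required, a one-line comment at the new location explaining the dependency would save the next reader the same question.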
@@ -165,10 +156,22 @@
  }

  /* Load our keys and certificates*/
- if (!(SSL_CTX_use_certificate_file(ctx,
conf->certificate_file, type))) {
-  ERR_print_errors_fp(stderr);
-  radlog(L_ERR, "rlm_eap_tls: Error reading
certificate file");
-  return NULL;
+ /* if certificates are of type PEM then we can make
use of cert chain       */
+ /* authentication using openssl api call
SSL_CTX_use_certificate_chain_file */
+ /* Please see how the cert chain needs to be given
in PEM from openSSL.org  */
+ if(type == SSL_FILETYPE_PEM) {
+  if (!(SSL_CTX_use_certificate_chain_file(ctx,
conf->certificate_file))) {
+   ERR_print_errors_fp(stderr);
+   radlog(L_ERR, "rlm_eap_tls: Error reading
certificate file");
+   return NULL;
+  }
+ }
+ else {
+  if (!(SSL_CTX_use_certificate_file(ctx,
conf->certificate_file, type))) {
+   ERR_print_errors_fp(stderr);
+   radlog(L_ERR, "rlm_eap_tls: Error reading
certificate file");
+   return NULL;
+  }
  }

  if (!(SSL_CTX_use_PrivateKey_file(ctx,
conf->private_key_file, type))) {
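Review bot: both branches log the identical "rlm_eap_tls: Error reading certificate file", so an operator who concatenated the PEM files in the wrong order (the cover mail says the file must start with the server certificate) gets no hint that a chain, rather than a single certificate, was rejected. Suggest a distinct message in the PEM branch, e.g. `radlog(L_ERR, "rlm_eap_tls: Error reading certificate chain file");`, and since the ERR_print_errors_fp / radlog / return NULL sequence is now repeated verbatim, a single `if (type == SSL_FILETYPE_PEM ? !SSL_CTX_use_certificate_chain_file(ctx, conf->certificate_file) : !SSL_CTX_use_certificate_file(ctx, conf->certificate_file, type))` with one error path would read more clearly. Two style points in the same hunk: `if(type == SSL_FILETYPE_PEM)` lacks the space after `if` that the surrounding code uses, and the three-line comment pointing at "openSSL.org" would be more useful as a reference to the SSL_CTX_use_certificate_chain_file(3) man page, which documents the required PEM order.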
@@ -185,6 +188,15 @@
   return NULL;
  }

+ /* Load the CAs we trust */
+ if (!(SSL_CTX_load_verify_locations(ctx,
conf->ca_file, conf->ca_path)) ||
+     (!SSL_CTX_set_default_verify_paths(ctx))) {
+  ERR_print_errors_fp(stderr);
+  radlog(L_ERR, "rlm_eap_tls: Error reading Trusted
root CA list");
+  return NULL;
+ }
+ SSL_CTX_set_client_CA_list(ctx,
SSL_load_client_CA_file(conf->ca_file));
+
  /*
   * Set ctx_options
   */
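Review bot: since this block is being moved anyway, it is the right moment to check the result of `SSL_load_client_CA_file(conf->ca_file)` before passing it to `SSL_CTX_set_client_CA_list()`; it returns NULL when the file cannot be read or contains no certificates, and that case is currently silent, leaving the server with an empty client CA list while the preceding `SSL_CTX_load_verify_locations` check has already passed on the same ca_file. Suggest something like `STACK_OF(X509_NAME) *names = SSL_load_client_CA_file(conf->ca_file); if (!names) { radlog(L_ERR, "rlm_eap_tls: Error loading client CA list"); return NULL; }` before the set call, so a misconfigured ca_file fails at startup rather than at the first EAP-TLS exchange.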


-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
