On 04/30/2012 07:29 AM, jinx_20 wrote:
Phil, can you look at the certs I provided?


They look OK to me. There's no obvious reason they shouldn't verify, and quick tests at the CLI all passed. Are you sure these are functionally *identical* to the real ones you're using?

I've checked over the FR verify code; it is a pretty standard verify callback, and doesn't have any logic errors. It's a bit of a shame the FR verify callback doesn't explicitly log the subject/issuer/depth values for failures, and just logs the error; I wonder if that is worth fixing (and if it would tell us anything more in this case). But I'm fairly sure FR is doing nothing wrong.

Therefore, either your cert chain is mangled in some way OpenSSL doesn't like, OpenSSL is buggy or the client is buggy. Or something else weird is going on.

I don't have any suggestions, I'm afraid. If you're familiar with the TLS protocol, you could use Wireshark to capture and inspect an EAP-TLS conversation. The dissector will reassemble the TLS exchange, and you can check the correct certs are being sent over the wire in the correct order.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
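
An offline version of the on-the-wire order check suggested in the message above, added here as an example (not code from the original post, FreeRADIUS or OpenSSL): given the body of a reassembled TLS 1.2-or-earlier Certificate handshake message, it reports each depth at which a certificate's issuer does not match the next certificate's subject. The function names and the sample certificates are constructed for illustration, and names are compared byte-for-byte rather than with full RFC 5280 name matching.

```python
# Added example, not FreeRADIUS/OpenSSL code. Names are compared byte-for-byte.
def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long-form length: low 7 bits give the count of length bytes
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    if pos + n > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + n], pos + n

def issuer_subject(cert_der):
    """Return the raw (issuer, subject) Name contents of one X.509 certificate."""
    tbs = read_tlv(read_tlv(cert_der, 0)[1], 0)[1]  # Certificate -> TBSCertificate
    fields, pos = [], 0
    while pos < len(tbs):
        tag, val, pos = read_tlv(tbs, pos)
        fields.append((tag, val))
    if fields[0][0] == 0xA0:  # optional explicit [0] version
        fields = fields[1:]
    return fields[2][1], fields[4][1]  # order: serial, sigAlg, issuer, validity, subject

def misordered_depths(body):
    """Depths i where certificate i's issuer differs from certificate i+1's subject."""
    if int.from_bytes(body[:3], "big") != len(body) - 3:
        raise ValueError("certificate_list length mismatch")
    names, pos = [], 3
    while pos < len(body):  # each entry: uint24 length, then one DER certificate
        n = int.from_bytes(body[pos:pos + 3], "big")
        names.append(issuer_subject(body[pos + 3:pos + 3 + n]))
        pos += 3 + n
    return [i for i in range(len(names) - 1) if names[i][0] != names[i + 1][1]]

# Constructed sample data: unsigned stand-ins that only mimic the TBSCertificate layout.
def tlv(tag, body):
    assert len(body) < 0x80, "samples use short-form DER lengths only"
    return bytes([tag, len(body)]) + body

def fake_cert(subject_cn, issuer_cn):
    name = lambda cn: tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode()))))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"")
              + name(issuer_cn) + tlv(0x30, b"") + name(subject_cn) + tlv(0x30, b""))
    return tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))

def certificate_body(certs):
    entries = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    return len(entries).to_bytes(3, "big") + entries

LEAF, CA, ROOT = (fake_cert(s, i) for s, i in [("radius.example.test", "Example Issuing CA"),
                  ("Example Issuing CA", "Example Root CA"), ("Example Root CA", "Example Root CA")])
print(misordered_depths(certificate_body([LEAF, ROOT, CA])))  # prints [0, 1]
```

To run it against a real capture, export the Certificate handshake message from the reassembled TLS stream and pass the bytes that follow its 4-byte handshake header.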
