On 09/07/12 13:18, Phil Mayers wrote:
> On 09/07/12 13:04, Sven Dreyer wrote:
>> Hi List,
>>
>> at work, I have the following requirements for IP phones which should be
>> authenticated before joining the network:
>>
>> - Root CA --> Sub CA --> Device certificates
>> - The phones have the Sub CA certificate locally installed as
>> "trustworthy" (NOT the Root CA certificate!)
>> - The RADIUS server must only send its server certificate (not the whole
>> chain)
>>
>> Why?
>>
>> - I only put the RADIUS server certificate in certificate_file. But as
>> soon as CA_path or CA_file are set, FreeRADIUS sends the whole
>> certificate chain to the phone.
>
> I'm afraid the current TLS code works that way. You would need to patch
> the source if you want a different set of server CA and client CA objects.


Just to expand on this; it would be very hard, since OpenSSL is the one adding the CA chain and doing the SSL. You would need to persuade OpenSSL to have the CA loaded for clients, but not for server use.

I think this might even be impossible.

You could use a different CA for the server and client.
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html