On 09.07.2012 14:18, Phil Mayers wrote:
- The phones have the Sub CA certificate locally installed as
"trustworthy" (NOT the Root CA certificate!)
- The RADIUS server must only send its server certificate (not the whole
chain)

Why?

Not my decision - our customer said something like "that's the way it works in our network". I suggested sending the whole chain, but their answer was like "no RFC forces anyone to send the whole chain, so it must work that way".

- I only put the RADIUS server certificate to certificate_file. But as
soon as CA_path or CA_file are set, FreeRADIUS sends the whole
certificate chain to the phone.

I'm afraid the current TLS code works that way. You would need to patch
the source if you want a different set of server CA and client CA objects.

Thanks for that, I already suspected something like this.

Best regards, Sven
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html