Hi!
As far as I can see the Server does not send the full certificates, but only
announces the certificates the server knows. I did not read the RFC yet, but
I assume that this only informs the client which certificates can be
requested to verify the server certificate chain.
On 04.01.2012 15:09, Daniel Finger wrote:
> We are using 802.1X EAP TTLS to Authenticate Phones in our network. It is
> working, but after seeing a tcpdump, the Radius Server is sending all known
> CA Certificates to the Client during EAP TLS Negotiation.
That's largely how EAP-TLS works.
>
Hi!
We are using 802.1X EAP TTLS to Authenticate Phones in our network. It is
working, but after seeing a tcpdump, the Radius Server is sending all known
CA Certificates to the Client during EAP TLS Negotiation.
Our Config looks like this:
private_key_file = ${certdir}/radius_server.key
On 06/21/2010 04:03 PM, Robert Franklin wrote:
When testing a new server certificate with a different chain to a new
root CA, I set up a separate eap module with different certificates.
Ah, good point and good suggestion. I had forgotten each module instance
has its own SSL context.
--
Joh
support multiple client CA certificates?
On 21 Jun 2010, at 19:53, John Dennis wrote:
> A (FreeRADIUS) virtual server does not have a different IP address nor would
> it have different subject names nor subject alt names.
>
> I'm not getting the feeling you understand how PKI w
On 21 Jun 2010, at 19:53, John Dennis wrote:
> A (FreeRADIUS) virtual server does not have a different IP address nor would
> it have different subject names nor subject alt names.
>
> I'm not getting the feeling you understand how PKI works, it might be
> worthwhile to read up on it.
When tes
John,
Thank you very much for your advice!
Regards,
Gina Zhang
-Original Message-
From: John Dennis [mailto:jden...@redhat.com]
Sent: Monday, June 21, 2010 1:54 PM
To: Zhang, Ge (Gina)
Cc: FreeRadius users mailing list
Subject: Re: Can freeradius support multiple client CA
On 06/21/2010 02:38 PM, Zhang, Ge (Gina) wrote:
John,
Thanks a lot for your response. If I configure multiple virtual server, would
it be possible?
A (FreeRADIUS) virtual server does not have a different IP address nor
would it have different subject names nor subject alt names.
I'm not ge
Subject: Re: Can freeradius support multiple client CA certificates?
On 06/21/2010 01:01 PM, Zhang, Ge (Gina) wrote:
> John,
>
> Is it possible to support multiple sets of server certificates so that
> one group customer would use one server CA file?
This is a basic PKI question
On 06/21/2010 01:01 PM, Zhang, Ge (Gina) wrote:
John,
Is it possible to support multiple sets of server certificates so that one
group customer would use
one server CA file?
This is a basic PKI question, not really FreeRADIUS. In PKI there can
only be one certificate per server. You would ha
-users-bounces+gina.zhang=alcatel-lucent@lists.freeradius.org]
On Behalf Of Zhang, Ge (Gina)
Sent: Monday, June 21, 2010 11:52 AM
To: John Dennis; FreeRadius users mailing list
Subject: RE: Can freeradius support multiple client CA certificates?
John,
Thank you very much for the information! I
CA certificates?
On 06/21/2010 12:00 PM, Zhang, Ge (Gina) wrote:
> Hi list,
>
> Is it possible to support multiple client CA certificates?
> Suppose we want to support different customer groups. Each group has
> its own CA certificate. Can freeradius support that?
Yes, if the CA
On 06/21/2010 12:00 PM, Zhang, Ge (Gina) wrote:
Hi list,
Is it possible to support multiple client CA certificates?
Suppose we want to support different customer groups. Each group has
its own CA certificate. Can freeradius support that?
Yes, if the CA's are in a bundle set CA_fi
Hi list,
Is it possible to support multiple client CA certificates?
Suppose we want to support different customer groups. Each group has
its own CA certificate. Can freeradius support that?
Thanks a lot!
Gina Zhang
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list
Ah, I never considered that other people's gear (besides my own) wouldn't
support SHA1. Would you consider then the following patch to the README file
so that people can make an informed decision?
--- README.orig2009-08-09 18:31:53.0 -0500
+++ README2009-08-09 18:42:06.0 -0
Walter Goulet wrote:
> While I was building a version of FreeRADIUS 2.1.6 from source I was
> testing the certificates that are created using the certs makefile. I
> noticed that the CA certs (as well as server and client certs) use the
> default OpenSSL md5rsa signature algorithm. From the recentl
Hi,
While I was building a version of FreeRADIUS 2.1.6 from source I was testing
the certificates that are created using the certs makefile. I noticed that
the CA certs (as well as server and client certs) use the default OpenSSL
md5rsa signature algorithm. From the recently announced vulnerabilit
hello,
we are running our own PKI with a 3 level hierarchy:
it-master-class1(self-signed) -> it-ca-class2 -> it-ca-class3.
it-ca-class3 signed our radius server (radiux-pkiit-2008.pem)
In eap.conf file in the tls section I have
tls {
private_key_password = secret
private_key_file = ${certdir}/ra
Johan Nyman wrote:
> Can I extend the expire days for the CA certificate (ca.cnf) ?
Edit the "default_days" parameter. This is documented in OpenSSL.
> And if possible how long can I extend it as maximum?
See the OpenSSL documentation for its configuration files.
Alan DeKok.
Hello All,
Can I extend the expire days for the CA certificate (ca.cnf) ?
And if possible how long can I extend it as maximum?
Right now the ca certificate's maximum days are 30.
Best regards,
Johan Nyman
On 6/1/06, sumi thra <[EMAIL PROTECTED]> wrote:
Anybody know how to revoke the certificates? What changes need to be
done in the freeradius eap.conf file.
No possible changes there will help you in that purpose. Having said
that, I'd like to provide some details I found while digging around
Hey All,
Anybody know how to revoke the certificates? What changes need to be done in the freeradius eap.conf file.
I'm trying to do it in the way it's given in the default config file:
OpenSSL command to revoke the ca-certificate:
openssl ca -gencrl -keyfile ./privatekey.pem -cert cacert.pem rev
22 matches