[RADIATOR] Can't get chain certificates to work

Stephen A. Felicetti stephen.felicetti at fccc.edu
Fri Nov 5 08:50:45 CDT 2010


Success!!!

David, Per your suggestion, I added: EAPTLS_CAPath %D/certificates/cert/ca
Andrew, Per your suggestion, I placed the server cert first inline in the chain cert file. So server cert first, then chain cert second.

Many thanks, Andrew and David

On Nov 4, 2010, at 5:21 PM, David Zych wrote:

On 1:59 PM, Stephen A. Felicetti wrote:
> On Nov 4, 2010, at 3:32 PM, David Zych wrote:
>>
>> I fought with this same issue and eventually discovered that the
>> Radiator documentation is misleading: including both an
>> EAPTLS_CertificateFile (for the server cert) and an
>> EAPTLS_CertificateChainFile (for the intermediate cert) does not work
>> because the underlying call to SSL_CTX_use_certificate_chain_file()
>> expects a *single* file that contains *all* of the necessary certs.
>>
>> What you want to do is put them all in one file with yours on top:
>> cat wirelesscert.pem thawte.SSL123bundle.pem >  fullchain.pem
>>
>> and specify:
>> EAPTLS_CertificateChainFile %D/certificates/cert/fullchain.pem
>>
>> (do not include an EAPTLS_CertificateFile directive)
>
> If I exclude the EAPTLS_CAFile, I get the following error:
>
> Thu Nov  4 16:06:42 2010: ERR: TLS could not load_verify_locations , :
> Thu Nov  4 16:06:42 2010: DEBUG: EAP result: 1, EAP TTLS Could not initialise context
> Thu Nov  4 16:06:42 2010: DEBUG: AuthBy FILE result: REJECT, EAP TTLS Could not initialise context
> Thu Nov  4 16:06:42 2010: INFO: Access rejected for fistrainlap8: EAP TTLS Could not initialise context

You still need to specify either a EAPTLS_CAFile or EAPTLS_CAPath (it
doesn't really mean much if you're not using client certs, but as you've
just discovered, TTLS can't initialize without the declaration).


-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.open.com.au/pipermail/radiator/attachments/20101105/436cc171/attachment-0001.html 


More information about the radiator mailing list