[RADIATOR] Can't get chain certificates to work

Heikki Vatiainen hvn at open.com.au
Tue Jan 11 09:10:05 CST 2011


On 01/11/2011 01:58 PM, Rianto Wahyudi wrote:

Hello,

> I did not choose or select any trusted root certification authorities / anchor as I originally thought that windows is smart enough to do it automatically. 

It probably could choose it automatically, but I think it will not for
security reasons. In other words, this should be considered a feature.

If it automatically accepts a certificate that has a known root CA and a
valid CA certificate chain, this leaves the client vulnerable to
attackers with a valid certificate from any valid root CA.

For example many eduroam sites advise the users to choose these from
Windows PEAP settings:
- Validate server certificate
- Connect to these servers (eduroam.latrobe.edu.au in your case)
- Choose the correct CA cert from the list of "Trusted Root Certificate
Authorities"
- Check "Do not prompt user to authorize new servers ..."

When these are set, the client will only build a TLS tunnel to your server.

> If I select thawte Primary Root CA as trusted anchor the connection seems to be working.

Sounds correct. I also took a look at the certificate you sent, and the
CA path seems to be correct. Your cert was signed by "Issuer: C=US,
O=Thawte, Inc., CN=Thawte SSL CA"

> The other problem is that not all clients have that specific thawte certificate installed on their PC.

I think that thawte certificate is very common. It should be installed
in most systems.

> Do you think I should change certificate provider ? If so do you guys have any recommendation of which SSL provider I should use ?

I think your certificate provider should be common enough so that
changing would not be that useful. I can not name a provider that would
be better. There are many I would say are equally common, but I can not
name any that is considerably more common than the one you have.

> In windows 7, do you have to select a trusted root certification authorities or will it just work automatically if I use well known provider ? 

I do not remember how windows 7 behaves if you have not chosen the CA. It
will probably at least show the certificate and prompt whether it should
be accepted.

Please consider that choosing the CA and naming the radius server can be
thought of as a feature and should be done to make sure your client does
not end up sending its credentials to unknown, possibly hostile,
servers. It's a bit of work, but it needs to be done only once per client.

> Regards,
> Rianto 

Best regards,
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
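The four PEAP settings listed in the message interact in a way that is easy to get wrong, so the following is an added model of the client's server-validation decision. It is not code from the original post, from Radiator, or from Windows: certificates are reduced to (subject CN, issuer CN) pairs with no real X.509 parsing or signature checking, the root store and the rogue chain are constructed, and the legitimate chain only reuses the names quoted in the message. It shows why "Validate server certificate" on its own still accepts a server whose certificate chains to any other installed public root, and why ticking the CA and naming the server closes that gap.

```python
"""Model of the Windows PEAP server-validation decision (constructed example).

Certificates are modelled as (subject CN, issuer CN) pairs only.
"""
from dataclasses import dataclass, field

# Constructed sample chains, leaf first. The legitimate chain follows the
# CA path quoted in the message; the rogue chain is invented.
LEGIT_CHAIN = [
    ("eduroam.latrobe.edu.au", "Thawte SSL CA"),
    ("Thawte SSL CA", "thawte Primary Root CA"),
]
ROGUE_CHAIN = [
    ("rogue-ap.example", "Other Public CA Issuing"),
    ("Other Public CA Issuing", "Other Public CA Root"),
]

# Roots assumed to be pre-installed in the client's "Trusted Root
# Certification Authorities" store (constructed list).
INSTALLED_ROOTS = {"thawte Primary Root CA", "Other Public CA Root"}


@dataclass
class PeapSettings:
    """The four checkboxes from the PEAP properties dialog."""
    validate_server_certificate: bool = True
    server_names: set = field(default_factory=set)      # "Connect to these servers"
    trusted_root_cas: set = field(default_factory=set)  # ticked CAs; empty = any installed root
    prompt_for_new_servers: bool = True                 # inverse of "Do not prompt user ..."


def find_root(chain, installed_roots):
    """Walk issuer links from the leaf upwards.

    Returns the root CN if the chain is internally consistent and ends at a
    root present in the store, otherwise None.
    """
    _, issuer = chain[0]
    for next_subject, next_issuer in chain[1:]:
        if next_subject != issuer:
            return None  # broken chain: an intermediate does not match the issuer below it
        issuer = next_issuer
    return issuer if issuer in installed_roots else None


def decide(settings, chain, installed_roots=INSTALLED_ROOTS):
    """Return 'accept', 'reject' or 'prompt' for the presented server chain."""
    if not settings.validate_server_certificate:
        return "accept"  # no validation at all: credentials go to whoever answers
    root = find_root(chain, installed_roots)
    ok = root is not None
    if ok and settings.trusted_root_cas:
        ok = root in settings.trusted_root_cas      # the chosen CA must be the one at the top
    if ok and settings.server_names:
        ok = chain[0][0] in settings.server_names   # leaf must be one of the named servers
    if ok:
        return "accept"
    return "prompt" if settings.prompt_for_new_servers else "reject"


def scenarios():
    """Compare a client that only validates the chain with a fully configured one."""
    loose = PeapSettings()  # "Validate server certificate" ticked, nothing else chosen
    strict = PeapSettings(
        server_names={"eduroam.latrobe.edu.au"},
        trusted_root_cas={"thawte Primary Root CA"},
        prompt_for_new_servers=False,
    )
    return {
        "loose/legit": decide(loose, LEGIT_CHAIN),
        "loose/rogue": decide(loose, ROGUE_CHAIN),    # accepted: any installed root will do
        "strict/legit": decide(strict, LEGIT_CHAIN),
        "strict/rogue": decide(strict, ROGUE_CHAIN),  # rejected without prompting the user
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:13s} -> {verdict}")
```

The "loose/rogue" row is the case the message warns about: the rogue chain is perfectly valid, it just ends at a different public root, and a client that has not ticked a specific CA or named its server has no reason to refuse it. Leaving "Do not prompt user to authorize new servers" unticked turns that rejection into a prompt, which pushes the decision back onto the user.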

