[RADIATOR] TLS_CertificateChainFile within ServerRADSEC not working?
Waßerroth, Stephan
stephan.wasserroth at fokus.fraunhofer.de
Thu Apr 16 04:43:57 CDT 2015
Hi,
This is our (working...) config for eduroam with RADSEC:
<ServerRADSEC>
Port 2083
Protocol tcp
Secret whatever...
UseTLS
TLS_CAFile %D/RADSEC-PKI-CA_chain.pem
TLS_CertificateFile %D/server.pem
TLS_CertificateType PEM
TLS_PrivateKeyFile %D/server.key
TLS_RequireClientCert
Identifier radsec
</ServerRADSEC>
The file RADSEC-PKI-CA_chain.pem contains the whole CA-chain starting with top CA cert working down...
Hope this helps...
Best regards,
Stephan
--
Stephan Waßerroth
Head of Core IT-Services
Fraunhofer-Fokus | Kaiserin-Augusta-Allee 31 | D-10589 Berlin
e-mail: stephan.wasserroth at fokus.fraunhofer.de
> -----Original Message-----
> From: radiator-bounces at open.com.au [mailto:radiator-bounces at open.com.au]
> On Behalf Of Jan Tomasek
> Sent: Thursday, April 16, 2015 11:32 AM
> To: radiator at open.com.au
> Subject: [RADIATOR] TLS_CertificateChainFile within ServerRADSEC not
> working?
>
> Hello,
>
> I'm trying to configure ServerRADSEC to send the certificate chain but it won't
> work :(
>
> <ServerRADSEC>
> Secret mysecret
> BindAddress ::,0.0.0.0
>
> UseTLS
> TLS_CAFile /etc/radiator/trusted-CA.pem
> TLS_CertificateType PEM
> TLS_CertificateFile /etc/ssl/certs/eduroom.cesnet.cz.crt
> TLS_PrivateKeyFile /etc/ssl/private/eduroom.cesnet.cz.key
> TLS_CertificateChainFile /etc/ssl/certs/TERENA_SSL_CA_2.pem
>
>
> root at eduroom:/var/log/arch/radiator# cat /etc/ssl/certs/TERENA_SSL_CA_2.pem
> -----BEGIN CERTIFICATE-----
> -----END CERTIFICATE-----
>
> When a client connects, Radiator prints:
>
> > Thu Apr 16 11:29:29 2015: DEBUG: Stream connected to 2001:718:1:6:ea94:f6ff:fe33:651e:60211
> > Thu Apr 16 11:29:29 2015: DEBUG: StreamTLS sessionInit for 2001:718:1:6:ea94:f6ff:fe33:651e
> > Thu Apr 16 11:29:29 2015: ERR: StreamTLS could not create SSL: Net::SSLeay::new failed: 17482: 1 - error:140BA0C3:SSL routines:SSL_new:null ssl ctx
> > ,Inappropriate ioctl for device
> > Thu Apr 16 11:29:29 2015: DEBUG: New StreamServer Connection created for 2001:718:1:6:ea94:f6ff:fe33:651e:60211
> > Thu Apr 16 11:29:29 2015: DEBUG: Stream connected to 2001:718:e:0:ea94:f6ff:fe3f:68d8:32903
> > Thu Apr 16 11:29:29 2015: DEBUG: StreamTLS sessionInit for 2001:718:e:0:ea94:f6ff:fe3f:68d8
> > Thu Apr 16 11:29:29 2015: ERR: StreamTLS could not create SSL: Net::SSLeay::new failed: 17482: 1 - error:140BA0C3:SSL routines:SSL_new:null ssl ctx
> > ,Inappropriate ioctl for device
> > Thu Apr 16 11:29:29 2015: DEBUG: New StreamServer Connection created for 2001:718:e:0:ea94:f6ff:fe3f:68d8:32903
> > Thu Apr 16 11:29:30 2015: DEBUG: Stream connected to 195.113.187.22:46764
> > Thu Apr 16 11:29:30 2015: DEBUG: StreamTLS sessionInit for 195.113.187.22
> > Thu Apr 16 11:29:30 2015: ERR: StreamTLS could not create SSL: Net::SSLeay::new failed: 17482: 1 - error:140BA0C3:SSL routines:SSL_new:null ssl ctx
> > ,Inappropriate ioctl for device
>
> Without TLS_CertificateChainFile everything works fine.
>
> Thanks for any help
> --
> -----------------------
> Jan Tomasek aka Semik
> http://www.tomasek.cz/
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
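
Added example, not part of either message and not Radiator code: a pre-flight check for PEM bundles such as the files named by TLS_CAFile and TLS_CertificateChainFile above. It reports, per CERTIFICATE block, whether the block actually carries decodable DER data, which is one thing worth ruling out before a server is asked to build its SSL context from the file. The function names and the sample bundle are constructed for illustration; only the outer DER wrapper is checked, not the X.509 contents or the chain order.

```python
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_length_ok(der: bytes) -> bool:
    """True if der is exactly one complete ASN.1 SEQUENCE (outer X.509 wrapper)."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        header, body = 2, first
    else:                                 # long-form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        header, body = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return len(der) == header + body

def check_bundle(pem_text: str) -> list:
    """Return one status string per CERTIFICATE block, in file order."""
    results = []
    for match in PEM_BLOCK.finditer(pem_text):
        b64 = "".join(match.group(1).split())
        if not b64:                       # BEGIN directly followed by END
            results.append("empty")
            continue
        try:
            der = base64.b64decode(b64, validate=True)
        except ValueError:                # binascii.Error is a ValueError
            results.append("bad-base64")
            continue
        results.append("ok" if der_length_ok(der) else "bad-der")
    return results

def _pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n"

# Constructed sample: tiny stand-in SEQUENCE, an empty block, a truncated block.
SAMPLE = (
    _pem(b"\x30\x03\x02\x01\x01")
    + "-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----\n"
    + _pem(b"\x30\x05\x02\x01\x01")
)

if __name__ == "__main__":
    print(check_bundle(SAMPLE))
```

To use it on a real bundle, pass the file's text to check_bundle() and expect "ok" for every block.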