[RADIATOR] TLS_CertificateChainFile within ServerRADSEC not working?
Jan Tomasek
jan at tomasek.cz
Thu Apr 16 05:33:42 CDT 2015
Hello,
TLS_CAFile is for the set of trusted CAs. It works for me too. I need
TLS_CertificateChainFile, which is used for sending intermediate CA
certificates to the client, and this is what causes the trouble.
Jan
On 04/16/2015 11:43 AM, Waßerroth, Stephan wrote:
> Hi,
>
> This is our (working...) config for eduroam with RADSEC:
> <ServerRADSEC>
> Port 2083
> Protocol tcp
> Secret whatever...
> UseTLS
> TLS_CAFile %D/RADSEC-PKI-CA_chain.pem
> TLS_CertificateFile %D/server.pem
> TLS_CertificateType PEM
> TLS_PrivateKeyFile %D/server.key
> TLS_RequireClientCert
> Identifier radsec
> </ServerRADSEC>
>
> The file RADSEC-PKI-CA_chain.pem contains the whole CA chain, starting with the top CA cert and working down...
>
> Hope, this helps...
>
> Best regards,
> Stephan
>
> --
> Stephan Waßerroth
> Head of Core IT-Services
> Fraunhofer-Fokus | Kaiserin-Augusta-Allee 31 | D-10589 Berlin
> e-mail: stephan.wasserroth at fokus.fraunhofer.de
>
>
>
>> -----Original Message-----
>> From: radiator-bounces at open.com.au [mailto:radiator-bounces at open.com.au]
>> On Behalf Of Jan Tomasek
>> Sent: Thursday, April 16, 2015 11:32 AM
>> To: radiator at open.com.au
>> Subject: [RADIATOR] TLS_CertificateChainFile within ServerRADSEC not
>> working?
>>
>> Hello,
>>
>> I'm trying to configure ServerRADSEC to send a certificate chain but it won't
>> work :(
>>
>> <ServerRADSEC>
>> Secret mysecret
>> BindAddress ::,0.0.0.0
>>
>> UseTLS
>> TLS_CAFile /etc/radiator/trusted-CA.pem
>> TLS_CertificateType PEM
>> TLS_CertificateFile /etc/ssl/certs/eduroom.cesnet.cz.crt
>> TLS_PrivateKeyFile /etc/ssl/private/eduroom.cesnet.cz.key
>> TLS_CertificateChainFile /etc/ssl/certs/TERENA_SSL_CA_2.pem
>>
>>
>> root at eduroom:/var/log/arch/radiator# cat
>> /etc/ssl/certs/TERENA_SSL_CA_2.pem
>> -----BEGIN CERTIFICATE-----
>> -----END CERTIFICATE-----
>>
>> When a client connects, Radiator prints:
>>
>>> Thu Apr 16 11:29:29 2015: DEBUG: Stream connected to
>> 2001:718:1:6:ea94:f6ff:fe33:651e:60211
>>> Thu Apr 16 11:29:29 2015: DEBUG: StreamTLS sessionInit for
>> 2001:718:1:6:ea94:f6ff:fe33:651e
>>> Thu Apr 16 11:29:29 2015: ERR: StreamTLS could not create SSL:
>> Net::SSLeay::new failed: 17482: 1 - error:140BA0C3:SSL
>> routines:SSL_new:null ssl ctx
>>> ,Inappropriate ioctl for device
>>> Thu Apr 16 11:29:29 2015: DEBUG: New StreamServer Connection created for
>> 2001:718:1:6:ea94:f6ff:fe33:651e:60211
>>> Thu Apr 16 11:29:29 2015: DEBUG: Stream connected to
>> 2001:718:e:0:ea94:f6ff:fe3f:68d8:32903
>>> Thu Apr 16 11:29:29 2015: DEBUG: StreamTLS sessionInit for
>> 2001:718:e:0:ea94:f6ff:fe3f:68d8
>>> Thu Apr 16 11:29:29 2015: ERR: StreamTLS could not create SSL:
>> Net::SSLeay::new failed: 17482: 1 - error:140BA0C3:SSL
>> routines:SSL_new:null ssl ctx
>>> ,Inappropriate ioctl for device
>>> Thu Apr 16 11:29:29 2015: DEBUG: New StreamServer Connection created for
>> 2001:718:e:0:ea94:f6ff:fe3f:68d8:32903
>>> Thu Apr 16 11:29:30 2015: DEBUG: Stream connected to
>> 195.113.187.22:46764
>>> Thu Apr 16 11:29:30 2015: DEBUG: StreamTLS sessionInit for
>> 195.113.187.22
>>> Thu Apr 16 11:29:30 2015: ERR: StreamTLS could not create SSL:
>> Net::SSLeay::new failed: 17482: 1 - error:140BA0C3:SSL
>> routines:SSL_new:null ssl ctx
>>> ,Inappropriate ioctl for device
>>
>> Without TLS_CertificateChainFile everything works fine.
>>
>> Thanks for any help
>> --
>> -----------------------
>> Jan Tomasek aka Semik
>> http://www.tomasek.cz/
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
--
-----------------------
Jan Tomasek aka Semik
http://www.tomasek.cz/
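As an added example (not from the list post and not Radiator's own code), a small Python lint for a PEM chain file of the kind passed to TLS_CertificateChainFile: it checks that every block is a CERTIFICATE, that its body is non-empty and valid base64, and that the decoded bytes form exactly one complete DER SEQUENCE, which catches the empty, truncated or mis-pasted files that make a TLS context fail to load. The sample inputs are constructed minimal DER blobs, not real certificates.

```python
import base64
import re

# One PEM block: captures the label (e.g. CERTIFICATE) and the base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def der_length(der):
    """Total encoded length of the outermost DER element, or None if not a SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:      # an X.509 Certificate is a SEQUENCE
        return None
    first = der[1]
    if first < 0x80:                         # short-form length
        return 2 + first
    n = first & 0x7F                         # long-form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def lint_chain_file(text):
    """Return a list of problems found in a PEM chain file; an empty list means clean."""
    problems = []
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        problems.append("no PEM blocks found")
    for i, (label, body) in enumerate(blocks, 1):
        if label != "CERTIFICATE":
            problems.append(f"block {i}: unexpected type {label}")
            continue
        if not body.strip():
            problems.append(f"block {i}: empty body")
            continue
        try:
            # strip line breaks first; validate=True rejects any stray characters
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            problems.append(f"block {i}: invalid base64")
            continue
        if der_length(der) != len(der):      # truncated, padded or not a SEQUENCE
            problems.append(f"block {i}: not a single DER SEQUENCE")
    return problems

# Constructed samples: "MAMCAQE=" is the 5-byte DER SEQUENCE 30 03 02 01 01, not a certificate.
SAMPLE_CHAIN = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n" * 2
SAMPLE_EMPTY = "-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    print(lint_chain_file(SAMPLE_CHAIN))     # []
    print(lint_chain_file(SAMPLE_EMPTY))     # ['block 1: empty body']
```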