[RADIATOR] How to not set EAPTLS_CAFile
Christopher Bongaarts
cab at umn.edu
Wed Mar 9 12:58:42 CST 2016
For our PEAP and TTLS EAP methods, we don't use client certificates, so
we'd like to avoid specifying an EAPTLS_CAFile (or CAPath) setting
altogether. But if I omit it (or try something nefarious like
EAPTLS_CAFile /dev/null), auth always fails with the error:
ERR: TLS could not load_verify_locations , :
or
ERR: TLS could not load_verify_locations /dev/null, :
Additionally, we are seeing the root certificate from the EAPTLS_CAFile
added to the certificate chain sent to the client during TLS
negotiation. This is expected behavior if you use
EAPTLS_CertificateFile (it's essentially openssl filling out the chain
for you), but we are using EAPTLS_CertificateChainFile, which should not
do so. We first noticed it because we had inadvertently left the root
CA in the cert chain loaded with CertificateChainFile, and clients were
getting the (unnecessary) root CA *twice*. We fixed that, so now it's
down to one, but we'd still like to get it down to zero :)
This is on Radiator 4.14, Net::SSLeay 1.35, openssl 1.0.1e+patches
(RHEL6). Any ideas? I might try putting in a newer Net::SSLeay version
in case it's fixed there...
--
%% Christopher A. Bongaarts %% cab at umn.edu %%
%% OIT - Identity Management %% http://umn.edu/~cab %%
%% University of Minnesota %% +1 (612) 625-1809 %%