[RADIATOR] How to not set EAPTLS_CAFile (radiator Digest, Vol 82, Issue 5)
David Zych
dmrz at illinois.edu
Thu Mar 10 13:13:05 CST 2016
On 03/09/2016 12:58 PM, Christopher Bongaarts wrote:
> Additionally, we are seeing the root certificate from the EAPTLS_CAFile
> added to the certificate chain sent to the client during TLS
> negotiation. This is expected behavior if you use
> EAPTLS_CertificateFile (it's essentially openssl filling out the chain
> for you), but we are using EAPTLS_CertificateChainFile, which should not
> do so. We first noticed it because we had inadvertently left the root
> CA in the cert chain loaded with CertificateChainFile, and clients were
> getting the (unnecessary) root CA *twice*. We fixed that, so now it's
> down to one, but we'd still like to get it down to zero :)
Setting EAPTLS_CAPath instead has worked fine for me (it's irrelevant,
but doesn't hurt anything).
EAPTLS_CertificateType PEM
EAPTLS_CertificateChainFile %D/ssl/xxx.chain.pem
EAPTLS_PrivateKeyFile %D/ssl/xxx.key
# CAPath is irrelevant, but radiator won't load without it
EAPTLS_CAPath %D/ssl
--
David Zych
Lead Network Service Engineer
University of Illinois Technology Services
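As an added check, not from the thread or from Radiator itself: a stdlib-only Python scan of a PEM chain file (the kind handed to EAPTLS_CertificateChainFile) that reports any entry whose issuer equals its subject, so a root CA left in the file is caught before every client is sent it. fake_cert_pem builds constructed, structurally minimal test data, not a real certificate; the DER walker only reads tag/length framing and the Name fields.

```python
import base64
import re

# Added example, not code from the Radiator thread: flag self-signed entries
# in a PEM chain file, i.e. a root CA that clients would receive needlessly.
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def tlv(buf, pos):
    """Decode one DER TLV at pos -> (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_and_subject(der):
    """Raw DER (issuer, subject) Name encodings from one X.509 certificate."""
    _, pos, _ = tlv(der, 0)                          # Certificate SEQUENCE
    _, pos, tbs_end = tlv(der, pos)                  # tbsCertificate SEQUENCE
    fields = []                                      # (start, end) of each TBS field
    while pos < tbs_end:
        tag, _, end = tlv(der, pos)
        if tag != 0xA0:                              # skip optional [0] version
            fields.append((pos, end))
        pos = end
    # tbsCertificate order: serialNumber, signature, issuer, validity, subject
    return der[slice(*fields[2])], der[slice(*fields[4])]

def self_signed_indexes(pem):
    """0-based positions of chain entries whose issuer == subject (a root)."""
    roots = []
    for i, m in enumerate(PEM_RE.finditer(pem)):
        der = base64.b64decode(b"".join(m.group(1).split()))
        issuer, subject = issuer_and_subject(der)
        if issuer == subject:
            roots.append(i)
    return roots

def fake_cert_pem(issuer_cn, subject_cn):
    """Constructed, structurally minimal (unsigned, invalid) cert for testing."""
    def d(tag, *parts):                              # short-form DER TLV
        body = b"".join(parts)
        return bytes([tag, len(body)]) + body
    def name(cn):                                    # Name: SEQ{SET{SEQ{OID CN, str}}}
        return d(0x30, d(0x31, d(0x30, d(0x06, b"\x55\x04\x03"), d(0x13, cn.encode()))))
    tbs = d(0x30, d(0xA0, d(0x02, b"\x02")), d(0x02, b"\x01"), d(0x30),
            name(issuer_cn), d(0x30), name(subject_cn), d(0x30))
    cert = d(0x30, tbs, d(0x30), d(0x03, b"\x00"))
    return (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert)
            + b"-----END CERTIFICATE-----\n")
```

Run self_signed_indexes on the bytes of your real chain file; an empty list means no root is being shipped to clients from that file.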