[RADIATOR] How to not set EAPTLS_CAFile (radiator Digest, Vol 82, Issue 5)

David Zych dmrz at illinois.edu
Thu Mar 10 13:13:05 CST 2016


On 03/09/2016 12:58 PM, Christopher Bongaarts wrote:
> Additionally, we are seeing the root certificate from the EAPTLS_CAFile
> added to the certificate chain sent to the client during TLS
> negotiation.  This is expected behavior if you use
> EAPTLS_CertificateFile (it's essentially openssl filling out the chain
> for you), but we are using EAPTLS_CertificateChainFile, which should not
> do so.  We first noticed it because we had inadvertently left the root
> CA in the cert chain loaded with CertificateChainFile, and clients were
> getting the (unnecessary) root CA *twice*.  We fixed that, so now it's
> down to one, but we'd still like to get it down to zero :)

Setting EAPTLS_CAPath instead has worked fine for me (it's irrelevant,
but doesn't hurt anything).

  EAPTLS_CertificateType PEM
  EAPTLS_CertificateChainFile %D/ssl/xxx.chain.pem
  EAPTLS_PrivateKeyFile %D/ssl/xxx.key
  # CAPath is irrelevant, but radiator won't load without it
  EAPTLS_CAPath %D/ssl


-- 
David Zych
Lead Network Service Engineer
University of Illinois Technology Services
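The mistake Christopher describes above (root CA left in the chain file, so the client receives it twice) is easy to catch before Radiator ever loads the file. The script below is an added example, not code from this thread or from Radiator: it lints a PEM file intended for EAPTLS_CertificateChainFile, flagging self-signed entries (a root CA, which clients already have in their trust store), duplicate entries, and breaks in issuer-to-subject ordering. It uses only the Python standard library with a minimal DER walker, does no signature checking, and the sample chain it runs on is constructed inline from unsigned fake certificates just to exercise the checks (the CN values are made up).

```python
"""Lint a PEM chain file meant for EAPTLS_CertificateChainFile.

Added example (not from the radiator list thread or from Radiator itself).
Flags: self-signed entries (root CAs), duplicate entries, and chain-order
breaks. The certificates built at the bottom are constructed, unsigned
stand-ins used only to demonstrate the checks."""
import base64
import hashlib
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_ders(pem_bytes):
    """Split a PEM file into the DER bytes of each CERTIFICATE block."""
    return [base64.b64decode(b"".join(m.group(1).split())) for m in PEM_RE.finditer(pem_bytes)]


def der_tlv(buf, pos=0):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Return the (tag, value) TLVs directly inside a SEQUENCE/SET body."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out


def names_of(der):
    """Return (issuer, subject) Name bodies of an X.509 certificate.
    Certificate = SEQ{ tbs SEQ{ [0]version?, serial, sigalg, issuer, validity, subject, ... }, ... }"""
    _, cert, _ = der_tlv(der)
    tbs = der_children(der_children(cert)[0][1])
    if tbs[0][0] == 0xA0:  # explicit [0] version present -> skip it
        tbs = tbs[1:]
    return tbs[2][1], tbs[4][1]


def lint_chain(pem_bytes):
    """Return a list of findings for a chain file; an empty list means clean."""
    findings, seen, names = [], {}, []
    for i, der in enumerate(pem_to_ders(pem_bytes)):
        fp = hashlib.sha256(der).hexdigest()[:16]
        if fp in seen:
            findings.append(f"cert {i}: duplicate of cert {seen[fp]} (sha256 {fp})")
        seen.setdefault(fp, i)
        issuer, subject = names_of(der)
        names.append((issuer, subject))
        if issuer == subject:
            findings.append(f"cert {i}: self-signed (root CA); clients already trust roots, drop it from the chain file")
    for i in range(len(names) - 1):  # each cert's issuer must be the next cert's subject
        if names[i][0] != names[i + 1][1]:
            findings.append(f"cert {i}: issuer does not match subject of cert {i + 1}; chain order is broken")
    return findings


# --- constructed sample input (fake, unsigned certificates) -----------------
def der(tag, content):
    """Minimal DER encoder (short and long length forms)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def fake_name(cn):
    """X.501 Name with a single CN attribute (OID 2.5.4.3)."""
    attr = der(0x30, der(0x06, b"\x55\x04\x03") + der(0x13, cn.encode()))
    return der(0x30, der(0x31, attr))


def fake_cert(subject_cn, issuer_cn):
    """Structurally valid but unsigned certificate: enough for the checks above."""
    tbs = der(0x30, b"".join([
        der(0xA0, der(0x02, b"\x02")),                                   # [0] version v3
        der(0x02, b"\x01"),                                              # serialNumber
        der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")),   # sha256WithRSAEncryption
        fake_name(issuer_cn),
        der(0x30, der(0x17, b"160101000000Z") + der(0x17, b"260101000000Z")),  # validity
        fake_name(subject_cn),
        der(0x30, b""),                                                  # subjectPublicKeyInfo placeholder
    ]))
    cert = der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert) + b"-----END CERTIFICATE-----\n"


# Constructed chain mirroring the thread: server cert, intermediate, root CA included twice.
BAD_CHAIN = b"".join([
    fake_cert("radius.example.edu", "Example Intermediate CA"),
    fake_cert("Example Intermediate CA", "Example Root CA"),
    fake_cert("Example Root CA", "Example Root CA"),
    fake_cert("Example Root CA", "Example Root CA"),
])
# What the chain file should hold: server cert plus intermediates, no root.
GOOD_CHAIN = b"".join([
    fake_cert("radius.example.edu", "Example Intermediate CA"),
    fake_cert("Example Intermediate CA", "Example Root CA"),
])

if __name__ == "__main__":
    for label, chain in (("bad", BAD_CHAIN), ("good", GOOD_CHAIN)):
        print(label, lint_chain(chain) or ["clean"])
```

Point lint_chain() at the real file referenced by EAPTLS_CertificateChainFile (read it in binary mode) before restarting Radiator; the "clean" result corresponds to the chain configured in the post above, where the root is absent from the chain file and the trust anchors live elsewhere.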