[RADIATOR] Trust client certificates of a specific issuing CA
Heikki Vatiainen
hvn at open.com.au
Fri May 5 08:58:05 UTC 2017
On 21.4.2017 17.11, Philip Brusten wrote:

> OpenSSL added a new feature in 1.0.2 to accept a partial chain.
>
> It can be set using this flag X509_V_FLAG_PARTIAL_CHAIN which you could
> set using the Net::SSLeay::X509_STORE_set_flags
>
> Perhaps you could make an EAPTLS-setting for this flag in Radiator?

Getting back to this, yes that's a good idea. We'll take a look at
adding it. That was my intention too, I just did not acknowledge it
until now.

Meanwhile, here's something I found that might be of interest for you in
case you are interested in tweaking certs:

https://security.stackexchange.com/questions/17391/can-an-intermediate-ca-be-trusted-like-a-self-signed-root-ca

The idea in the best answer is to modify the intermediate CA to look
like a root CA or alternatively use your own root CA to create a
modified chain.

Thanks for your suggestions and comments!
Heikki
--
Heikki Vatiainen <hvn at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
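
Added example, not part of the original message and not Radiator or OpenSSL project code: the effect of the partial-chain flag discussed above, shown with `openssl verify -partial_chain`, the command-line form of X509_V_FLAG_PARTIAL_CHAIN. It assumes an `openssl` binary (1.1.0 or later) on the PATH; the demo PKI, file names and function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed demo PKI: one root, two issuing CAs (a, b), one client cert under each.
# Every name and file here is made up for this example.
issue() {   # issue <dir> <name> <signer> <ca|leaf>
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.pem" -CAkey "$1/$3.key" \
        -CAcreateserial -days 2 -extfile "$1/$4.ext" -out "$1/$2.pem" 2>/dev/null
}

make_demo_pki() {   # make_demo_pki <dir>
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$1/ca.ext"
    printf 'basicConstraints=CA:FALSE\n' > "$1/leaf.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=demo-root" \
        -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null &&
    issue "$1" issuing-a root ca && issue "$1" issuing-b root ca &&
    issue "$1" client-a issuing-a leaf && issue "$1" client-b issuing-b leaf &&
    cat "$1/issuing-a.pem" "$1/issuing-b.pem" > "$1/intermediates.pem"
}

# Trust anchor = root; intermediates are supplied untrusted, as a TLS peer would send them.
accepted_via_root() {   # accepted_via_root <dir> <client>
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/intermediates.pem" \
        "$1/$2.pem" >/dev/null 2>&1
}

# Trust store holds only issuing CA "a"; the root is deliberately absent.
# Optional third argument: -partial_chain (X509_V_FLAG_PARTIAL_CHAIN).
accepted_via_issuing_a() {   # accepted_via_issuing_a <dir> <client> [-partial_chain]
    openssl verify ${3:-} -CAfile "$1/issuing-a.pem" "$1/$2.pem" >/dev/null 2>&1
}

DEMO_DIR=$(mktemp -d) && make_demo_pki "$DEMO_DIR" || exit 1
trap 'rm -rf "$DEMO_DIR"' EXIT   # demo keys are throwaway; remove them on exit
for c in client-a client-b; do
    accepted_via_root "$DEMO_DIR" "$c" && r=accept || r=reject
    accepted_via_issuing_a "$DEMO_DIR" "$c" && s=accept || s=reject
    accepted_via_issuing_a "$DEMO_DIR" "$c" -partial_chain && p=accept || p=reject
    echo "$c: root-anchor=$r issuing-a-only=$s issuing-a+partial_chain=$p"
done
```

With the root as anchor both clients verify; with only issuing CA "a" in the trust store, nothing verifies until the partial-chain flag is set, and then only client-a does. The chain then stops at the issuing CA, so nothing above it is consulted during verification.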