[RADIATOR] Trust client certificates of a specific issuing CA
Philip Brusten
philip.brusten at kuleuven.be
Wed May 24 10:28:14 UTC 2017
On 5/05/2017 10:58, Heikki Vatiainen wrote:
> On 21.4.2017 17.11, Philip Brusten wrote:
>
>> OpenSSL added a new feature in 1.0.2 to accept a partial chain.
>>
>> It can be set using this flag X509_V_FLAG_PARTIAL_CHAIN which you
>> could set using the Net::SSLeay::X509_STORE_set_flags
>>
>> Perhaps you could make a EAPTLS-setting for this flag in Radiator?
>
> Getting back to this, yes that's a good idea. We'll take a look at
> adding it. That was my intention too, I just did not acknowledge it
> until now.
>
> Meanwhile, here's something I found that might be of interest for you
> in case you are interested in tweaking certs:
>
> https://security.stackexchange.com/questions/17391/can-an-intermediate-ca-be-trusted-like-a-self-signed-root-ca
>
>
> The idea in the best answer is to modify the intermediate CA to look
> like a root CA or alternatively use your own root CA to create a
> modified chain.
Hmm, sounds like a dirty workaround. I think it's better to wait for the
X509_V_FLAG_PARTIAL_CHAIN flag in the RADIATOR software. Since we force
a CRL check, certificates from other intermediate CAs won't be trusted
because of this.
We will be happy to test this for you if you have a patch.
Regards,
Philip
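As an added illustration of the Net::SSLeay approach discussed in this thread (example code, not Radiator's own and not something either poster provided): the context below trusts only the issuing intermediate CA, so a client certificate whose chain ends at that intermediate verifies, while one issued by a sibling intermediate under the same root does not. The file names, the helper name `new_partial_chain_ctx` and the assumption that the installed Net::SSLeay exports the X509_V_FLAG_PARTIAL_CHAIN constant (it needs OpenSSL 1.0.2 or later underneath) are mine.

```perl
use strict;
use warnings;
use Net::SSLeay qw(die_now);

Net::SSLeay::load_error_strings();
Net::SSLeay::SSLeay_add_ssl_algorithms();
Net::SSLeay::randomize();

# Build an SSL_CTX whose trust store contains only the issuing
# intermediate CA (plus its CRL) and is allowed to stop chain
# building there instead of demanding a self-signed root.
# Assumed inputs: intermediate.pem (CA cert), crl.pem (its CRL).
sub new_partial_chain_ctx {
    my ($intermediate_file, $crl_file) = @_;

    my $ctx = Net::SSLeay::CTX_new()
        or die_now("CTX_new failed");

    # Only the intermediate goes into the store; the root is omitted
    # on purpose so that sibling intermediates cannot chain up to it.
    Net::SSLeay::CTX_load_verify_locations($ctx, $intermediate_file, '')
        or die_now("cannot load $intermediate_file");

    my $store = Net::SSLeay::CTX_get_cert_store($ctx);

    # Load the intermediate's CRL so revoked client certs are rejected.
    my $lookup = Net::SSLeay::X509_STORE_add_lookup(
        $store, Net::SSLeay::X509_LOOKUP_file());
    Net::SSLeay::X509_load_crl_file(
        $lookup, $crl_file, Net::SSLeay::FILETYPE_PEM())
        or die_now("cannot load $crl_file");

    # Without X509_V_FLAG_PARTIAL_CHAIN the verifier would report
    # "unable to get issuer certificate" because no root is present.
    my $flags = Net::SSLeay::X509_V_FLAG_PARTIAL_CHAIN()
              | Net::SSLeay::X509_V_FLAG_CRL_CHECK();
    Net::SSLeay::X509_STORE_set_flags($store, $flags);

    # Require a client certificate and fail the handshake if it does
    # not verify against this store.
    Net::SSLeay::CTX_set_verify(
        $ctx,
        Net::SSLeay::VERIFY_PEER() | Net::SSLeay::VERIFY_FAIL_IF_NO_PEER_CERT(),
        undef);

    return $ctx;
}

my $ctx = new_partial_chain_ctx('intermediate.pem', 'crl.pem');
```

The same trust decision can be checked from the command line with `openssl verify -partial_chain -CAfile intermediate.pem client.pem`, which succeeds for the issuing CA's leaf certificates and fails for a leaf issued by any other intermediate.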