[RADIATOR] Trust client certificates of a specific issuing CA

Philip Brusten philip.brusten at kuleuven.be
Wed May 24 10:28:14 UTC 2017

On 5/05/2017 10:58, Heikki Vatiainen wrote:
> On 21.4.2017 17.11, Philip Brusten wrote:
>> OpenSSL added a new feature in 1.0.2 to accept a partial chain.
>> It can be set using this flag X509_V_FLAG_PARTIAL_CHAIN which you 
>> could set using the Net::SSLeay::X509_STORE_set_flags
>> Perhaps you could make a EAPTLS-setting for this flag in Radiator?
> Getting back to this, yes that's a good idea. We'll take a look at 
> adding it. That was my intention too, I just did not acknowledge it 
> until now.
> Meanwhile, here's I found something that might be of interest for you 
> in case you are interested in tweaking certs:
> https://security.stackexchange.com/questions/17391/can-an-intermediate-ca-be-trusted-like-a-self-signed-root-ca 
> The idea in the best answer is to modify the intermediate CA to look 
> like a root CA or alternatively use your own root CA to create a 
> modified chain.
Hmm, sounds like a dirty workaround. I think it's better to wait for the 
X509_V_FLAG_PARTIAL_CHAIN flag in the RADIATOR software. Since we force 
a CRL-check, certificates from other intermediate CA's won't be trusted 
because of this.

We will be happy to test this for you if you have a patch.


More information about the radiator mailing list