Hello,

TLS_CAFile is for the set of trusted CAs. It works for me too. I need TLS_CertificateChainFile, which is used for sending intermediate CA certificates to the client, and this causes trouble.
Jan

On 04/16/2015 11:43 AM, Waßerroth, Stephan wrote:
> Hi,
>
> This is our (working...) config for eduroam with RADSEC:
>
> <ServerRADSEC>
>         Port 2083
>         Protocol tcp
>         Secret whatever...
>         UseTLS
>         TLS_CAFile %D/RADSEC-PKI-CA_chain.pem
>         TLS_CertificateFile %D/server.pem
>         TLS_CertificateType PEM
>         TLS_PrivateKeyFile %D/server.key
>         TLS_RequireClientCert
>         Identifier radsec
> </ServerRADSEC>
>
> The file RADSEC-PKI-CA_chain.pem contains the whole CA chain, starting with
> the top CA cert and working down...
>
> Hope this helps...
>
> Best regards,
> Stephan
>
> --
> Stephan Waßerroth
> Head of Core IT-Services
> Fraunhofer-Fokus | Kaiserin-Augusta-Allee 31 | D-10589 Berlin
> e-mail: stephan.wasserr...@fokus.fraunhofer.de
>
>
>> -----Original Message-----
>> From: radiator-boun...@open.com.au [mailto:radiator-boun...@open.com.au]
>> On Behalf Of Jan Tomasek
>> Sent: Thursday, April 16, 2015 11:32 AM
>> To: radiator@open.com.au
>> Subject: [RADIATOR] TLS_CertificateChainFile within ServerRADSEC not working?
>>
>> Hello,
>>
>> I'm trying to configure ServerRADSEC to send the certificate chain, but it won't
>> work :(
>>
>> <ServerRADSEC>
>>         Secret mysecret
>>         BindAddress ::,0.0.0.0
>>
>>         UseTLS
>>         TLS_CAFile /etc/radiator/trusted-CA.pem
>>         TLS_CertificateType PEM
>>         TLS_CertificateFile /etc/ssl/certs/eduroom.cesnet.cz.crt
>>         TLS_PrivateKeyFile /etc/ssl/private/eduroom.cesnet.cz.key
>>         TLS_CertificateChainFile /etc/ssl/certs/TERENA_SSL_CA_2.pem
>>
>>
>> root@eduroom:/var/log/arch/radiator# cat /etc/ssl/certs/TERENA_SSL_CA_2.pem
>> -----BEGIN CERTIFICATE-----
>> -----END CERTIFICATE-----
>>
>> When a client connects, Radiator prints:
>>
>>> Thu Apr 16 11:29:29 2015: DEBUG: Stream connected to 2001:718:1:6:ea94:f6ff:fe33:651e:60211
>>> Thu Apr 16 11:29:29 2015: DEBUG: StreamTLS sessionInit for 2001:718:1:6:ea94:f6ff:fe33:651e
>>> Thu Apr 16 11:29:29 2015: ERR: StreamTLS could not create SSL: Net::SSLeay::new failed: 17482: 1 - error:140BA0C3:SSL routines:SSL_new:null ssl ctx
>>> ,Inappropriate ioctl for device
>>> Thu Apr 16 11:29:29 2015: DEBUG: New StreamServer Connection created for 2001:718:1:6:ea94:f6ff:fe33:651e:60211
>>> Thu Apr 16 11:29:29 2015: DEBUG: Stream connected to 2001:718:e:0:ea94:f6ff:fe3f:68d8:32903
>>> Thu Apr 16 11:29:29 2015: DEBUG: StreamTLS sessionInit for 2001:718:e:0:ea94:f6ff:fe3f:68d8
>>> Thu Apr 16 11:29:29 2015: ERR: StreamTLS could not create SSL: Net::SSLeay::new failed: 17482: 1 - error:140BA0C3:SSL routines:SSL_new:null ssl ctx
>>> ,Inappropriate ioctl for device
>>> Thu Apr 16 11:29:29 2015: DEBUG: New StreamServer Connection created for 2001:718:e:0:ea94:f6ff:fe3f:68d8:32903
>>> Thu Apr 16 11:29:30 2015: DEBUG: Stream connected to 195.113.187.22:46764
>>> Thu Apr 16 11:29:30 2015: DEBUG: StreamTLS sessionInit for 195.113.187.22
>>> Thu Apr 16 11:29:30 2015: ERR: StreamTLS could not create SSL: Net::SSLeay::new failed: 17482: 1 - error:140BA0C3:SSL routines:SSL_new:null ssl ctx
>>> ,Inappropriate ioctl for device
>>
>> Without TLS_CertificateChainFile everything works fine.
>>
>> Thanks for any help
>> --
>> -----------------------
>> Jan Tomasek aka Semik
>> http://www.tomasek.cz/
>> _______________________________________________
>> radiator mailing list
>> radiator@open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator

--
-----------------------
Jan Tomasek aka Semik
http://www.tomasek.cz/
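The thread above never settles what Radiator does with TLS_CertificateChainFile, so a useful first step is to check the PEM files themselves the way a RadSec peer will evaluate them: does the private key belong to the server certificate, what is actually in the chain file and in which order, and can a path be built from the server certificate through that chain to a trust anchor. The script below is an added example written for this page; it is not code from the thread, from Radiator, or from either poster. It assumes only that the openssl(1) CLI is installed; every file path and the host name are illustrative.

```sh
#!/bin/sh
# Added example, not code from the Radiator thread or from Radiator itself.
# Sanity-checks the PEM files a ServerRADSEC clause points at (certificate,
# private key, intermediate chain, trusted CA file) before blaming the config.
# Assumes the openssl(1) CLI is installed; every path below is illustrative.

# Split a PEM bundle ($1) into one file per certificate ($2/cert-NN.pem),
# preserving file order.
pem_split() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%02d.pem", dir, n) }
        f != ""                       { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
    ' "$1"
}

# Number of certificates in a PEM bundle (prints 0 when there are none).
pem_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Subject and issuer of every certificate in a bundle, in file order. In a
# chain file each certificate's issuer should be the subject of the next one.
pem_list() {
    dir=$(mktemp -d)
    pem_split "$1" "$dir"
    for f in "$dir"/cert-*.pem; do
        [ -e "$f" ] || break
        openssl x509 -in "$f" -noout -subject -issuer
    done
    rm -rf "$dir"
}

# Succeeds when private key $2 belongs to certificate $1: the public key
# extracted from each must be identical in PEM form.
key_matches_cert() {
    a=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    b=$(openssl pkey -in "$2" -pubout)        || return 1
    [ "$a" = "$b" ]
}

# Approximates what a RadSec peer does: build a path from the server
# certificate ($3) through the intermediates the server would send ($2) to a
# trust anchor in the peer's CA file ($1). When the intermediate is missing
# from the chain file this fails with "unable to get local issuer certificate".
chain_verifies() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3"
}

# Show the chain a live RadSec server actually sends (port 2083 by default).
# Needs network access, so it is not exercised offline.
probe_server() {
    openssl s_client -connect "$1:${2:-2083}" -showcerts </dev/null 2>/dev/null \
        | sed -n '/^Certificate chain/,/^---/p'
}

# Run all offline checks: check_radsec_files CAfile chainfile certfile keyfile
check_radsec_files() {
    ca=$1; chain=$2; cert=$3; key=$4
    echo "chain file $chain holds $(pem_count "$chain") certificate(s):"
    pem_list "$chain"
    if key_matches_cert "$cert" "$key"; then
        echo "private key matches $cert"
    else
        echo "KEY MISMATCH between $cert and $key"
    fi
    chain_verifies "$ca" "$chain" "$cert"
}
```

With the layout from the original question this would be run as `check_radsec_files /etc/radiator/trusted-CA.pem /etc/ssl/certs/TERENA_SSL_CA_2.pem /etc/ssl/certs/eduroom.cesnet.cz.crt /etc/ssl/private/eduroom.cesnet.cz.key`; note that the first argument should be the trust store of the *peer* that has to validate the server, which is not necessarily the server's own TLS_CAFile. `probe_server radsec.example.org` then shows whether the intermediate really appears in the chain sent on port 2083.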