For our PEAP and TTLS EAP methods, we don't use client certificates, so we'd like to avoid specifying an EAPTLS_CAFile (or CAPath) setting altogether. But if I omit it (or try something nefarious like EAPTLS_CAFile /dev/null), auth always fails with the error:
ERR: TLS could not load_verify_locations , :

or

ERR: TLS could not load_verify_locations /dev/null, :

Additionally, we are seeing the root certificate from the EAPTLS_CAFile added to the certificate chain sent to the client during TLS negotiation. This is expected behavior if you use EAPTLS_CertificateFile (it's essentially openssl filling out the chain for you), but we are using EAPTLS_CertificateChainFile, which should not do so. We first noticed it because we had inadvertently left the root CA in the cert chain loaded with CertificateChainFile, and clients were getting the (unnecessary) root CA *twice*. We fixed that, so now it's down to one, but we'd still like to get it down to zero :)

This is on Radiator 4.14, Net::SSLeay 1.35, openssl 1.0.1e+patches (RHEL6). Any ideas? I might try putting in a newer Net::SSLeay version in case it's fixed there...

--
%% Christopher A. Bongaarts %% c...@umn.edu %%
%% OIT - Identity Management %% http://umn.edu/~cab %%
%% University of Minnesota %% +1 (612) 625-1809 %%

_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
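An added check (not part of the post or of Radiator) for the chain-file symptom described above: it splits a PEM bundle such as one given to EAPTLS_CertificateChainFile and counts the self-signed root certificates it carries, which a chain sent to clients should not contain. It assumes the openssl CLI is installed; the sample root and leaf certificates are generated locally as constructed input.

```shell
#!/bin/sh
# Added example, not Radiator's code. Requires the openssl CLI.

# Split a PEM bundle ($1) into one file per certificate in directory $2.
split_pem() {
    awk -v d="$2" '/-----BEGIN CERTIFICATE-----/ { n++ }
                   n > 0 { print > (d "/" n ".pem") }' "$1"
}

# Print "subject | issuer" for each certificate in the chain file, flagging
# self-signed entries (subject equals issuer), i.e. root CAs.
describe_chain() {
    dir=$(mktemp -d)
    split_pem "$1" "$dir"
    for c in "$dir"/*.pem; do
        subj=$(openssl x509 -in "$c" -noout -subject)
        iss=$(openssl x509 -in "$c" -noout -issuer)
        flag=""
        if [ "${subj#subject=}" = "${iss#issuer=}" ]; then
            flag=" [SELF-SIGNED ROOT]"
        fi
        echo "$subj | $iss$flag"
    done
    rm -rf "$dir"
}

# Echo the number of self-signed certificates in the chain file; 0 is the goal.
self_signed_count() {
    describe_chain "$1" | grep -c 'SELF-SIGNED ROOT' || true
}

# Constructed sample input: a self-signed root, a leaf it signs, and three
# chain files (leaf only, leaf + root, leaf + root twice). Echoes the directory.
make_samples() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Root CA" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=radius.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/leaf.csr" -CA "$d/root.pem" \
        -CAkey "$d/root.key" -set_serial 1 -out "$d/leaf.pem" 2>/dev/null
    cat "$d/leaf.pem" > "$d/leaf-only.pem"                        # what you want
    cat "$d/leaf.pem" "$d/root.pem" > "$d/leaf-root.pem"          # root once
    cat "$d/leaf.pem" "$d/root.pem" "$d/root.pem" > "$d/twice.pem" # root twice
    echo "$d"
}
```

Run `describe_chain /path/to/chain.pem` against the real file handed to EAPTLS_CertificateChainFile; any line flagged as a self-signed root is a certificate the client does not need.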