On 03/09/2016 12:58 PM, Christopher Bongaarts wrote:
> Additionally, we are seeing the root certificate from the EAPTLS_CAFile
> added to the certificate chain sent to the client during TLS
> negotiation. This is expected behavior if you use
> EAPTLS_CertificateFile (it's essentially openssl filling out the chain
> for you), but we are using EAPTLS_CertificateChainFile, which should not
> do so. We first noticed it because we had inadvertently left the root
> CA in the cert chain loaded with CertificateChainFile, and clients were
> getting the (unnecessary) root CA *twice*. We fixed that, so now it's
> down to one, but we'd still like to get it down to zero :)

Setting EAPTLS_CAPath instead has worked fine for me (it's irrelevant, but doesn't hurt anything).

    EAPTLS_CertificateType PEM
    EAPTLS_CertificateChainFile %D/ssl/xxx.chain.pem
    EAPTLS_PrivateKeyFile %D/ssl/xxx.key
    # CAPath is irrelevant, but radiator won't load without it
    EAPTLS_CAPath %D/ssl

-- 
David Zych
Lead Network Service Engineer
University of Illinois Technology Services

_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
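
Added example (not part of the original thread and not Radiator code): a standard-library Python check for the situation described in the quoted message, a root CA left in the file given to EAPTLS_CertificateChainFile. It reports which certificates in a PEM bundle are self-issued (subject equals issuer, the usual mark of a root; the signature is not verified). All function names and the sample chain are constructed for illustration.

```python
import base64, re
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def issuer_and_subject(der):
    """Raw issuer and subject Name bytes from one DER certificate."""
    _, cert, _ = read_tlv(der, 0)   # Certificate SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)   # tbsCertificate SEQUENCE
    pos = 0
    if tbs[0] == 0xA0:              # optional [0] version field
        _, _, pos = read_tlv(tbs, pos)
    fields = []
    for _ in range(5):              # serial, sigAlg, issuer, validity, subject
        _, value, pos = read_tlv(tbs, pos)
        fields.append(value)
    return fields[2], fields[4]

def self_issued_positions(pem_text):
    """Indexes of certificates in a PEM bundle whose subject equals the issuer."""
    hits = []
    for i, m in enumerate(PEM_RE.finditer(pem_text)):
        issuer, subject = issuer_and_subject(base64.b64decode(m.group(1)))
        if issuer == subject:
            hits.append(i)
    return hits

def _tlv(tag, body):  # sample-data helper, short-form lengths only
    return bytes([tag, len(body)]) + body
def _name(cn):  # Name with a single commonName attribute
    return _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, cn.encode()))))

def sample_cert(issuer_cn, subject_cn):
    """Constructed DER skeleton (no key, no real signature), PEM-wrapped."""
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + _tlv(0x30, b"")
               + _name(issuer_cn) + _tlv(0x30, b"") + _name(subject_cn))
    der = base64.b64encode(_tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))).decode()
    return f"-----BEGIN CERTIFICATE-----\n{der}\n-----END CERTIFICATE-----\n"

# Constructed chain file: server cert, intermediate, and a root left in by mistake.
SAMPLE_CHAIN = (sample_cert("Constructed Issuing CA", "radius.example.test")
                + sample_cert("Constructed Root CA", "Constructed Issuing CA")
                + sample_cert("Constructed Root CA", "Constructed Root CA"))
```

To check a real chain file, pass its text to self_issued_positions(); an empty list means no self-issued certificate is present in the file itself.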