List: freeradius-users
Subject: Re: Freeradius and Android, TLS Internal Error
From: Matthew Newton via Freeradius-Users <freeradius-users () lists ! freeradius ! org>
Date: 2024-02-23 11:49:14
Message-ID: a7b503e7-b25f-47f4-a401-dc45405faa43 () freeradius ! org
On 23/02/2024 11:01, Lorenzo Mirabella wrote:
> ca_file = ${cadir}/fullchain.pem
A separate point, do NOT add this line.

It is the root CA that FreeRADIUS will use to verify client certificates, i.e. if a client comes along and tries to authenticate with EAP-TLS and presents a certificate from that root, they will be accepted.

Which means in your situation, anyone with a LetsEncrypt certificate will be able to authenticate. This is certainly not what you want.

For EAP-TLS, set it to a private root CA. For any other EAP type, leave it unset.
--
Matthew
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html