Commit
@@ -163,26 +163,32 @@ eap { | |
# you want. | ||
# | ||
tls-config tls-common { | ||
private_key_password = whatever | ||
private_key_file = ${certdir}/server.pem | ||
|
||
# | ||
# If Private key & Certificate are located in the same file, | ||
# then private_key_file & certificate_file must contain the | ||
# same file name. | ||
# | ||
# If ca_file (below) is not used, then the certificate_file | ||
# below MUST include not only the server certificate, but ALSO | ||
# all of the CA certificates used to sign the server | ||
# certificate. | ||
# | ||
# Any certificate chain MUST be in order from server | ||
# certificate (first in the file) to intermediaries (second) to | ||
# root CA (last in the file) as per RFC 4346 (see | ||
# certificate_list | ||
# http://tools.ietf.org/html/rfc4346#section-7.4.2 ) | ||
# Multiple certificate sections may be specified to support | ||
# crypto agility with different key types. | ||
# | ||
certificate_file = ${certdir}/server.pem | ||
certificate { | ||
private_key_password = whatever | ||
private_key_file = ${certdir}/server.key | ||
|
||
# | ||
# If Private key & Certificate are located in the same file, | ||
# then private_key_file & certificate_file must contain the | ||
# same file name. | ||
# | ||
# If ca_file (below) is not used, then the certificate_file | ||
# below MUST include not only the server certificate, but ALSO | ||
# all of the CA certificates used to sign the server | ||
arr2036 (Author, Member) left an inline comment on this line; the comment text follows the hunk.
|
||
# certificate. | ||
# | ||
# Any certificate chain MUST be in order from server | ||
# certificate (first in the file) to intermediaries (second) to | ||
# root CA (last in the file) as per RFC 4346 (see | ||
# certificate_list | ||
# http://tools.ietf.org/html/rfc4346#section-7.4.2 ) | ||
# | ||
certificate_file = ${certdir}/server.pem | ||
} | ||
|
||
# | ||
# Server certificate may also be specified at runtime on a per | ||
|
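Review bot: the comment block carried into the new `certificate { }` section still instructs that the chain end with the "root CA (last in the file)" and cites RFC 4346 section 7.4.2, which is obsolete; RFC 5246 section 7.4.2 and TLS 1.3 (RFC 8446 section 4.4.2) both say the root MAY be omitted, and in an EAP exchange it only adds bytes, so reword to "server certificate first, then intermediates; omit the root CA" and update the link. The line "Multiple certificate sections may be specified to support crypto agility with different key types" also leaves open how the server picks a section for a given client, which the comment should state. Finally, the placeholder `private_key_password = whatever` now sits inside each certificate section; marking it as an example value to be replaced (or omitting the default) would reduce the chance of it shipping unchanged.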
It really SHOULD NOT contain the root CA though. Only intermediates. If the root is in the file, it will be sent in the EAP exchange, which is superfluous (the client has authoritative info on which root to trust, and has a copy; if it doesn't, it also doesn't add security to "helpfully" deliver a trust root from the one who wants to be trusted).
This is also in big red letters (well... imaginary, since RFCs don't have any markup ;-) in the EAP-TLS 1.3 RFC. And that advice has been valid ever since, not just with the introduction of 1.3.