*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
*
* Copyright 2001 hereUare Communications, Inc. <raghud@hereuare.com>
* Copyright 2003 Alan DeKok <aland@freeradius.org>
*/
-#include "autoconf.h"
+#include <freeradius-devel/autoconf.h>
#include "eap_tls.h"
#ifdef HAVE_OPENSSL_RAND_H
offsetof(EAP_TLS_CONF, dh_key_length), NULL, "512" },
{ "verify_depth", PW_TYPE_INTEGER,
offsetof(EAP_TLS_CONF, verify_depth), NULL, "0" },
- { "CA_path", PW_TYPE_STRING_PTR,
+ { "CA_path", PW_TYPE_FILENAME,
offsetof(EAP_TLS_CONF, ca_path), NULL, NULL },
{ "pem_file_type", PW_TYPE_BOOLEAN,
offsetof(EAP_TLS_CONF, file_type), NULL, "yes" },
- { "private_key_file", PW_TYPE_STRING_PTR,
+ { "private_key_file", PW_TYPE_FILENAME,
offsetof(EAP_TLS_CONF, private_key_file), NULL, NULL },
- { "certificate_file", PW_TYPE_STRING_PTR,
+ { "certificate_file", PW_TYPE_FILENAME,
offsetof(EAP_TLS_CONF, certificate_file), NULL, NULL },
- { "CA_file", PW_TYPE_STRING_PTR,
+ { "CA_file", PW_TYPE_FILENAME,
offsetof(EAP_TLS_CONF, ca_file), NULL, NULL },
{ "private_key_password", PW_TYPE_STRING_PTR,
offsetof(EAP_TLS_CONF, private_key_password), NULL, NULL },
type = SSL_FILETYPE_ASN1;
}
- /* Load the CAs we trust */
- if (!SSL_CTX_load_verify_locations(ctx, conf->ca_file, conf->ca_path)) {
- ERR_print_errors_fp(stderr);
- radlog(L_ERR, "rlm_eap_tls: Error reading Trusted root CA list");
- return NULL;
- }
- SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(conf->ca_file));
-
/*
* Set the password to load private key
*/
SSL_CTX_set_default_passwd_cb(ctx, cbtls_password);
}
- /* Load our keys and certificates*/
- if (!(SSL_CTX_use_certificate_file(ctx, conf->certificate_file, type))) {
+ /*
+ * Load our keys and certificates
+ *
+ * If certificates are of type PEM then we can make use
+ * of cert chain authentication using openssl api call
+ * SSL_CTX_use_certificate_chain_file. Please see how
+ * the cert chain needs to be given in PEM from
+ * openSSL.org
+ */
+ if (type == SSL_FILETYPE_PEM) {
+ radlog(L_INFO, "rlm_eap_tls: Loading the certificate file as a chain");
+ if (!(SSL_CTX_use_certificate_chain_file(ctx, conf->certificate_file))) {
+ ERR_print_errors_fp(stderr);
+ radlog(L_ERR, "rlm_eap_tls: Error reading certificate file");
+ return NULL;
+ }
+
+ } else if (!(SSL_CTX_use_certificate_file(ctx, conf->certificate_file, type))) {
ERR_print_errors_fp(stderr);
radlog(L_ERR, "rlm_eap_tls: Error reading certificate file");
return NULL;
}
+
+ /* Load the CAs we trust */
+ if (!SSL_CTX_load_verify_locations(ctx, conf->ca_file, conf->ca_path)) {
+ ERR_print_errors_fp(stderr);
+ radlog(L_ERR, "rlm_eap_tls: Error reading Trusted root CA list");
+ return NULL;
+ }
+ SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(conf->ca_file));
+
if (!(SSL_CTX_use_PrivateKey_file(ctx, conf->private_key_file, type))) {
ERR_print_errors_fp(stderr);
radlog(L_ERR, "rlm_eap_tls: Error reading private key file");
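Review bot: The return value of `SSL_load_client_CA_file(conf->ca_file)` on the moved `SSL_CTX_set_client_CA_list` line is still unchecked; when the file cannot be parsed (or `CA_file` is unset, whose default is NULL in the table above) the call yields NULL, which `SSL_CTX_set_client_CA_list` accepts silently, so the server advertises an empty acceptable-CA list and the misconfiguration only surfaces as a client-side failure. Bind the result and fail like the neighbouring checks: `STACK_OF(X509_NAME) *client_cas = SSL_load_client_CA_file(conf->ca_file);` then `if (!client_cas) { ERR_print_errors_fp(stderr); radlog(L_ERR, "rlm_eap_tls: Error loading client CA list"); return NULL; }` before `SSL_CTX_set_client_CA_list(ctx, client_cas);`. The two new error paths (chain-file and CA-list checks) `return NULL` without freeing `ctx`, matching the pre-existing paths; unless the caller releases it, every misconfiguration leaks the SSL_CTX. The chain branch also reuses the single-certificate message `Error reading certificate file`; `Error reading certificate chain file` would tell an operator which loader ran. The enclosing function starts and ends outside the hunk.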