eapol_test tool against other servers than freeradius

Jouni Malinen j at w1.fi
Wed Jun 18 04:31:15 EDT 2008


On Wed, Jun 18, 2008 at 09:48:08AM +0200, Dana Blanaru wrote:

> I am going to look into the errors generated by my server. But first I need
> to be sure that certificates are ok on both sides.

> But you confused me with something. You said that I don't need to set a
> server certificate for the client. But EAP-TLS requires both client and
> server certificates. On the freeradius for example I have specified the path
> of the server certificate in eap.conf file - tls module. So I guess
> eapol_test is looking after the server certificate in the case of EAP-TLS,
> right?

EAP-TLS requires that both the client and the server have a private
key and matching certificate. However, it does not require that the
client know the server certificate or vice versa prior to the TLS
handshake. Both the client and server are also configured with a trusted
CA certificate (and immediate CAs between the root CA and their own
certificate, if used). The rest of the certificates are exchanged during
the TLS handshake.

In other words, the client has to be configured with a client private
key, a client certificate, and the trusted CA certificate. The server
has to be configured with a server private key, a server certificate,
and the trusted CA certificate.

-- 
Jouni Malinen                                            PGP id EFC895FA
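
A way to confirm the certificates are consistent on both sides before debugging the server, as an added example that is not part of the original message. It builds a throwaway CA with one server and one client certificate (all file and subject names are constructed), then checks for each side that the private key matches its certificate and that the certificate chains to the trusted CA.

```shell
#!/bin/sh
# Added example; directory layout, file names and subject names are constructed.

# Create a throwaway self-signed CA in directory $1.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# Create a key and a CA-signed certificate named $2 (server|client) in $1.
make_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/$2.pem" 2>/dev/null
}

# True when private key $1 and certificate $2 carry the same public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# True when certificate $2 chains to trusted CA $1. This is the check the
# peer applies to the certificate it receives during the TLS handshake.
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# One side is ready when its own key/cert pair matches and chains to the CA.
# Arguments: CA certificate, private key, certificate.
side_ok() {
    key_matches_cert "$2" "$3" && chains_to_ca "$1" "$3"
}

demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d" && make_leaf "$d" server && make_leaf "$d" client || return 1
    for side in server client; do
        side_ok "$d/ca.pem" "$d/$side.key" "$d/$side.pem" &&
            echo "$side: key matches certificate, certificate chains to CA"
    done
    rm -rf "$d"
}
demo
```

With real files, call `side_ok` once per side, passing the CA certificate, private key and certificate that side is configured with.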

