FreeRadius EAP-TLS questions


FreeRadius EAP-TLS questions

Hamid Salim
Hello,
Two part question:
1. Is it critical to have certificates, dh and random files in
etc/raddb/certs directory for eap-tls to work.
2. Is it ok to generate random file as date > random

thanks a lot.
Hamid.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: FreeRadius EAP-TLS questions

Kris Benson
FreeRadius users mailing list <[hidden email]> on
August 9, 2005 at 10:54 -0800 wrote:
>Hello,
>Two part question:
>1. Is it critical to have certificates, dh and random files in
>etc/raddb/certs directory for eap-tls to work.
>2. Is it ok to generate random file as date > random

1. Yes, sort of.  You can put it in a different directory if you change
the eap.conf entries.

2. No. This is the correct way:

To generate the dh file you can use a function that comes with openssl

openssl dhparam -check -text -5 512 -out dh

This will generate a 512 Diffie-Hellman key named dh.
Move this file to /etc/mycerts/

mv dh /etc/mycerts/.

To generate a random file you will need a short C program using openssl
libraries.  Paste this text into a file named 'random.c':
----8< cut---
#include <stdio.h>
#include <openssl/rand.h>

int main(void) {
    unsigned char buf[100];
    /* RAND_bytes returns 1 on success; anything else means no usable randomness */
    if (RAND_bytes(buf, sizeof buf) != 1) {
        fprintf(stderr, "RAND_bytes failed\n");
        return 1;
    }
    /* write the raw bytes: printf("%s") would stop at the first zero byte */
    fwrite(buf, 1, sizeof buf, stdout);
    return 0;
}
----8< cut---

Compile it like this: gcc random.c -o random -lcrypto

It will generate a 32-bit LSB executable named random; try it with ./random.

Move this file to /etc/mycerts/:
mv random /etc/mycerts/.

-kb
--
Kris Benson, CCP, I.S.P.
Technical Analyst, District Projects
School District #57 (Prince George)


Re: FreeRadius EAP-TLS questions

Steven Simon
In reply to this post by Hamid Salim
When generating the random file, you can also do:
openssl rand -out /etc/raddb/certs/random 100

Steve


Re: FreeRadius EAP-TLS questions

Kris Benson
FreeRadius users mailing list <[hidden email]> on
August 10, 2005 at 10:50 -0800 wrote:
>When generating the random file, you can also do:
>openssl rand -out /etc/raddb/certs/random 100

You could, but then it would be the same random numbers every time it's
loaded... with this you get different random numbers every time.

-kb
--
Kris Benson, CCP, I.S.P.
Technical Analyst, District Projects
School District #57 (Prince George)

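Added example, not code from anyone in this thread: a small Python helper that does the job of `openssl rand -out ... 100` from Steve's reply (a fresh seed file from the OS CSPRNG each time it runs, written with owner-only permissions) together with the sanity check a practitioner would want for Hamid's `date > random` idea, which flags a short, all-printable, low-diversity file as a poor seed. The output path is a placeholder for `/etc/raddb/certs/random`, and the `date` sample is constructed.

```python
import os
import secrets
import string
import tempfile

SEED_LEN = 100  # byte count used in the thread (openssl rand -out ... 100)
PRINTABLE = set(string.printable.encode())

# Constructed sample of what `date > random` would put in the file.
DATE_STYLE_SEED = b"Tue Aug  9 10:54:00 PDT 2005\n"


def write_seed_file(path, length=SEED_LEN):
    """Write `length` bytes from the OS CSPRNG to `path` (mode 0600); returns the bytes."""
    data = secrets.token_bytes(length)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return data


def seed_file_problems(data, min_len=32, min_distinct=16):
    """Reasons `data` is a poor seed file; an empty list means it looks acceptable."""
    problems = []
    if len(data) < min_len:
        problems.append("too short: %d bytes (< %d)" % (len(data), min_len))
    distinct = len(set(data))
    if distinct < min_distinct:
        problems.append("low byte diversity: %d distinct values (< %d)" % (distinct, min_distinct))
    if data and all(b in PRINTABLE for b in data):
        problems.append("entirely printable text (looks like command output, not random bytes)")
    return problems


def check_seed_file(path):
    """Read a seed file from disk and return its list of problems."""
    with open(path, "rb") as f:
        return seed_file_problems(f.read())


def demo():
    """Write a fresh seed file into a temp dir and check it; returns (problems, size)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "random")  # placeholder for /etc/raddb/certs/random
        data = write_seed_file(path)
        return check_seed_file(path), len(data)
```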