How can I see the TLS (SSL) certificates that my RADIUS server is using, to make sure it is sending the correct certificate and chain?
I am implementing 802.1X authentication with a RADIUS server, but I have certificate acceptance problems on some supplicants (clients). I would like to see the certificates sent by the server in an easy way, similar to how you use `openssl s_client` to debug TCP TLS traffic.
You can use `eapol_test`, which is part of the `wpa_supplicant` package. You need to download the source code and compile it with `make eapol_test` (it's not built by default). It should work at least on Linux, Windows and Mac OS X (not advertised as much, but I could compile and use it on the latter).

You create a configuration file (some examples here, but I could not find an overview of all options; I think `src/eap_peer/eap_config.h` contains some), and then run the tool:

In all the output you should see the TLS certificates pass by, but you can also dump them to a file by passing the `-o` option:

If you specify the `ca_cert` option in the configuration file, the program will also do a verification of the sent chain, and you see the verification result in the output of the program (not in the file with dumped certificates).

Afterwards, you can also use the `rad_eap_test` wrapper, which returns a status output compatible with Nagios.
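The procedure above (write a config, run `eapol_test` with `-o` to dump the server chain, then look at what was sent), as an added example that is not part of the original answer. It assumes `eapol_test` is on the PATH, that `openssl` is available for reading the dumped PEM file, and that the RADIUS host, shared secret and EAP credentials are placeholders you replace; the PEAP/MSCHAPv2 config is one common choice, not the only one. The order of certificates in the dump is what the server actually sent, so a missing intermediate shows up as a short chain whose last issuer is not in your CA bundle.

```shell
#!/bin/sh
# Added example, not from the original answer. Assumes eapol_test and
# openssl are installed; RADIUS host/secret and identity are placeholders.

# Write a minimal wpa_supplicant-style config for a PEAP/MSCHAPv2 test.
# $1 = config path, $2 = CA bundle path (ca_cert enables chain verification)
write_eapol_config() {
  conf="$1"; ca="$2"
  cat > "$conf" <<EOF
network={
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="testuser"
    password="testpass"
    ca_cert="$ca"
    phase2="auth=MSCHAPV2"
}
EOF
}

# Count certificates in a PEM file (what eapol_test -o writes).
# Prints 0 instead of failing when the file has none.
count_pem_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Print the N-th certificate (1-based) of a PEM file, BEGIN to END lines.
nth_pem_cert() {
  awk -v want="$2" '/-----BEGIN CERTIFICATE-----/{c++} c==want' "$1"
}

# Show subject, issuer and validity of every certificate in the dump, in the
# order the server sent them (first should be the server's leaf certificate).
describe_chain() {
  pem="$1"
  n=$(count_pem_certs "$pem")
  i=1
  while [ "$i" -le "$n" ]; do
    echo "== certificate $i of $n =="
    nth_pem_cert "$pem" "$i" | openssl x509 -noout -subject -issuer -dates
    i=$((i+1))
  done
}

# Run one EAP exchange and dump the server chain.
# $1 = RADIUS host, $2 = shared secret, $3 = CA bundle path
run_radius_tls_check() {
  host="$1"; secret="$2"; ca="$3"
  conf=$(mktemp); dump=$(mktemp)
  write_eapol_config "$conf" "$ca"
  # -c config, -a server, -p port, -s shared secret, -o file for server chain
  # eapol_test prints SUCCESS or FAILURE at the end; the verification result
  # against ca_cert is in this output, not in the dump file.
  eapol_test -c "$conf" -a "$host" -p 1812 -s "$secret" -o "$dump" \
    || echo "eapol_test did not succeed (exit $?)"
  echo "server sent $(count_pem_certs "$dump") certificate(s)"
  describe_chain "$dump"
  rm -f "$conf" "$dump"
}

# Invoke as: sh radius_tls_check.sh run RADIUS_HOST SHARED_SECRET /path/ca.pem
if [ "${1:-}" = "run" ]; then
  run_radius_tls_check "$2" "$3" "$4"
fi
```

If the dumped chain contains only the leaf certificate, the supplicants that fail are usually the ones without the intermediate CA in their trust store; adding the intermediate to the server's certificate file is the fix on the RADIUS side.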