Well, I took the openssl-0.9.7 release initially, it's no beta anymore :-) I tried an OpenSSL-snapshot this time,
and modified the FreeRadius 0.8.1 Makefile of rlm_eap_tls as you suggested.
In fact the important difference between your solution and mine is that you included -lcrypto in the final build (since it's in the Makefile),
and I only modified the configure script... Well, close, but not enough of course ;-)
Under FreeBSD I modified the configuration-script so that -lcrypto and -lssl are in the Makefile by default, and that works too.
Now that this part is working, I guess I still have a problem with my Certificates:
------------------------------------------------------------------------------------------
modcall: group authorize returns updated
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
rlm_eap: Request not found in the list
rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
modcall[authenticate]: module "eap" returns invalid
modcall: group authenticate returns invalid
auth: Failed to validate the user.
TLS_accept: before/accept initialization
<<< TLS 1.0 Handshake [length 0041], ClientHello
TLS_accept: SSLv3 read client hello A
>>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
>>> TLS 1.0 Handshake [length 02cf], Certificate
TLS_accept: SSLv3 write certificate A
>>> TLS 1.0 Handshake [length 00ab], CertificateRequest
TLS_accept: SSLv3 write certificate request A
TLS_accept: SSLv3 flush data
TLS_accept:error in SSLv3 read client certificate A
rlm_eap_tls: SSL_read Error
Error code is ..... 2
SSL Error ..... 2
modcall[authenticate]: module "eap" returns ok
------------------------------------------------------------------------------------------
And a bit later:
------------------------------------------------------------------------------------------
modcall: group authorize returns updated
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
rlm_eap: Request not found in the list
rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
modcall[authenticate]: module "eap" returns invalid
modcall: group authenticate returns invalid
auth: Failed to validate the user.
------------------------------------------------------------------------------------------
Hmm, I'll try to create new certificates, maybe there is something wrong with the DN I supplied. The DN of the root is the hostname of the Radius server, as is the DN of the Radius-server certificate itself. The client just has the username as DN; the other parameters are kept the same.
If I get any problems on that, or if you know any possible cause of the error message above I'd love to hear.
Thank you,
Paul
Artur Hecker wrote:
hi,
you seem to use a version of openssl which is too old. you need openssl
0.9.7beta or newer. there seems to be some minor problem disturbing you
since you seem to know what you are doing. i can only say that it
definitely works with FR 0.8.1 and some newer openssl snapshot on
debian. you were just unlucky.
now, simply do the following:
- install the newest openssl development snapshot from their CVS in some
dir (/usr/local/openssl, e.g.)
- run configure script in your FR 0.8.1
- go to src/modules/rlm_eap/types/rlm_eap_tls and make manual changes to
the Makefile:
update the target, the paths to the openssl libs
(/usr/local/openssl/...) and the LIBS variable. you are right, you have
to add -lcrypto, e.g. like this:
TARGET = rlm_eap_tls
SRCS = rlm_eap_tls.c eap_tls.c cb.c tls.c mppe_keys.c
RLM_CFLAGS = $(INCLTDL) -I../.. -I/usr/local/openssl/include
HEADERS = eap_tls.h
RLM_INSTALL =
RLM_LDFLAGS += -L/usr/local/openssl/lib
RLM_LIBS += -lssl -lcrypto
$(STATIC_OBJS): $(HEADERS)
$(DYNAMIC_OBJS): $(HEADERS)
RLM_DIR=../../
include ${RLM_DIR}../rules.mak
now make and make install your freeradius. it should work now. if it
doesn't paste the error here. if it says it can't find some files,
please have a look which file (strace...) or make an ldd on the libs.
you DON'T need any configure options like static etc., at least not at a
standard newer debian machine.
ciao
artur
ps s. below
modcall: group authorize returns updated
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
rlm_eap: processing type tls
/usr/libexec/ld-elf.so.1: /usr/local/lib/rlm_eap_tls-0.8.1.so: Undefined
symbol "SSL_set_msg_callback_arg"
I searched (with google) for this "symbol" and found two references to
this list, but couldn't get a working solution from there.
When I look at the libraries needed by rlm_eap_tls:
#ldd rlm_eap_tls-0.8.1.so
rlm_eap_tls-0.8.1.so:
libcrypto.so.3 => /usr/lib/libcrypto.so.3 (0x2812c000)
libc.so.4 => /usr/lib/libc.so.4 (0x28069000)
I see that it uses the correct and up-to-date versions of openssl:
#strings /usr/lib/libcrypto.so.3 | grep "0.9." | head -n 1
OpenSSL 0.9.7 31 Dec 2002
#strings /usr/lib/libssl.so | grep "0.9." | head -n 1
SSLv2 part of OpenSSL 0.9.7 31 Dec 2002
After some other attempts that failed I tried to install everything on a
Linux machine (Debian 3.0):
For building freeradius with EAP/TLS I had to modify the configure
script in the rlm_eap/types/rlm_eap_tls directory, so
I had to add "-lcrypto" for the New_SSL check -> LIBS="$LIBS -lssl
-lcrypto"
After building (which looked ok) I can't start radiusd at all:
Module: Loaded eap
eap: default_eap_type = "tls"
eap: timer_expire = 60
rlm_eap: Failed to link EAP-Type/tls: file not found
radiusd.conf[572]: eap: Module instantiation failed.
you can investigate here, this is not a real problem, take a look what's
wrong. which file isn't found???
--
_____________________________________________________________________
Artur Hecker Groupe Accès et Mobilité
hecker[at]enst[dot]fr Département Informatique et Réseaux
+33 1 45 81 7507 46, rue Barrault 75634 Paris cedex 13
http://www.infres.enst.fr ENST Paris
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
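
The "make an ldd on the libs" check suggested in the thread can be scripted. The following is an added example, not part of the original messages or of FreeRADIUS: a shell function that reads ldd output on stdin and reports whether libssl and libcrypto (the two libraries named in RLM_LIBS) are listed and resolved. The function names and the second sample's library paths are assumptions.

```shell
#!/bin/sh
# Added example: audit ldd output of a module that is built with "-lssl -lcrypto".
# Prints one finding per line; returns 0 only if every required library is
# listed by ldd and resolved to a file.
check_openssl_deps() {
    # Arguments: library name prefixes that must appear (default: libssl libcrypto).
    [ $# -gt 0 ] || set -- libssl libcrypto
    awk -v want="$*" '
        BEGIN { n = split(want, req, " "); bad = 0 }
        # Dependency lines look like: "libfoo.so.N => /path/libfoo.so.N (0x...)"
        $2 == "=>" {
            for (i = 1; i <= n; i++)
                if (index($1, req[i] ".so") == 1) {
                    seen[req[i]] = 1
                    if ($3 == "not") { print "UNRESOLVED " $1; bad = 1 }
                    else             { print "OK " $1 " " $3 }
                }
        }
        END {
            for (i = 1; i <= n; i++)
                if (!(req[i] in seen)) { print "MISSING " req[i]; bad = 1 }
            exit bad
        }'
}

# ldd output as quoted in the thread: libssl does not appear in the list.
sample_from_thread() {
    cat <<'EOF'
rlm_eap_tls-0.8.1.so:
	libcrypto.so.3 => /usr/lib/libcrypto.so.3 (0x2812c000)
	libc.so.4 => /usr/lib/libc.so.4 (0x28069000)
EOF
}

# Constructed sample (paths and addresses are assumptions): the same module
# after a rebuild with RLM_LDFLAGS/RLM_LIBS pointing at /usr/local/openssl.
sample_relinked() {
    cat <<'EOF'
rlm_eap_tls-0.8.1.so:
	libssl.so.0.9.7 => /usr/local/openssl/lib/libssl.so.0.9.7 (0x00000000)
	libcrypto.so.0.9.7 => /usr/local/openssl/lib/libcrypto.so.0.9.7 (0x00000000)
	libc.so.6 => /lib/libc.so.6 (0x00000000)
EOF
}

# Demo on the thread's output; on a real system: ldd rlm_eap_tls-0.8.1.so | check_openssl_deps
sample_from_thread | check_openssl_deps || echo "not every required library is linked"
```

The resolved paths in the OK lines also show which OpenSSL installation the module picks up at run time, which matters when an older copy is still present in /usr/lib.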
