I've been going mad setting up FreeRADIUS for EAP/TLS. The problems seem to be mainly with OpenSSL.
My setup is:
* openssl-0.9.7a
* freeradius-snapshot-20021028
I have the certificates generated now and checked them with ./CA.sh -verify <cert>.pem, and the verification exited with OK. So I concluded it's time to proceed!
I proceeded to run the radius server using this little script from Raymond McKay (http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm#6):
#!/bin/sh -x
LD_LIBRARY_PATH=/usr/local/openssl/lib
LD_PRELOAD=/usr/local/openssl/lib/libcrypto.so
export LD_LIBRARY_PATH LD_PRELOAD
/usr/local/radius/sbin/radiusd "$@"
And I made sure to change the openssl path to my openssl-0.9.7a directory.
The following errors are issued when the script is run. The full output of the script is attached:
tls: include_length = yes
10322:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:632:Expecting: CERTIFICATE
10322:error:06065064:digital envelope routines:EVP_DecryptFinal:bad decrypt:evp_enc.c:438:
10322:error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c:421:
10322:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:ssl_rsa.c:707:
rlm_eap_tls: Error reading private key file
rlm_eap: Failed to initialize the type tls
radiusd.conf[538]: eap: Module instantiation failed.
Why does it say it can't find the "start line"? What is it expecting that I don't have?
Sorry for the attachments; I thought it better to provide all the data at once. Also included are my certificates (alex.pem is my server certificate).
Thank you
Bag Attributes
localKeyID: 87 5F 26 2A 5A E8 11 3D DB 45 8B 36 9A 9D B2 83 9C AF A0 18
subject=/C=DE/ST=Baden-W\xFCrttemburg/L=Stuttgart/O=IWN GmbH/OU=Wireless Wireless/CN=AC/[EMAIL PROTECTED]
issuer=/C=DE/ST=Baden-W\xFCrttemburg/O=Wapsol GmbH/OU=Wireless Security/CN=Ashant Chalasani/[EMAIL PROTECTED]
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
Bag Attributes
localKeyID: 87 5F 26 2A 5A E8 11 3D DB 45 8B 36 9A 9D B2 83 9C AF A0 18
Key Attributes: <No Attributes>
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,53EFE8A9390E8D59

tLobxLBnzmvyiOVSVHMtOTpIlpZZUYMQ8I29J4HVyS5GJvDY7wCXbNnwprmNO2yu
KYIip7nGnZ53sqOgnGKQchNrNfeh2d3XeSPg6vPAsohTbFdxe7qcX6GNg0ypjhem
Hs8G9ioew5Lx235e0aupSsH5Bnkxml5reyQBs+VwsfBI0mRdSCgP/GvethuT/+IT
UIHZrYoKs2CC32XPOqQsFTODtb/NcX0kV4W4L3sXythDGwbWUNzQmElxO8zLrpAM
eCaWdCICLR8/3Hgb6X+qXxyF+gSwdvETMd9ELGSVaRiA+SOP4YphTRGaBgh8gGcC
aebTrATopZuYsXDnWyJuLRf+seNppCjNtyFWlEboOz0/7y59Ah/NoVA8anSkHvww
iF/A4rkXRGaBjEsEIOh1zEASoUvud6N9Qr7VvrJWJrgBkAG0twqQPJMfGZ/0K46X
4n3e4zYYm3pNzK0r6kTDUkxPDJ6DRs73D/38xCy9N1AEYKRw0V3W0d4hhdspkQUm
0pL2gfyaSLDv9NGkDPJA20vF9exNqkDe1yosCpd/YVdsDwVLkn3iez6gP3isAByq
MHevACTEtcijsWqsFEYorNm2sxXWIzsW3YxQ4Zt9gOWZcCE9Q3rrj8Fq56ncaVCC
piZ6ZWkaMg1p47W/iux1aH82KIvybB9dKpDIMh3tI2ppJwnv3G4k/hPGdhJ0eeen
5/aPTSMcJz0GvxCYTjTWuwsugh5OvVo3x61MghYKTdOyMZzPDEPjRWh5HwgTVO4i
zYSuHUHcBy0F2HVCB4hDfbXy0xFY3CAt2cO2rSHVvbq4rB2S2EzZlw==
-----END RSA PRIVATE KEY-----
Bag Attributes
localKeyID: 3F AB 63 0F CF 86 62 14 6E 5B E6 C7 62 C2 DA EE 74 F9 D9 7C
subject=/C=DE/ST=Baden-W\xFCrttemburg/O=Wapsol GmbH/OU=Wireless Security/CN=Ashant Chalasani/[EMAIL PROTECTED]
issuer=/C=DE/ST=Baden-W\xFCrttemburg/O=Wapsol GmbH/OU=Wireless Security/CN=Ashant Chalasani/[EMAIL PROTECTED]
-----BEGIN CERTIFICATE-----
MIIDpDCCAw2gAwIBAgIBADANBgkqhkiG9w0BAQQFADCBmTELMAkGA1UEBhMCREUx
GjAYBgNVBAgUEUJhZGVuLVf8cnR0ZW1idXJnMRQwEgYDVQQKEwtXYXBzb2wgR21i
SDEaMBgGA1UECxMRV2lyZWxlc3MgU2VjdXJpdHkxGTAXBgNVBAMTEEFzaGFudCBD
aGFsYXNhbmkxITAfBgkqhkiG9w0BCQEWEndpcmVsZXNzQHdhcHNvbC5kZTAeFw0w
MzAzMjYxOTE0MTRaFw0wMzA0MjUxOTE0MTRaMIGZMQswCQYDVQQGEwJERTEaMBgG
A1UECBQRQmFkZW4tV/xydHRlbWJ1cmcxFDASBgNVBAoTC1dhcHNvbCBHbWJIMRow
GAYDVQQLExFXaXJlbGVzcyBTZWN1cml0eTEZMBcGA1UEAxMQQXNoYW50IENoYWxh
c2FuaTEhMB8GCSqGSIb3DQEJARYSd2lyZWxlc3NAd2Fwc29sLmRlMIGfMA0GCSqG
SIb3DQEBAQUAA4GNADCBiQKBgQDTbyFqVymngzyMPyiuQc3LctH8UgYlSnhBdX0o
Cj7UH3DW6pbGTj2RLt0DrGPtaw4VA1h/Q1JG+r2KxHFLVqf7yEPeJWOkdBK+4RWQ
bHCfUGTSeGRcdl/47V82SVIRBEaoVAdr//LpI2hFpHvTQG1Tm61VGm7M8okSYt+q
yRkDbQIDAQABo4H5MIH2MB0GA1UdDgQWBBR9d/gJX0hF0FXR7DkD/9tM3mDQejCB
xgYDVR0jBIG+MIG7gBR9d/gJX0hF0FXR7DkD/9tM3mDQeqGBn6SBnDCBmTELMAkG
A1UEBhMCREUxGjAYBgNVBAgUEUJhZGVuLVf8cnR0ZW1idXJnMRQwEgYDVQQKEwtX
YXBzb2wgR21iSDEaMBgGA1UECxMRV2lyZWxlc3MgU2VjdXJpdHkxGTAXBgNVBAMT
EEFzaGFudCBDaGFsYXNhbmkxITAfBgkqhkiG9w0BCQEWEndpcmVsZXNzQHdhcHNv
bC5kZYIBADAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBAUAA4GBALlGrrY5SqiA
NEodNu4TLR5+V03v81pQusxV8jMCHjLUhjYGhDj2Io9ry35iN+ELnYC/4Tdkq3fU
eNXGX31T0O+7ShOc1VmBnQN6oSzOpci2RS10XimfyKX4VPQPz0ThmgWLNO2UvZy/
0E9cesoBAkpJUYhIi26+xECi9Z5Q83NB
-----END CERTIFICATE-----
Bag Attributes
localKeyID: 3F AB 63 0F CF 86 62 14 6E 5B E6 C7 62 C2 DA EE 74 F9 D9 7C
Key Attributes: <No Attributes>
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,1900924163F85F14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-----END RSA PRIVATE KEY-----
bonsai:/etc/1x # run-radiusd -X -A
+ LD_LIBRARY_PATH=/usr/local/openssl-0.9.7a/lib
+ LD_PRELOAD=/usr/local/openssl-0.9.7a/lib/libcrypto.so
+ export LD_LIBRARY_PATH LD_PRELOAD
+ /usr/local/sbin/radiusd -X -A
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/sql.conf
main: prefix = "/usr/local"
main: localstatedir = "/usr/local/var"
main: logdir = "/usr/local/var/log/radius"
main: libdir = "/usr/local/lib"
main: radacctdir = "/usr/local/var/log/radius/radacct"
main: hostname_lookups = no
read_config_files: reading dictionary
read_config_files: reading naslist
read_config_files: reading clients
read_config_files: reading realms
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/usr/local/var/log/radius/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: servers_per_realm = 15
security: max_attributes = 200
security: reject_delay = 1
main: debug_level = 0
read_config_files: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "(null)"
unix: group = "(null)"
unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = "tls"
eap: timer_expire = 60
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "/etc/1x/alex.pem"
tls: certificate_file = "/etc/1x/alex.pem"
tls: CA_file = "/etc/1x/root.pem"
tls: private_key_password = "wapsol_sec"
tls: dh_file = "/etc/1x/DH"
tls: random_file = "/etc/1x/random"
tls: fragment_size = 1024
tls: include_length = yes
10322:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:632:Expecting: CERTIFICATE
10322:error:06065064:digital envelope routines:EVP_DecryptFinal:bad decrypt:evp_enc.c:438:
10322:error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c:421:
10322:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:ssl_rsa.c:707:
rlm_eap_tls: Error reading private key file
rlm_eap: Failed to initialize the type tls
radiusd.conf[538]: eap: Module instantiation failed.
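The two OpenSSL errors in the output above mean different things. PEM_read_bio reports "no start line" when it has read to the end of the file without finding a `-----BEGIN <type>-----` line of the type it was asked for (here "Expecting: CERTIFICATE"); EVP_DecryptFinal reports "bad decrypt" when an encrypted key block was found but the supplied passphrase did not decrypt it. The Python script below is an added example, not code from the original post, from FreeRADIUS or from OpenSSL: it walks a PEM bundle the way PEM_read_bio does (skipping text outside BEGIN/END markers, such as the "Bag Attributes" lines a pkcs12 export prepends), lists the blocks a loader would find, and flags an encrypted key so the two errors can be told apart. The sample bundle at the bottom is constructed; its bodies are placeholder bytes, not real certificates or keys.

```python
"""Inspect a PEM bundle the way OpenSSL's PEM reader walks it.

Added example (not from the original post, FreeRADIUS or OpenSSL). No
cryptography is performed: blocks are located, RFC 1421 headers (Proc-Type,
DEK-Info) and base64 bodies are parsed, and findings are reported in the terms
OpenSSL uses in its error messages.
"""
import base64
import binascii
import re
from dataclasses import dataclass, field

BEGIN_RE = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
END_RE = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")
KEY_LABELS = ("RSA PRIVATE KEY", "PRIVATE KEY", "ENCRYPTED PRIVATE KEY")
# IV length in bytes for the legacy DEK-Info ciphers written by openssl 0.9.x
DEK_IV_BYTES = {"DES-EDE3-CBC": 8, "DES-CBC": 8, "AES-128-CBC": 16, "AES-256-CBC": 16}


@dataclass
class PemBlock:
    label: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""
    problems: list = field(default_factory=list)

    @property
    def encrypted(self) -> bool:
        return self.headers.get("Proc-Type") == "4,ENCRYPTED"


def parse_pem(text: str) -> list:
    """Return every PEM block in `text`; lines outside BEGIN/END are skipped."""
    blocks, current, body_lines, in_headers = [], None, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if current is None:                       # scanning for a BEGIN line, like PEM_read_bio
            m = BEGIN_RE.match(line)
            if m:
                current, body_lines, in_headers = PemBlock(m.group(1)), [], True
            continue
        m = END_RE.match(line)
        if m:
            if m.group(1) != current.label:
                current.problems.append(f"END label {m.group(1)} differs from BEGIN {current.label}")
            try:
                current.body = base64.b64decode("".join(body_lines), validate=True)
            except binascii.Error as exc:
                current.problems.append(f"body is not valid base64: {exc}")
            blocks.append(current)
            current = None
            continue
        if in_headers and ":" in line:            # "Proc-Type: 4,ENCRYPTED", "DEK-Info: ..."
            key, value = line.split(":", 1)
            current.headers[key.strip()] = value.strip()
            continue
        in_headers = False                        # blank line or first base64 line ends headers
        if line:
            body_lines.append(line)
    if current is not None:
        current.problems.append("BEGIN without matching END line")
        blocks.append(current)
    return blocks


def diagnose(text: str) -> list:
    """Explain, in OpenSSL's error vocabulary, what a loader would find in `text`."""
    blocks, notes = parse_pem(text), []
    if not any(b.label == "CERTIFICATE" for b in blocks):
        notes.append("no CERTIFICATE block: PEM_read_bio reaches end of file and reports "
                     "'no start line ... Expecting: CERTIFICATE'")
    if not any(b.label in KEY_LABELS for b in blocks):
        notes.append("no private key block: SSL_CTX_use_PrivateKey_file reports 'no start line'")
    for b in blocks:
        notes.extend(f"{b.label}: {p}" for p in b.problems)
        if b.label == "CERTIFICATE" and b.body and b.body[0] != 0x30:
            notes.append("CERTIFICATE: decoded body does not start with a DER SEQUENCE (0x30)")
        if b.label in KEY_LABELS and b.encrypted:
            cipher, _, iv_hex = b.headers.get("DEK-Info", "").partition(",")
            notes.append(f"{b.label}: encrypted with {cipher or '?'}; a wrong passphrase shows up as "
                         "'EVP_DecryptFinal:bad decrypt', not as a missing start line")
            want = DEK_IV_BYTES.get(cipher)
            if want is None or len(iv_hex) != 2 * want or not re.fullmatch(r"[0-9A-Fa-f]+", iv_hex):
                notes.append(f"{b.label}: DEK-Info '{b.headers.get('DEK-Info')}' has an unexpected cipher or IV")
    return notes


# Constructed sample laid out like the poster's pkcs12 export: a "Bag Attributes"
# preamble, a certificate, then a DES-EDE3-CBC-encrypted key. Bodies are placeholder
# bytes (a 5-byte DER SEQUENCE and 16 arbitrary bytes), not a real certificate or key.
_CERT_B64 = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
_KEY_B64 = base64.b64encode(bytes(range(16))).decode()
SAMPLE_BUNDLE = f"""Bag Attributes
    localKeyID: 00 11 22
subject=/C=DE/O=Example/CN=radius.example.test
-----BEGIN CERTIFICATE-----
{_CERT_B64}
-----END CERTIFICATE-----
Bag Attributes
    localKeyID: 00 11 22
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

{_KEY_B64}
-----END RSA PRIVATE KEY-----
"""
# The same bundle with the certificate removed: the file shape behind "Expecting: CERTIFICATE".
SAMPLE_KEY_ONLY = re.sub(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----\n", "",
                         SAMPLE_BUNDLE, flags=re.S)

if __name__ == "__main__":
    for name, bundle in (("full bundle", SAMPLE_BUNDLE), ("key only", SAMPLE_KEY_ONLY)):
        print(f"== {name}")
        for note in diagnose(bundle):
            print(" -", note)
```

To inspect a real file, call `diagnose(open("alex.pem").read())`; a bundle that is used both as certificate_file and private_key_file, as in the configuration above, must produce both a CERTIFICATE block and a key block, and an encrypted key will only load if the configured passphrase matches.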
