Thank you for including the full debug. Here is the section from the rlm_eap_tls initialization.

Module: Instantiating eap-tls
   tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = "/usr/local/etc/raddb/certs/roots"
pem_file_type = yes
private_key_file = "/usr/local/etc/raddb/certs/servercert.pem"
certificate_file = "/usr/local/etc/raddb/certs/servercert.pem"
private_key_password = "********"
dh_file = "/usr/local/etc/raddb/certs/dh"
random_file = "/usr/local/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/usr/local/etc/raddb/certs/bootstrap"
ecdh_curve = "prime256v1"
    cache {
enable = no
lifetime = 24
max_entries = 255
    }
    verify {
    }
    ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/";
use_nonce = yes
timeout = 0
softfail = no
    }
   }

A couple of things immediately jump out at me. This is not the default configuration. First of all, there is no CA_file configured (only CA_path). You must have commented that out or deleted it. That means you can't use a bundled CA file. Secondly, the CA_path is not the default either; you've got /usr/local/etc/raddb/certs/roots. Does that directory exist? But more importantly, can radiusd execute the directory and read its contents? These are file/directory permission issues. In radiusd.conf there are user and group variables; these are the user and group, respectively, that radiusd runs as *after* it initializes. I'm not sure if OpenSSL reads the CA files before or after radiusd drops privileges from root to the user/group specified in radiusd.conf. But at the time OpenSSL reads the files it has to have permission to traverse into the directory (execute permission) and have read permission on the files to read their contents.

If you're not sure whether radiusd is reading the CA files, it's easy to verify by running radiusd under strace (hint: use -o to direct the output to a file and then search for your CA_path); you should see the directory being opened and the files being read. If there are permission problems you'll see error information in the strace output.

HTH,

John

--
John Dennis <[email protected]>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
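A way to pre-check the traverse/read permissions John describes, as an added example that is not part of the list post: it predicts, from the mode bits ls reports, whether the unprivileged user that radiusd drops to could walk down to CA_path and open the files there. The user/group names radiusd/radiusd and the CA_path value are assumptions; substitute the user = / group = values from your radiusd.conf.

```sh
#!/bin/sh
# Added example, not from the list post: predict from the mode bits that
# `ls -ld` reports whether the user/group radiusd runs as after initialization
# (user = / group = in radiusd.conf) can traverse every directory down to
# CA_path and read the files in it. radiusd/radiusd and the path are assumed;
# supplementary groups are ignored and CA_PATH must be absolute.
perm_for_user() {   # USER GROUP PATH -> the rwx triplet that applies to USER
    set -- "$1" "$2" $(ls -ld "$3" | awk '{print $1, $3, $4}')
    # now $3 = mode string (e.g. drwxr-x---), $4 = owner, $5 = group
    if [ "$4" = "$1" ]; then printf '%s\n' "$3" | cut -c2-4
    elif [ "$5" = "$2" ]; then printf '%s\n' "$3" | cut -c5-7
    else printf '%s\n' "$3" | cut -c8-10
    fi
}
can_traverse() {    # directory execute bit (x, or s/t with x set)
    case "$(perm_for_user "$1" "$2" "$3")" in ??[xst]) return 0 ;; *) return 1 ;; esac
}
can_read() {        # file read bit
    case "$(perm_for_user "$1" "$2" "$3")" in r??) return 0 ;; *) return 1 ;; esac
}
check_ca_path() {   # USER GROUP CA_PATH -> prints each problem, returns the count
    dir=""; problems=0; old_ifs=$IFS; IFS=/
    for component in $3; do
        IFS=$old_ifs
        [ -n "$component" ] || continue
        dir="$dir/$component"
        can_traverse "$1" "$2" "$dir" && continue
        echo "no execute (traverse) permission for $1 on $dir"
        problems=$((problems + 1))
    done
    IFS=$old_ifs
    for f in "$3"/*; do
        [ -f "$f" ] || continue
        can_read "$1" "$2" "$f" && continue
        echo "no read permission for $1 on $f"
        problems=$((problems + 1))
    done
    return $problems
}
# Usage: sh check_ca_path.sh radiusd radiusd /usr/local/etc/raddb/certs/roots
# To see what radiusd actually opens, follow the strace hint from the post:
#   strace -f -o /tmp/radiusd.strace radiusd -X
#   grep /usr/local/etc/raddb/certs/roots /tmp/radiusd.strace
if [ $# -eq 3 ]; then check_ca_path "$@"; fi
```

A non-zero exit status is the number of components the user could not traverse or read, each printed on its own line.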