RE: FR 1.1.6 EAP - TLS rlm_eap_tls: TLS 1.0 Alert [length 0002], fatal bad_certificate
Hi David,

Thanks for your help! I use the port version of FR and also use portupgrade. The FreeBSD base OpenSSL is indeed rather old, so I did have OpenSSL (With_overwrite_Base) already installed from the ports.

I found something wrong with the server certificates (very strange, because nothing has been altered). I don't know what this means (yet). I'm rebuilding my OpenSSL port with make clean; make reinstall and have removed all files in /usr/local/etc/raddb, so the FR port will install a clean version. Then I will compare files manually and see what changes there have been.

---
defiant.unix.asp.com.pem: /C=NL/ST=Utrecht/L=Utrecht/O=UNIX-ASP.COM/OU=Support/CN=unix-asp.com/emailAddress=[EMAIL PROTECTED]
error 18 at 0 depth lookup:self signed certificate
/C=NL/ST=Utrecht/L=Utrecht/O=UNIX-ASP.COM/OU=Support/CN=unix-asp.com/emailAddress=[EMAIL PROTECTED]
error 7 at 0 depth lookup:certificate signature failure
25385:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/rsa/rsa_pk1.c:100:
25385:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/rsa/rsa_eay.c:625:
25385:error:0D089006:asn1 encoding routines:ASN1_verify:EVP lib:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/asn1/a_verify.c:162:

Regards,
Remy.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David Wood
Sent: Sunday 29 April 2007 0:38
To: FreeRadius users mailing list
Subject: Re: FR 1.1.6 EAP - TLS rlm_eap_tls: TLS 1.0 Alert [length 0002], fatal bad_certificate

Hi Remy and everyone,

In message [EMAIL PROTECTED], Remy de Ruysscher [EMAIL PROTECTED] writes
> I just upgraded FR 1.1.4 to 1.1.6 on FreeBSD 6.1. And FR has always worked wonderfully for me in the past.

I'm the maintainer of the FreeBSD port.
My 6.2-RELEASE-p2 i386 system uses EAP-TLS - and it works fine, so it is probably something with your setup.

I'm assuming you're using the port - though you didn't say so specifically.

I use the OpenSSL port - and suggest you do too, as the version of OpenSSL in the base system is rather old. If you've got the OpenSSL port installed, the FreeRADIUS port will notice and make use of it automatically. The package, meanwhile, uses the base OpenSSL. If you install the OpenSSL port, you'll need to rebuild the FreeRADIUS port for FreeRADIUS to use it.

If you have portupgrade installed, and want to switch to using the OpenSSL port, try:

portupgrade -N security/openssl
portupgrade -f net/freeradius
/usr/local/etc/rc.d/radius start

I suggest you also rebuild any other ports that use OpenSSL if you've installed the OpenSSL port for the first time. Use portupgrade -f or similar.

Of course, it could be that your server certificate is actually bad. Do the results of:

openssl verify -CAfile demoCA/cacert.pem -verbose cert-srv.pem

and

openssl x509 -in cert-srv.pem -noout -text

look OK? You may need to adjust the filenames according to your environment - I'm presuming that you're in your raddb certificates folder. If you have the OpenSSL port installed, I suggest you explicitly use /usr/local/bin/openssl instead of openssl in the commands above.

The handling of raddb upgrading has changed significantly from version 1.1.4 of the port to 1.1.6. It's just possible that your certificates have got stomped on if they are in /usr/local/etc/raddb/certs (adjusted accordingly if you have a non-standard ${PREFIX}), but I can't think why, as the script is fairly careful in checking before overwriting anything in raddb. That said, the new behaviour on uninstallation is to check any files in raddb against the distribution, and delete unmodified files. On installation, it copies the distribution files to raddb unless there's already a file of the same name.
It's possible that your upgrade to 1.1.6 has created mixed versions (new uncustomised files and your customisations based on a rather older version of FreeRADIUS) - and that's introduced a problem, though I feel this is unlikely.

My favourite is either there's something wrong with your server certificate, or it's a problem with the base system OpenSSL that you can cure by moving to the OpenSSL port.

I'd be interested to know how you get on, particularly if the problem turns out to be something different.

If you want a tarball of the 1.1.4 port, email me - I can pull out the last version of 1.1.4 from my local Subversion repository before I upgraded the port to 1.1.5. There were a lot of fixes in the 1.1.4 timeframe - there was a 1.1.4 port on 15 January 2007, 1.1.4_1 on 18 January 2007, and a rewrap of 1.1.4_1 on 23 January 2007. The 15 January - 18 January transition merely disabled rlm_sql_firebird (otherwise the port failed to build with experimental modules disabled). The 18 January - 23 January 2007 update contained a bunch of fixes
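What the OpenSSL output in Remy's reply actually says, shown with an added example (this is not code from the thread, from OpenSSL or from FreeRADIUS). The server certificate is self-signed, so `openssl verify` checks its signature with the public key inside the same certificate. Verifying a sha*WithRSAEncryption signature means raising the signature to the public exponent modulo n and expecting a block of the form `00 01 FF..FF 00 || DigestInfo(hash(tbsCertificate))`; OpenSSL's RSA_padding_check_PKCS1_type_1 is the step that looks for the leading `00 01`. "block type is not 01" therefore means the recovered block was random junk: either the signed bytes or the signature in the file were changed, or the public key in the file is not the one that produced the signature. A certificate whose body was altered but whose key is intact fails later, at the digest comparison. The toy key, its seeded generator and the "certificate body" below are constructed for the demo; the key size is nowhere near what a real certificate needs.

```python
"""Toy reproduction of OpenSSL's RSA PKCS#1 v1.5 signature check (added example,
not code from the FreeRADIUS thread or from OpenSSL). Key and data are constructed."""
import hashlib
import random

# DigestInfo DER prefixes (RFC 8017, section 9.2, note 1). The certificate in the
# thread uses sha1WithRSAEncryption; modern certificates use SHA-256.
DIGEST_INFO = {
    "sha1": bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
}


def _is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin; adequate for a demo key, not for a real key generator."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits, rng):
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(c, rng):
            return c


def make_toy_rsa_key(bits=512, seed=1):
    """Deterministic (seeded) toy RSA key, far too small for real use; returns (n, e, d)."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = _random_prime(bits // 2, rng), _random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return p * q, e, pow(e, -1, phi)


def _emsa_pkcs1_v15(data, hash_name, em_len):
    t = DIGEST_INFO[hash_name] + hashlib.new(hash_name, data).digest()
    if em_len < len(t) + 11:
        raise ValueError("key too small for this digest")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t


def sign(tbs, key, hash_name="sha256"):
    n, _e, d = key
    k = (n.bit_length() + 7) // 8
    em = _emsa_pkcs1_v15(tbs, hash_name, k)
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(k, "big")


def verify(tbs, sig, pub, hash_name="sha256"):
    """Return (ok, reason); the reason strings mirror the OpenSSL errors in the thread."""
    n, e = pub
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False, "wrong signature length"
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    if em[:2] != b"\x00\x01":  # RSA_padding_check_PKCS1_type_1
        return False, "block type is not 01"
    sep = em.find(b"\x00", 2)
    if sep < 10 or any(b != 0xFF for b in em[2:sep]):  # at least 8 bytes of FF
        return False, "bad padding"
    expected = DIGEST_INFO[hash_name] + hashlib.new(hash_name, tbs).digest()
    if em[sep + 1:] != expected:
        return False, "certificate signature failure (digest mismatch)"
    return True, "ok"


def demo():
    """Good signature; altered signed bytes; signature checked with the wrong key."""
    n, e, d = make_toy_rsa_key(seed=1)
    other_n, other_e, _ = make_toy_rsa_key(seed=2)
    tbs = b"constructed tbsCertificate: CN=unix-asp.com, serial 0x122"
    sig = sign(tbs, (n, e, d))
    return {
        "good": verify(tbs, sig, (n, e)),
        "body_altered": verify(tbs + b"!", sig, (n, e)),
        "wrong_key": verify(tbs, sig, (other_n, other_e)),
    }


if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(f"{case:13s} ok={ok} ({why})")
```

The "wrong_key" case is the one that matches Remy's output: the padding check fails before any digest is compared, which is why OpenSSL reports RSA_padding_check_PKCS1_type_1 and RSA_EAY_PUBLIC_DECRYPT rather than a plain mismatch. For a real PEM file the equivalent checks are `openssl verify` for the signature and comparing `openssl x509 -noout -modulus` with `openssl rsa -noout -modulus` to confirm the private key in the same file belongs to the certificate.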
FR 1.1.6 EAP - TLS rlm_eap_tls: TLS 1.0 Alert [length 0002], fatal bad_certificate
Hi,

I just upgraded FR 1.1.4 to 1.1.6 on FreeBSD 6.1. And FR has always worked wonderfully for me in the past. I saw in the changelog something about terminating the SSL session in EAP on errors. What can I do to fix this error?

Regards,
Remy.

---
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.0.1.250:3072, id=1, length=256
        User-Name = [EMAIL PROTECTED]
        NAS-IP-Address = 10.0.1.250
        Called-Station-Id = 0012176fb399
        Calling-Station-Id = 0013022105d3
        NAS-Identifier = 0012176fb399
        NAS-Port = 55
        Framed-MTU = 1400
        State = 0x99e6bf386c1693ffe99cc51011c78c22
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x0201006e0d800064160301005f015b030146338b7df93bc3ecee992b73b782861f
          b83b032ad4e5d0e367a50e96a5f4d07e3400390038003500160013000a00330032002f00
          6600050004006500640063006200610060001500120009001400110008000600030100
        Message-Authenticator = 0xd1dcd23d54281665000ddf314423cf61
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module preprocess returns ok for request 1
radius_xlat: '/var/log/radacct/10.0.1.250/auth-detail-20070428'
rlm_detail: /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radacct/10.0.1.250/auth-detail-20070428
  modcall[authorize]: module auth_log returns ok for request 1
  modcall[authorize]: module chap returns noop for request 1
  modcall[authorize]: module mschap returns noop for request 1
rlm_realm: Looking up realm unix-asp.com for User-Name = [EMAIL PROTECTED]
rlm_realm: No such realm unix-asp.com
  modcall[authorize]: module suffix returns noop for request 1
  rlm_eap: EAP packet type response id 1 length 110
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 1
users: Matched entry DEFAULT at line 152
  modcall[authorize]: module files returns ok for request 1
modcall: leaving group authorize (returns updated) for request 1
rad_check_password: Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
  eaptls_verify returned 11
    (other): before/accept initialization
    TLS_accept: before/accept initialization
  rlm_eap_tls: TLS 1.0 Handshake [length 005f], ClientHello
    TLS_accept: SSLv3 read client hello A
  rlm_eap_tls: TLS 1.0 Handshake [length 004a], ServerHello
    TLS_accept: SSLv3 write server hello A
  rlm_eap_tls: TLS 1.0 Handshake [length 02ca], Certificate
    TLS_accept: SSLv3 write certificate A
  rlm_eap_tls: TLS 1.0 Handshake [length 00a9], CertificateRequest
    TLS_accept: SSLv3 write certificate request A
    TLS_accept: SSLv3 flush data
    TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
  eaptls_process returned 13
  modcall[authenticate]: module eap returns handled for request 1
modcall: leaving group authenticate (returns handled) for request 1
Sending Access-Challenge of id 1 to 10.0.1.250 port 3072
        EAP-Message = 0x010203d60d8003cc160301004a0246030146338b7ad2b5446adeec2e4c5dbeebbf
          060ca75333f41f2cd07136ceb4f1e16020c03cc6c37f378e3a121feb1d2b2ff0720a72311530
          9f56d0f8db9efb1334024f00350016030102ca0b0002c60002c30002c0308202bc30820225a0
          0302010202020122300d06092a864886f70d0101050500308196310b3009060355040613024e
          4c3110300e06035504081307557472656368743110300e060355040713075574726563687431
          153013060355040a130c554e49582d4153502e434f4d3110300e060355040b1307537570706f
          7274311530130603550403130c756e69782d6173702e636f6d31
        EAP-Message = 0x23302106092a864886f70d0109011614737570706f727440756e69782d6173702e636f6d30
          1e170d3037303432383137343331325a170d3038303432373137343331325a308196310b3009
          060355040613024e4c3110300e06035504081307557472656368743110300e06035504071307
          5574726563687431153013060355040a130c554e49582d4153502e434f4d3110300e06035504
          0b1307537570706f7274311530130603550403130c756e69782d6173702e636f6d3123302106
          092a864886f70d0109011614737570706f727440756e69782d6173702e636f6d30819f300d06
          092a864886f70d010101050003818d0030818902818100c4d9ff
        EAP-Message = 0x25696b959b20ce440ea32876f9083badb184a2a86c2269205ca4442c6c386546face2e2ec0
          5b6a0af3d11094e0fe389198023ee39fafb456de6832483e99c29231034840334c91ccafeb80
          f7bd019f3493977c03b7e8ed7824395ec401a2f5eb1540db144670038cc6ca8308c982ac3038
          1da8228a479740e4049ef8870203010001a317301530130603551d25040c300a06082b060105
          05070301300d06092a864886f70d010105050003818100741dcc0890f8e7cb9651648a76005c
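How to read the EAP-Message bytes in a debug trace like the one above, as an added example (not code from the thread or from FreeRADIUS). Each EAP packet starts with the RFC 3748 header (code, id, length), then EAP type 13 for EAP-TLS, then an RFC 5216 flags byte (L = length included, M = more fragments, S = start), an optional 4-byte TLS message length when L is set, and finally raw TLS records; that is why the trace reports both "Length Included" and a separate ClientHello length. RADIUS splits one EAP packet over several EAP-Message attributes of at most 253 bytes, which is why the Access-Challenge shows several EAP-Message lines; they have to be concatenated before parsing. The sample packets are constructed inside the block rather than copied from the log (the hex on the page is line-wrapped and not reliable enough to feed in directly); the server flight mirrors the Access-Challenge shape in the trace, and the client alert mirrors the thread's subject line.

```python
"""Decoder for EAP-TLS framing as seen in radiusd -X output (added example; the
sample packets are constructed here, not taken from the thread)."""
import struct

EAP_CODE = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_TLS = 13
TLS_CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange",
             13: "CertificateRequest", 14: "ServerHelloDone", 16: "ClientKeyExchange",
             20: "Finished"}
ALERT = {40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
         44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
         48: "unknown_ca", 51: "decrypt_error"}


def parse_tls_records(data):
    """Split raw TLS data into records; annotate handshake type or alert."""
    records, off = [], 0
    while off < len(data):
        if len(data) - off < 5:
            raise ValueError("truncated TLS record header")
        ctype, vmaj, vmin, length = struct.unpack("!BBBH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError("truncated TLS record body")
        rec = {"type": TLS_CONTENT.get(ctype, ctype), "version": (vmaj, vmin), "length": length}
        if ctype == 22 and len(body) >= 4:
            rec["handshake"] = HANDSHAKE.get(body[0], body[0])
            rec["handshake_len"] = int.from_bytes(body[1:4], "big")
        elif ctype == 21 and length == 2:
            rec["alert"] = ("fatal" if body[0] == 2 else "warning", ALERT.get(body[1], body[1]))
        records.append(rec)
        off += 5 + length
    return records


def parse_eap_tls(pkt):
    """Parse one reassembled EAP packet; TLS records only for a complete message."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError(f"EAP length field {length} but {len(pkt)} bytes supplied")
    out = {"code": EAP_CODE.get(code, code), "id": ident, "length": length}
    if code not in (1, 2):
        return out  # Success/Failure carry no type byte
    eap_type, flags = pkt[4], pkt[5]
    if eap_type != EAP_TYPE_TLS:
        out["type"] = eap_type
        return out
    out["type"] = "EAP-TLS"
    out["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40), "S": bool(flags & 0x20)}
    off = 6
    if out["flags"]["L"]:
        out["tls_message_length"] = struct.unpack("!I", pkt[6:10])[0]
        off = 10
    fragment = pkt[off:]
    out["fragment_len"] = len(fragment)
    # A Start packet carries no data, and with M set more fragments follow;
    # only a complete message can be split into TLS records.
    incomplete = out["flags"]["M"] or out["flags"]["S"]
    out["records"] = [] if incomplete else parse_tls_records(fragment)
    return out


def reassemble(eap_message_attrs):
    """Concatenate the EAP-Message attribute values of one RADIUS packet, in order."""
    return b"".join(eap_message_attrs)


# Constructed sample traffic (same framing as the log, invented contents).
def build_eap_tls(code, ident, flags, tls_data, include_length=True):
    body = bytes([EAP_TYPE_TLS, flags | (0x80 if include_length else 0)])
    if include_length:
        body += struct.pack("!I", len(tls_data))
    body += tls_data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def tls_record(ctype, body):
    return struct.pack("!BBBH", ctype, 3, 1, len(body)) + body  # TLS 1.0 record


def handshake(hs_type, payload):
    return bytes([hs_type]) + len(payload).to_bytes(3, "big") + payload


def demo_server_flight():
    """Access-Challenge shape from the trace: ServerHello, Certificate,
    CertificateRequest, ServerHelloDone, carried as EAP-Message chunks."""
    flight = (tls_record(22, handshake(2, b"\x03\x01" + b"\x00" * 32 + b"\x00\x00\x35\x00"))
              + tls_record(22, handshake(11, b"\x00\x00\x00"))
              + tls_record(22, handshake(13, b"\x01\x01\x00\x00"))
              + tls_record(22, handshake(14, b"")))
    pkt = build_eap_tls(1, 2, 0, flight)
    attrs = [pkt[i:i + 253] for i in range(0, len(pkt), 253)]  # as RADIUS would carry it
    return parse_eap_tls(reassemble(attrs))


def demo_client_alert():
    """The client's answer in the thread's subject: fatal alert 42, bad_certificate."""
    return parse_eap_tls(build_eap_tls(2, 3, 0, tls_record(21, b"\x02\x2a")))
```

With a real trace, hex-decode the concatenated EAP-Message values of one RADIUS packet and pass the result to parse_eap_tls; a fatal Alert record of length 2 in the client's Response is the wire form of the "TLS 1.0 Alert [length 0002], fatal bad_certificate" line, and its description byte tells you which certificate check the supplicant failed.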
FreeRadius daily build fails on FreeBSD?
On FreeBSD I get these errors after ./configure and make:

radius_snmp.c:176: warning: (near initialization for `radiusauth_variables[4]')
radius_snmp.c:177: warning: initialization makes pointer from integer without a cast
radius_snmp.c:177: warning: excess elements in struct initializer
radius_snmp.c:177: warning: (near initialization for `radiusauth_variables[5]')
radius_snmp.c:177: warning: excess elements in struct initializer
radius_snmp.c:177: warning: (near initialization for `radiusauth_variables[5]')
radius_snmp.c:177: warning: excess elements in struct initializer
radius_snmp.c:177: warning: (near initialization for `radiusauth_variables[5]')
radius_snmp.c:177: error: extra brace group at end of initializer
radius_snmp.c:177: error: (near initialization for `radiusauth_variables[5]')
radius_snmp.c:177: warning: excess elements in struct initializer
radius_snmp.c:177: warning: (near initialization for `radiusauth_variables[5]')
radius_snmp.c:178: warning: initialization makes pointer from integer without a cast
radius_snmp.c:178: warning: excess elements in struct initializer
radius_snmp.c:178: warning: (near initialization for `radiusauth_variables[6]')
radius_snmp.c:178: warning: excess elements in struct initializer
radius_snmp.c:178: warning: (near initialization for `radiusauth_variables[6]')
radius_snmp.c:178: warning: excess elements in struct initializer
radius_snmp.c:178: warning: (near initialization for `radiusauth_variables[6]')
radius_snmp.c:178: error: extra brace group at end of initializer
radius_snmp.c:178: error: (near initialization for `radiusauth_variables[6]')
radius_snmp.c:178: warning: excess elements in struct initializer
radius_snmp.c:178: warning: (near initialization for `radiusauth_variables[6]')
radius_snmp.c:179: warning: initialization makes pointer from integer without a cast
radius_snmp.c:179: warning: excess elements in struct initializer
radius_snmp.c:179: warning: (near initialization for `radiusauth_variables[7]')
radius_snmp.c:179: warning: excess elements in struct initializer
radius_snmp.c:179: warning: (near initialization for `radiusauth_variables[7]')
radius_snmp.c:179: warning: excess elements in struct initializer
radius_snmp.c:179: warning: (near initialization for `radiusauth_variables[7]')
radius_snmp.c:179: error: extra brace group at end of initializer
radius_snmp.c:179: error: (near initialization for `radiusauth_variables[7]')
radius_snmp.c:179: warning: excess elements in struct initializer
radius_snmp.c:179: warning: (near initialization for `radiusauth_variables[7]')
radius_snmp.c:180: warning: initialization makes pointer from integer without a cast
radius_snmp.c:180: warning: excess elements in struct initializer
radius_snmp.c:180: warning: (near initialization for `radiusauth_variables[8]')
radius_snmp.c:180: warning: excess elements in struct initializer
radius_snmp.c:180: warning: (near initialization for `radiusauth_variables[8]')
radius_snmp.c:180: warning: excess elements in struct initializer
radius_snmp.c:180: warning: (near initialization for `radiusauth_variables[8]')
radius_snmp.c:180: error: extra brace group at end of initializer
radius_snmp.c:180: error: (near initialization for `radiusauth_variables[8]')
radius_snmp.c:180: warning: excess elements in struct initializer
radius_snmp.c:180: warning: (near initialization for `radiusauth_variables[8]')
radius_snmp.c:181: warning: initialization makes pointer from integer without a cast
radius_snmp.c:181: warning: excess elements in struct initializer
radius_snmp.c:181: warning: (near initialization for `radiusauth_variables[9]')
radius_snmp.c:181: warning: excess elements in struct initializer
radius_snmp.c:181: warning: (near initialization for `radiusauth_variables[9]')
radius_snmp.c:181: warning: excess elements in struct initializer
radius_snmp.c:181: warning: (near initialization for `radiusauth_variables[9]')
radius_snmp.c:181: error: extra brace group at end of initializer
radius_snmp.c:181: error: (near initialization for `radiusauth_variables[9]')
radius_snmp.c:181: warning: excess elements in struct initializer
radius_snmp.c:181: warning: (near initialization for `radiusauth_variables[9]')
radius_snmp.c:182: warning: initialization makes pointer from integer without a cast
radius_snmp.c:182: warning: excess elements in struct initializer
radius_snmp.c:182: warning: (near initialization for `radiusauth_variables[10]')
radius_snmp.c:182: warning: excess elements in struct initializer
radius_snmp.c:182: warning: (near initialization for `radiusauth_variables[10]')
radius_snmp.c:182: warning: excess elements in struct initializer
radius_snmp.c:182: warning: (near initialization for `radiusauth_variables[10]')
radius_snmp.c:182: error: extra brace group at end of initializer
radius_snmp.c:182: error: (near initialization for `radiusauth_variables[10]')
radius_snmp.c:182: warning: excess elements in struct initializer
radius_snmp.c:182: warning: (near initialization for
Radius core dumps (1.1.1 and 1.1.0)
Hi,

I'm using freeradius for wireless network authentication using EAP-TLS. I've just completed a complete reinstall of my server because I went crazy about the freeradius core dumps. This has worked for almost 1 year and I have not changed a bit in the conf or OpenSSL. Maybe it's FreeBSD (switched to 6.1 recently and upgraded both the world, kernel and recompiled all packages). I'm hoping it's a user error, please tell me ;).

FreeBSD unix-asp.com 6.1-RELEASE FreeBSD 6.1-RELEASE #0: Tue May 16 19:01:49 CEST 2006 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/DEFIANT i386

Tested with 1.1.0 and 1.1.1

remy@/usr/ports/net/freeradius: radiusd -v
radiusd: FreeRADIUS Version 1.1.0, for host , built on Mar 15 2006 at 23:52:11
Copyright (C) 2000-2003 The FreeRADIUS server project.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.

---
remy@/usr/ports/net/freeradius: radiusd -X -A
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
 main: prefix = /usr/local
 main: localstatedir = /var
 main: logdir = /var/log
 main: libdir = /usr/local/lib
 main: radacctdir = /var/log/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /var/log/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /var/run/radiusd/radiusd.pid
 main: user = (null)
 main: group = (null)
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/local/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = (null)
 mschap: authtype = MS-CHAP
 mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = (null)
 unix: shadow = (null)
 unix: group = (null)
 unix: radwtmp = /var/log/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = tls
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = yes
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = Password:
 gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = (null)
 tls: pem_file_type = yes
 tls: private_key_file = /usr/local/etc/raddb/certs/defiant.unix.asp.com.pem
 tls: certificate_file = /usr/local/etc/raddb/certs/defiant.unix.asp.com.pem
 tls: CA_file = /usr/local/etc/raddb/certs/root.pem
 tls: private_key_password = whatever
 tls: dh_file = /usr/local/etc/raddb/certs/dh
 tls: random_file = /usr/local/etc/raddb/certs/random
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = (null)
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: Loaded and initialized type tls
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = /usr/local/etc/raddb/huntgroups
 preprocess: hints = /usr/local/etc/raddb/hints
 preprocess:
RE: Radius core dumps (1.1.1 and 1.1.0)
Submitted a bug report #366. Thanks for your help.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alan DeKok
Sent: Wednesday 17 May 2006 16:33
To: FreeRadius users mailing list
Subject: Re: Radius core dumps (1.1.1 and 1.1.0)

Remy de Ruysscher [EMAIL PROTECTED] wrote:
> Maybe it's FreeBSD (switched to 6.1 recently and upgraded both the world, kernel and recompiled all packages)

I wouldn't be surprised. See doc/bugs for how to deal with core dumps.

Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html