RE: FR 1.1.6 EAP - TLS rlm_eap_tls: TLS 1.0 Alert [length 0002], fatal bad_certificate

2007-04-29 Thread Remy de Ruysscher
Hi David,

Thanks for your help! I use the port version of FR and also use portupgrade.

The FreeBSD base OpenSSL is indeed rather old, so I did have OpenSSL
(With_overwrite_Base) already installed from the ports.

I found something wrong with the server certificates (very strange, because
nothing has been altered). I don't know what this means (yet).
I'm rebuilding my OpenSSL port with make clean  make reinstall and have
removed all files in /usr/local/etc/raddb. So FR the port will install a
clean version.

Then I will compare files manually and see what changes there have been.

---

defiant.unix.asp.com.pem:
/C=NL/ST=Utrecht/L=Utrecht/O=UNIX-ASP.COM/OU=Support/CN=unix-asp.com/emailAd
[EMAIL PROTECTED]
error 18 at 0 depth lookup:self signed certificate
/C=NL/ST=Utrecht/L=Utrecht/O=UNIX-ASP.COM/OU=Support/CN=unix-asp.com/emailAd
[EMAIL PROTECTED]
error 7 at 0 depth lookup:certificate signature failure
25385:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/rsa/rsa_pk1.c:100:
25385:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/rsa/rsa_eay.c:625:
25385:error:0D089006:asn1 encoding routines:ASN1_verify:EVP lib:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/asn1/a_verify.c:162:

Regards,
Remy.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of David Wood
Sent: zondag 29 april 2007 0:38
To: FreeRadius users mailing list
Subject: Re: FR 1.1.6 EAP - TLS rlm_eap_tls:  TLS 1.0 Alert [length 0002], fatal bad_certificate

Hi Remy and everyone,

In message [EMAIL PROTECTED], Remy de Ruysscher [EMAIL PROTECTED] writes
> I just upgraded FR 1.1.4 to 1.1.6 on FreeBSD 6.1. And FR has always
> worked wonderfully for me in the past.

I'm the maintainer of the FreeBSD port. My 6.2-RELEASE-p2 i386 system 
uses EAP-TLS - and it works fine, so it is probably something with your 
setup. I'm assuming you're using the port - though you didn't say so 
specifically.


I use the OpenSSL port - and suggest you do too, as the version of 
OpenSSL in the base system is rather old. If you've got the OpenSSL port 
installed, the FreeRADIUS port will notice and make use of it 
automatically. The package, meanwhile, uses the base OpenSSL. If you 
install the OpenSSL port, you'll need to rebuild the FreeRADIUS port for 
FreeRADIUS to use it.

If you have portupgrade installed, and want to switch to using the 
OpenSSL port, try:

portupgrade -N security/openssl
portupgrade -f net/freeradius
/usr/local/etc/rc.d/radius start


I suggest you also rebuild any other ports that use OpenSSL if you've 
installed the OpenSSL port for the first time. Use portupgrade -f or 
similar.


Of course, it could be that your server certificate is actually bad. Do 
the results of:

openssl verify -CAfile demoCA/cacert.pem -verbose cert-srv.pem

and

openssl x509 -in cert-srv.pem -noout -text

look OK?


You may need to adjust the filenames according to your environment - I'm 
presuming that you're in your raddb certificates folder.

If you have the OpenSSL port installed, I suggest you explicitly use 
/usr/local/bin/openssl instead of openssl in the commands above.


The handling of raddb upgrading has changed significantly from version 
1.1.4 of the port to 1.1.6. It's just possible that your certificates 
have got stomped on if they are in /usr/local/etc/raddb/certs (adjusted 
accordingly if you have a non-standard ${PREFIX}), but I can't think 
why, as the script is fairly careful in checking before overwriting 
anything in raddb.

That said, the new behaviour on uninstallation is to check any files in 
raddb against the distribution, and delete unmodified files. On 
installation, it copies the distribution files to raddb unless there's 
already a file of the same name. It's possible that your upgrade to 
1.1.6 has created mixed versions (new uncustomised files and your 
customisations based on a rather older version of FreeRADIUS) - and 
that's introduced a problem, though I feel this is unlikely.


My favourite is either there's something wrong with your server 
certificate, or it's a problem with the base system OpenSSL that you can 
cure by moving to the OpenSSL port.

I'd be interested to know how you get on, particularly if the problem 
turns out to be something different.



If you want a tarball of the 1.1.4 port, email me - I can pull out the 
last version of 1.1.4 from my local Subversion repository before I 
upgraded the port to 1.1.5. There were a lot of fixes in the 1.1.4 
timeframe - there was a 1.1.4 port on 15 January 2007, 1.1.4_1 on 18 
January 2007, and a rewrap of 1.1.4_1 on 23 January 2007.

The 15 January - 18 January transition merely disabled rlm_sql_firebird 
(otherwise the port failed to build with experimental modules disabled). 
The 18 January - 23 January 2007 update contained a bunch of fixes
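The certificate checks David suggests above, packaged as an added self-contained example (this is not code from the list posts or from the FreeRADIUS port): it generates throw-away test certificates in a temporary directory, then wraps `openssl verify`, a subject dump, and a key/certificate modulus comparison in small shell functions. The OPENSSL variable, the file names and the subject names are assumptions; on FreeBSD with the OpenSSL port installed, run it with OPENSSL=/usr/local/bin/openssl to exercise the port build rather than the base-system copy.

```shell
#!/bin/sh
# Added example, not from the list posts or the FreeRADIUS port: wraps the
# certificate checks suggested in the thread in shell functions and exercises
# them against throw-away certificates generated here (constructed fixtures).
set -eu

# Assumption: OPENSSL names the binary under test. On FreeBSD with the port
# installed, set OPENSSL=/usr/local/bin/openssl to avoid the base-system copy.
OPENSSL="${OPENSSL:-openssl}"

# make_fixtures DIR: a CA, a server certificate signed by it, and a second CA
# that carries the same name but an unrelated key (the "wrong trust anchor").
make_fixtures() {
    dir="$1"
    "$OPENSSL" req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Test CA" \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" >/dev/null 2>&1
    "$OPENSSL" req -newkey rsa:2048 -nodes -subj "/CN=radius.example.test" \
        -keyout "$dir/srvkey.pem" -out "$dir/srv.csr" >/dev/null 2>&1
    "$OPENSSL" x509 -req -days 365 -in "$dir/srv.csr" -CA "$dir/cacert.pem" \
        -CAkey "$dir/cakey.pem" -CAcreateserial -out "$dir/cert-srv.pem" >/dev/null 2>&1
    "$OPENSSL" req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Test CA" \
        -keyout "$dir/wrongkey.pem" -out "$dir/wrongca.pem" >/dev/null 2>&1
}

# verify_chain CAFILE CERT: exit 0 if CERT chains to CAFILE, non-zero otherwise.
verify_chain() {
    "$OPENSSL" verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# verify_reason CAFILE CERT: the verifier's own diagnostics, which is where
# messages such as "self signed certificate" or "certificate signature
# failure" appear; the exact wording depends on the OpenSSL version.
verify_reason() {
    "$OPENSSL" verify -CAfile "$1" "$2" 2>&1 || true
}

# cert_subject CERT: the subject name, to confirm the file is the one intended.
cert_subject() {
    "$OPENSSL" x509 -in "$1" -noout -subject
}

# key_matches_cert KEY CERT: exit 0 if the RSA modulus in KEY equals the one in
# CERT. rlm_eap_tls loads both certificate_file and private_key_file, so a
# mismatched pair is worth ruling out before suspecting the library build.
key_matches_cert() {
    k=$("$OPENSSL" rsa -in "$1" -noout -modulus 2>/dev/null || true)
    c=$("$OPENSSL" x509 -in "$2" -noout -modulus 2>/dev/null || true)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Demo run against the constructed fixtures.
demo() {
    t=$(mktemp -d)
    make_fixtures "$t"
    cert_subject "$t/cert-srv.pem"
    if verify_chain "$t/cacert.pem" "$t/cert-srv.pem"; then
        echo "server certificate chains to the right CA"
    fi
    if ! verify_chain "$t/wrongca.pem" "$t/cert-srv.pem"; then
        echo "verification against the wrong CA fails, as it should:"
        verify_reason "$t/wrongca.pem" "$t/cert-srv.pem"
    fi
    if key_matches_cert "$t/srvkey.pem" "$t/cert-srv.pem"; then
        echo "server key matches server certificate"
    fi
    rm -rf "$t"
}

demo
```

Pointing verify_chain at a real raddb certs directory (for example `verify_chain demoCA/cacert.pem cert-srv.pem`) reproduces David's first command; a certificate that is self-signed, or whose signature does not check out under the CA's public key, fails in verify_chain and the reason is printed by verify_reason.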

FR 1.1.6 EAP - TLS rlm_eap_tls: TLS 1.0 Alert [length 0002], fatal bad_certificate

2007-04-28 Thread Remy de Ruysscher
Hi,

I just upgraded FR 1.1.4 to 1.1.6 on FreeBSD 6.1. And FR has always worked
wonderfully for me in the past.

I saw in the changelog something about terminating the SSL session in EAP on
errors. 

What can I do to fix this error?

Regards,

Remy.

--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.0.1.250:3072, id=1, length=256
User-Name = [EMAIL PROTECTED]
NAS-IP-Address = 10.0.1.250
Called-Station-Id = 0012176fb399
Calling-Station-Id = 0013022105d3
NAS-Identifier = 0012176fb399
NAS-Port = 55
Framed-MTU = 1400
State = 0x99e6bf386c1693ffe99cc51011c78c22
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x0201006e0d800064160301005f015b030146338b7df93bc3ecee992b73b782861f
b83b032ad4e5d0e367a50e96a5f4d07e3400390038003500160013000a00330032002f00
6600050004006500640063006200610060001500120009001400110008000600030100
Message-Authenticator = 0xd1dcd23d54281665000ddf314423cf61
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module preprocess returns ok for request 1
radius_xlat:  '/var/log/radacct/10.0.1.250/auth-detail-20070428'
rlm_detail: /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radacct/10.0.1.250/auth-detail-20070428
  modcall[authorize]: module auth_log returns ok for request 1
  modcall[authorize]: module chap returns noop for request 1
  modcall[authorize]: module mschap returns noop for request 1
rlm_realm: Looking up realm unix-asp.com for User-Name = [EMAIL PROTECTED]
rlm_realm: No such realm unix-asp.com
  modcall[authorize]: module suffix returns noop for request 1
  rlm_eap: EAP packet type response id 1 length 110
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 1
users: Matched entry DEFAULT at line 152
  modcall[authorize]: module files returns ok for request 1
modcall: leaving group authorize (returns updated) for request 1
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
  rlm_eap_tls:  TLS 1.0 Handshake [length 005f], ClientHello
TLS_accept: SSLv3 read client hello A
  rlm_eap_tls:  TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
  rlm_eap_tls:  TLS 1.0 Handshake [length 02ca], Certificate
TLS_accept: SSLv3 write certificate A
  rlm_eap_tls:  TLS 1.0 Handshake [length 00a9], CertificateRequest
TLS_accept: SSLv3 write certificate request A
TLS_accept: SSLv3 flush data
TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
  eaptls_process returned 13
  modcall[authenticate]: module eap returns handled for request 1
modcall: leaving group authenticate (returns handled) for request 1
Sending Access-Challenge of id 1 to 10.0.1.250 port 3072
EAP-Message =
0x010203d60d8003cc160301004a0246030146338b7ad2b5446adeec2e4c5dbeebbf
060ca75333f41f2cd07136ceb4f1e16020c03cc6c37f378e3a121feb1d2b2ff0720a72311530
9f56d0f8db9efb1334024f00350016030102ca0b0002c60002c30002c0308202bc30820225a0
0302010202020122300d06092a864886f70d0101050500308196310b3009060355040613024e
4c3110300e06035504081307557472656368743110300e060355040713075574726563687431
153013060355040a130c554e49582d4153502e434f4d3110300e060355040b1307537570706f
7274311530130603550403130c756e69782d6173702e636f6d31
EAP-Message =
0x23302106092a864886f70d0109011614737570706f727440756e69782d6173702e636f6d30
1e170d3037303432383137343331325a170d3038303432373137343331325a308196310b3009
060355040613024e4c3110300e06035504081307557472656368743110300e06035504071307
5574726563687431153013060355040a130c554e49582d4153502e434f4d3110300e06035504
0b1307537570706f7274311530130603550403130c756e69782d6173702e636f6d3123302106
092a864886f70d0109011614737570706f727440756e69782d6173702e636f6d30819f300d06
092a864886f70d010101050003818d0030818902818100c4d9ff
EAP-Message =
0x25696b959b20ce440ea32876f9083badb184a2a86c2269205ca4442c6c386546face2e2ec0
5b6a0af3d11094e0fe389198023ee39fafb456de6832483e99c29231034840334c91ccafeb80
f7bd019f3493977c03b7e8ed7824395ec401a2f5eb1540db144670038cc6ca8308c982ac3038
1da8228a479740e4049ef8870203010001a317301530130603551d25040c300a06082b060105
05070301300d06092a864886f70d010105050003818100741dcc0890f8e7cb9651648a76005c

FreeRadius daily build fails on FreeBSD?

2006-05-25 Thread Remy de Ruysscher

On FreeBSD I get these errors after ./configure and make:

radius_snmp.c:176: warning: (near initialization for `radiusauth_variables[4]')
radius_snmp.c:177: warning: initialization makes pointer from integer without a cast
radius_snmp.c:177: warning: excess elements in struct initializer
radius_snmp.c:177: warning: (near initialization for `radiusauth_variables[5]')
radius_snmp.c:177: warning: excess elements in struct initializer
radius_snmp.c:177: warning: (near initialization for `radiusauth_variables[5]')
radius_snmp.c:177: warning: excess elements in struct initializer
radius_snmp.c:177: warning: (near initialization for `radiusauth_variables[5]')
radius_snmp.c:177: error: extra brace group at end of initializer
radius_snmp.c:177: error: (near initialization for `radiusauth_variables[5]')
radius_snmp.c:177: warning: excess elements in struct initializer
radius_snmp.c:177: warning: (near initialization for `radiusauth_variables[5]')
radius_snmp.c:178: warning: initialization makes pointer from integer without a cast
radius_snmp.c:178: warning: excess elements in struct initializer
radius_snmp.c:178: warning: (near initialization for `radiusauth_variables[6]')
radius_snmp.c:178: warning: excess elements in struct initializer
radius_snmp.c:178: warning: (near initialization for `radiusauth_variables[6]')
radius_snmp.c:178: warning: excess elements in struct initializer
radius_snmp.c:178: warning: (near initialization for `radiusauth_variables[6]')
radius_snmp.c:178: error: extra brace group at end of initializer
radius_snmp.c:178: error: (near initialization for `radiusauth_variables[6]')
radius_snmp.c:178: warning: excess elements in struct initializer
radius_snmp.c:178: warning: (near initialization for `radiusauth_variables[6]')
radius_snmp.c:179: warning: initialization makes pointer from integer without a cast
radius_snmp.c:179: warning: excess elements in struct initializer
radius_snmp.c:179: warning: (near initialization for `radiusauth_variables[7]')
radius_snmp.c:179: warning: excess elements in struct initializer
radius_snmp.c:179: warning: (near initialization for `radiusauth_variables[7]')
radius_snmp.c:179: warning: excess elements in struct initializer
radius_snmp.c:179: warning: (near initialization for `radiusauth_variables[7]')
radius_snmp.c:179: error: extra brace group at end of initializer
radius_snmp.c:179: error: (near initialization for `radiusauth_variables[7]')
radius_snmp.c:179: warning: excess elements in struct initializer
radius_snmp.c:179: warning: (near initialization for `radiusauth_variables[7]')
radius_snmp.c:180: warning: initialization makes pointer from integer without a cast
radius_snmp.c:180: warning: excess elements in struct initializer
radius_snmp.c:180: warning: (near initialization for `radiusauth_variables[8]')
radius_snmp.c:180: warning: excess elements in struct initializer
radius_snmp.c:180: warning: (near initialization for `radiusauth_variables[8]')
radius_snmp.c:180: warning: excess elements in struct initializer
radius_snmp.c:180: warning: (near initialization for `radiusauth_variables[8]')
radius_snmp.c:180: error: extra brace group at end of initializer
radius_snmp.c:180: error: (near initialization for `radiusauth_variables[8]')
radius_snmp.c:180: warning: excess elements in struct initializer
radius_snmp.c:180: warning: (near initialization for `radiusauth_variables[8]')
radius_snmp.c:181: warning: initialization makes pointer from integer without a cast
radius_snmp.c:181: warning: excess elements in struct initializer
radius_snmp.c:181: warning: (near initialization for `radiusauth_variables[9]')
radius_snmp.c:181: warning: excess elements in struct initializer
radius_snmp.c:181: warning: (near initialization for `radiusauth_variables[9]')
radius_snmp.c:181: warning: excess elements in struct initializer
radius_snmp.c:181: warning: (near initialization for `radiusauth_variables[9]')
radius_snmp.c:181: error: extra brace group at end of initializer
radius_snmp.c:181: error: (near initialization for `radiusauth_variables[9]')
radius_snmp.c:181: warning: excess elements in struct initializer
radius_snmp.c:181: warning: (near initialization for `radiusauth_variables[9]')
radius_snmp.c:182: warning: initialization makes pointer from integer without a cast
radius_snmp.c:182: warning: excess elements in struct initializer
radius_snmp.c:182: warning: (near initialization for `radiusauth_variables[10]')
radius_snmp.c:182: warning: excess elements in struct initializer
radius_snmp.c:182: warning: (near initialization for `radiusauth_variables[10]')
radius_snmp.c:182: warning: excess elements in struct initializer
radius_snmp.c:182: warning: (near initialization for `radiusauth_variables[10]')
radius_snmp.c:182: error: extra brace group at end of initializer
radius_snmp.c:182: error: (near initialization for `radiusauth_variables[10]')
radius_snmp.c:182: warning: excess elements in struct initializer
radius_snmp.c:182: warning: (near initialization for

Radius core dumps (1.1.1 and 1.1.0)

2006-05-17 Thread Remy de Ruysscher

Hi,

I'm using freeradius for wireless network authentication using EAP-TLS.

I've just completed a complete reinstall of my server because I went crazy
about the freeradius core dumps. 
This has worked for almost 1 year and I have not changed a bit in the conf
or OpenSSL.

Maybe it's FreeBSD (switched to 6.1 recently and upgraded both the world,
kernel and recompiled all packages)

I'm hoping it's a user error, please tell me ;).

FreeBSD unix-asp.com 6.1-RELEASE FreeBSD 6.1-RELEASE #0: Tue May 16 19:01:49
CEST 2006 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/DEFIANT  i386

Tested with 1.1.0 and 1.1.1


remy@/usr/ports/net/freeradius: radiusd -v
radiusd: FreeRADIUS Version 1.1.0, for host , built on Mar 15 2006 at 23:52:11
Copyright (C) 2000-2003 The FreeRADIUS server project.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.

---

remy@/usr/ports/net/freeradius: radiusd -X -A
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/eap.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
 main: prefix = /usr/local
 main: localstatedir = /var
 main: logdir = /var/log
 main: libdir = /usr/local/lib
 main: radacctdir = /var/log/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /var/log/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /var/run/radiusd/radiusd.pid
 main: user = (null)
 main: group = (null)
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/local/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = (null)
 mschap: authtype = MS-CHAP
 mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = (null)
 unix: shadow = (null)
 unix: group = (null)
 unix: radwtmp = /var/log/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = tls
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = yes
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = Password: 
 gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = (null)
 tls: pem_file_type = yes
 tls: private_key_file = /usr/local/etc/raddb/certs/defiant.unix.asp.com.pem
 tls: certificate_file = /usr/local/etc/raddb/certs/defiant.unix.asp.com.pem
 tls: CA_file = /usr/local/etc/raddb/certs/root.pem
 tls: private_key_password = whatever
 tls: dh_file = /usr/local/etc/raddb/certs/dh
 tls: random_file = /usr/local/etc/raddb/certs/random
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = (null)
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: Loaded and initialized type tls
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = /usr/local/etc/raddb/huntgroups
 preprocess: hints = /usr/local/etc/raddb/hints
 preprocess: 

RE: Radius core dumps (1.1.1 and 1.1.0)

2006-05-17 Thread Remy de Ruysscher
Submitted a bug report #366. Thanks for your help. 

 -Original Message-
 From: 
 [EMAIL PROTECTED]
 g 
 [mailto:[EMAIL PROTECTED]
 adius.org] On Behalf Of Alan DeKok
 Sent: woensdag 17 mei 2006 16:33
 To: FreeRadius users mailing list
 Subject: Re: Radius core dumps (1.1.1 and 1.1.0)
 
 Remy de Ruysscher [EMAIL PROTECTED] wrote:
  Maybe it's FreeBSD (switched to 6.1 recently and upgraded both the 
  world, kernel and recompiled all packages)
 
   I wouldn't be surprised.
 
   See doc/bugs for how to deal with core dumps.
 
   Alan DeKok.
 -
 List info/subscribe/unsubscribe? See 
 http://www.freeradius.org/list/users.html
 

