[Bug 1955009] Re: Freeradius 3.0.21+dfsg-3build1 fails test of moonshot-gss-eap
This bug was fixed in the package freeradius - 3.0.26~dfsg~git20220223.1.00ed0241fa-0ubuntu2

---
freeradius (3.0.26~dfsg~git20220223.1.00ed0241fa-0ubuntu2) jammy; urgency=medium

  * Fix radtest client crash when using mschap auth (LP: #1962046):
    - d/p/fix-mschap-client-crash-1.patch: load the OpenSSL legacy providers
    - d/p/fix-mschap-client-crash-2.patch: need OpenSSL3 init for MD5 too
    - d/t/test-freeradius.py: test more authentication mechanisms

 -- Andreas Hasenack  Fri, 25 Feb 2022 10:19:18 -0300

** Changed in: freeradius (Ubuntu)
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1955009

Title:
  Freeradius 3.0.21+dfsg-3build1 fails test of moonshot-gss-eap

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeradius/+bug/1955009/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1955009] Re: Freeradius 3.0.21+dfsg-3build1 fails test of moonshot-gss-eap
** Changed in: freeradius (Ubuntu)
       Status: Triaged => In Progress

** Changed in: freeradius (Ubuntu)
   Importance: Undecided => High

** Changed in: moonshot-gss-eap (Ubuntu)
       Status: Triaged => Invalid
[Bug 1955009] Re: Freeradius 3.0.21+dfsg-3build1 fails test of moonshot-gss-eap
** Merge proposal linked:
   https://code.launchpad.net/~ahasenack/ubuntu/+source/freeradius/+git/freeradius/+merge/415870
[Bug 1955009] Re: Freeradius 3.0.21+dfsg-3build1 fails test of moonshot-gss-eap
We'll try to get it out this week.
[Bug 1955009] Re: Freeradius 3.0.21+dfsg-3build1 fails test of moonshot-gss-eap
Hi,

The feature freeze is looming closer :)

Alan, is there any visibility on the 3.0.26 release?

Thanks in advance :)
[Bug 1955009] Re: Freeradius 3.0.21+dfsg-3build1 fails test of moonshot-gss-eap
** Tags added: transition-openssl3-jj
[Bug 1955009] Re: Freeradius 3.0.21+dfsg-3build1 fails test of moonshot-gss-eap
** Changed in: freeradius (Ubuntu)
    Milestone: None => ubuntu-22.04-feature-freeze
[Bug 1955009] Re: Freeradius 3.0.21+dfsg-3build1 fails test of moonshot-gss-eap
> So I now understand the OR change, just not why content_type is compared with UINT8_MAX.

The TLS specification (RFC 8446, among others) says that the ContentType field is an 8-bit value. Therefore anything past that is not a real content type, and is "invented" by OpenSSL.
[Bug 1955009] Re: Freeradius 3.0.21+dfsg-3build1 fails test of moonshot-gss-eap
> Debug: Ignoring cbtls_msg call with pseudo content type 256, version 769

These troubled me a bit. When there is a pseudo content type, the docs say the version is set to 0. From https://www.openssl.org/docs/man3.0/man3/SSL_CTX_set_msg_callback.html:

    version
        The protocol version according to which the protocol message is
        interpreted by the library such as TLS1_3_VERSION, TLS1_2_VERSION
        etc. This is set to 0 for the SSL3_RT_HEADER pseudo content type
        (see NOTES below).

But we see version set to 769, then 771. And the code was correctly checking for version 0 AND some content_type, but the patch changes that to an OR.

I then found this openssl bug, still open:
https://github.com/openssl/openssl/issues/17262
"SSL_CTX_set_msg_callback - cb function version argument in 3.0.0 does not match documentation"

So I now understand the OR change, just not why content_type is compared with UINT8_MAX. The docs say that pseudo content types have very specific values. Again from that manpage:

    content_type
        This is one of the content type values defined in the protocol
        specification (SSL3_RT_CHANGE_CIPHER_SPEC, SSL3_RT_ALERT,
        SSL3_RT_HANDSHAKE; but never SSL3_RT_APPLICATION_DATA because the
        callback will only be called for protocol messages). Alternatively
        it may be a "pseudo" content type. These pseudo content types are
        used to signal some other event in the processing of data (see
        NOTES below).

And

    Pseudo content type values may be sent at various points during the
    processing of data. The following pseudo content types are currently
    defined:

    SSL3_RT_HEADER
    (...)
    SSL3_RT_INNER_CONTENT_TYPE

All of these I found defined in /usr/include/openssl/ssl3.h:

$ grep -E "^#[[:blank:]]*define.*(SSL3_RT_CHANGE_CIPHER_SPEC|SSL3_RT_ALERT|SSL3_RT_HANDSHAKE|SSL3_RT_HEADER|SSL3_RT_INNER_CONTENT_TYPE)" -w /usr/include/openssl/ssl3.h
# define SSL3_RT_CHANGE_CIPHER_SPEC     20
# define SSL3_RT_ALERT                  21
# define SSL3_RT_HANDSHAKE              22
# define SSL3_RT_HEADER                 0x100
# define SSL3_RT_INNER_CONTENT_TYPE     0x101

While they are all less than UINT8_MAX, UINT8_MAX seems an arbitrary threshold, unless it's mentioned in some other documentation I didn't find yet.

** Bug watch added: github.com/openssl/openssl/issues #17262
   https://github.com/openssl/openssl/issues/17262
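The callback behaviour discussed in this message, and the 8-bit ContentType argument given in the reply above it, can be reproduced without linking OpenSSL. The program below is an added example written for this page; it is not FreeRADIUS or OpenSSL code. It copies the five SSL3_RT_* values from the ssl3.h grep above (so it builds without the OpenSSL headers), constructs two event streams by hand (one following the SSL_CTX_set_msg_callback manpage, where SSL3_RT_HEADER arrives with version 0, and one following the OpenSSL 3 behaviour visible in the debug log, where it arrives with 769 and then 771) and feeds both through the pre-patch and post-patch conditions from src/main/cb.c. The msg_event struct, the tracker, the event tables and every function name are assumptions made for the example; only the two conditions are taken from commit a1f5fd2.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Values copied from /usr/include/openssl/ssl3.h (quoted in this thread),
 * so this file builds without the OpenSSL headers. */
#define SSL3_RT_CHANGE_CIPHER_SPEC 20
#define SSL3_RT_ALERT              21
#define SSL3_RT_HANDSHAKE          22
#define SSL3_RT_HEADER             0x100   /* pseudo content type */
#define SSL3_RT_INNER_CONTENT_TYPE 0x101   /* pseudo content type */

/* Protocol versions as passed in the callback's version argument. */
#define TLS1_VERSION   0x0301   /* printed as 769 in the FreeRADIUS debug log */
#define TLS1_2_VERSION 0x0303   /* printed as 771 */

/* One SSL_CTX_set_msg_callback invocation reduced to the two arguments the
 * FreeRADIUS filter inspects. Hypothetical struct, not an OpenSSL type. */
typedef struct { int version; int content_type; } msg_event;

/* Condition in src/main/cb.c before the patch. */
int ignore_pseudo_old(const msg_event *e)
{
    return (e->version == 0) && (e->content_type > UINT8_MAX);
}

/* Condition after commit a1f5fd2 (quoted in this thread). */
int ignore_pseudo_new(const msg_event *e)
{
    return (e->version == 0) || (e->content_type >= UINT8_MAX);
}

/* Single-event check, used for the boundary cases below. */
int ignored_at(int (*ignore)(const msg_event *), int version, int content_type)
{
    msg_event e = { version, content_type };
    return ignore(&e);
}

/* Stand-in for the session-state tracking that runs after the filter: it
 * knows the three real protocol content types and counts anything else as
 * unknown. A pseudo record reaching it is the "breaks our tracking of the
 * SSL Session state" case the patch comment refers to. */
typedef struct { int handshake, alert, ccs, unknown; } tracker_stats;

tracker_stats run_tracker(int (*ignore)(const msg_event *),
                          const msg_event *events, size_t n)
{
    tracker_stats s = { 0, 0, 0, 0 };
    for (size_t i = 0; i < n; i++) {
        if (ignore(&events[i]))
            continue;   /* where cb.c logs "Ignoring cbtls_msg call ..." */
        switch (events[i].content_type) {
        case SSL3_RT_HANDSHAKE:          s.handshake++; break;
        case SSL3_RT_ALERT:              s.alert++;     break;
        case SSL3_RT_CHANGE_CIPHER_SPEC: s.ccs++;       break;
        default:                         s.unknown++;   break;
        }
    }
    return s;
}

/* Constructed event streams (not captured data). The OpenSSL 3 stream mirrors
 * the debug log in this thread: SSL3_RT_HEADER arrives with the negotiated
 * version (769, then 771) instead of the documented 0. */
static const msg_event openssl3_events[] = {
    { TLS1_VERSION,   SSL3_RT_HEADER },     /* before the ClientHello is parsed */
    { TLS1_2_VERSION, SSL3_RT_HANDSHAKE },  /* ClientHello */
    { TLS1_2_VERSION, SSL3_RT_HEADER },
    { TLS1_2_VERSION, SSL3_RT_HANDSHAKE },  /* ServerHello */
    { TLS1_2_VERSION, SSL3_RT_HEADER },
    { TLS1_2_VERSION, SSL3_RT_HANDSHAKE },  /* Certificate */
};

/* The same exchange as the manpage describes it: version 0 for SSL3_RT_HEADER. */
static const msg_event openssl111_events[] = {
    { 0,              SSL3_RT_HEADER },
    { TLS1_2_VERSION, SSL3_RT_HANDSHAKE },
    { 0,              SSL3_RT_HEADER },
    { TLS1_2_VERSION, SSL3_RT_HANDSHAKE },
};

#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

tracker_stats track_openssl3(int (*ignore)(const msg_event *))
{
    return run_tracker(ignore, openssl3_events, COUNT(openssl3_events));
}

tracker_stats track_openssl111(int (*ignore)(const msg_event *))
{
    return run_tracker(ignore, openssl111_events, COUNT(openssl111_events));
}

int main(void)
{
    tracker_stats a = track_openssl3(ignore_pseudo_old);
    tracker_stats b = track_openssl3(ignore_pseudo_new);
    printf("OpenSSL 3, old condition: handshake=%d unknown=%d\n", a.handshake, a.unknown);
    printf("OpenSSL 3, new condition: handshake=%d unknown=%d\n", b.handshake, b.unknown);
    printf("content_type 255 ignored: old=%d new=%d\n",
           ignored_at(ignore_pseudo_old, TLS1_2_VERSION, 255),
           ignored_at(ignore_pseudo_new, TLS1_2_VERSION, 255));
    return 0;
}
```

With the OpenSSL 3 stream the old condition lets all three SSL3_RT_HEADER records through as unknown, because their version is never 0; the new condition drops them. The last line of main shows the boundary Andreas asks about: `>= UINT8_MAX` also discards a record whose content type is exactly 255, which `> UINT8_MAX` would keep.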
[Bug 1955009] Re: Freeradius 3.0.21+dfsg-3build1 fails test of moonshot-gss-eap
> We will be releasing 3.0.26 in January to address these, and other issues. I'd suggest waiting for that.

Thanks Alan!
[Bug 1955009] Re: Freeradius 3.0.21+dfsg-3build1 fails test of moonshot-gss-eap
There are a LOT of changes required to get FreeRADIUS working with OpenSSL3. We will be releasing 3.0.26 in January to address these, and other issues. I'd suggest waiting for that.
[Bug 1955009] Re: Freeradius 3.0.21+dfsg-3build1 fails test of moonshot-gss-eap
With this patch https://github.com/FreeRADIUS/freeradius-server/commit/a1f5fd2213c0104d0e124d804ab8c210c9fedb18: From a1f5fd2213c0104d0e124d804ab8c210c9fedb18 Mon Sep 17 00:00:00 2001 From: "Alan T. DeKok" Date: Thu, 30 Dec 2021 15:31:55 -0500 Subject: [PATCH] OpenSSL3 sends invalid content types all of the time... --- src/main/cb.c | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/main/cb.c b/src/main/cb.c index 372b8fa8228..0796914b41f 100644 --- a/src/main/cb.c +++ b/src/main/cb.c 
@@ -132,11 +132,11 @@ void cbtls_msg(int write_p, int msg_version, int content_type, tls_session_t *state = (tls_session_t *)arg; /* -* OpenSSL 1.0.2 calls this function with 'pseudo' -* content types. Which breaks our tracking of -* the SSL Session state. +* OpenSSL calls this function with 'pseudo' content +* types. Which breaks our tracking of the SSL Session +* state. */ - if ((msg_version == 0) && (content_type > UINT8_MAX)) { + if ((msg_version == 0) || (content_type >= UINT8_MAX)) { DEBUG4("(TLS) Ignoring cbtls_msg call with pseudo content type %i, version %i", content_type, msg_version); return; The test passes, and it does log "Ignoring cbtls_msg call ..." multiple times: ... Fri Jan 7 13:42:19 2022 : Debug: (2) eap_ttls: Authenticate Fri Jan 7 13:42:19 2022 : Debug: (2) eap_ttls: Continuing EAP-TLS Fri Jan 7 13:42:19 2022 : Debug: (2) eap_ttls: Peer sent flags --- Fri Jan 7 13:42:19 2022 : Debug: (2) eap_ttls: [eaptls verify] = ok Fri Jan 7 13:42:19 2022 : Debug: (2) eap_ttls: Done initial handshake Fri Jan 7 13:42:19 2022 : Debug: (2) eap_ttls: (other): before SSL initialization Fri Jan 7 13:42:19 2022 : Debug: (2) eap_ttls: TLS_accept: before SSL initialization Fri Jan 7 13:42:19 2022 : Debug: Ignoring cbtls_msg call with pseudo content type 256, version 769 Fri Jan 7 13:42:19 2022 : Debug: (2) eap_ttls: TLS_accept: before SSL initialization Fri Jan 7 13:42:19 2022 : Debug: (2) eap_ttls: <<< recv TLS 1.3 [length 00b7] Fri Jan 7 13:42:19 2022 : Debug: (2) eap_ttls: TLS_accept: SSLv3/TLS read client hello Fri Jan 7 13:42:19 2022 : Debug: Ignoring cbtls_msg call with pseudo content type 256, version 771 Fri Jan 7 13:42:19 2022 : Debug: (2) eap_ttls: >>> send TLS 1.2 [length 003d] Fri Jan 7 13:42:19 2022 : Debug: (2) eap_ttls: TLS_accept: SSLv3/TLS write server hello Fri Jan 7 13:42:19 2022 : Debug: Ignoring cbtls_msg call with pseudo content type 256, version 771 Fri Jan 7 13:42:19 2022 : Debug: (2) eap_ttls: >>> send TLS 1.2 [length 0345] Fri Jan 7 
13:42:19 2022 : Debug: (2) eap_ttls: TLS_accept: SSLv3/TLS write certificate
Fri Jan  7 13:42:19 2022 : Debug: Ignoring cbtls_msg call with pseudo content type 256, version 771
Fri Jan  7 13:42:19 2022 : Debug: (2) eap_ttls: >>> send TLS 1.2  [length 014d]
Fri Jan  7 13:42:19 2022 : Debug: (2) eap_ttls: TLS_accept: SSLv3/TLS write key exchange
Fri Jan  7 13:42:19 2022 : Debug: Ignoring cbtls_msg call with pseudo content type 256, version 771
Fri Jan  7 13:42:19 2022 : Debug: (2) eap_ttls: >>> send TLS 1.2  [length 0004]
...

I thought this would also be needed https://github.com/FreeRADIUS/freeradius-server/commit/cbbbd30f84a5b2a7d435ce0da765796ee3987e21, but the test passes without it.

The point is that the current 3.0.x branch has a few more openssl-3-related commits. We can cherry-pick the one needed for this test, or all of them, or do that and wait for a 3.0.26 release and then remove the patches.
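Review bot: the new condition `(content_type >= UINT8_MAX)` in the cb.c hunk also discards a record whose content type is exactly 255, which is still inside the 8-bit ContentType range that the UINT8_MAX justification given elsewhere in this thread relies on; the pseudo types in ssl3.h start at SSL3_RT_HEADER (0x100), so the original `> UINT8_MAX` bound already matched the comment and could be kept while only the `&&` is changed to `||`. The switch to `||` also means every callback invocation with msg_version == 0 is now dropped regardless of content type; the debug lines right under the hunk show OpenSSL 3 passing 769/771 for pseudo records, so the version test no longer catches them on its own, and the rewritten comment would be clearer if it said the version check is kept for the documented (version == 0) case and pointed at the OpenSSL issue that explains why it cannot be relied on.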
[Bug 1955009] Re: Freeradius 3.0.21+dfsg-3build1 fails test of moonshot-gss-eap
I think I found the fix in the v3.0.x branch, testing.
[Bug 1955009] Re: Freeradius 3.0.21+dfsg-3build1 fails test of moonshot-gss-eap
Plain 3.0.25 didn't work, and I had to patch it because openssl3 got rid of FIPS_mode(). I didn't cherry-pick any other changes from master, but there may be others. Might try the v3.0.x branch.
[Bug 1955009] Re: Freeradius 3.0.21+dfsg-3build1 fails test of moonshot-gss-eap
Thanks Alan, I'll try that.
[Bug 1955009] Re: Freeradius 3.0.21+dfsg-3build1 fails test of moonshot-gss-eap
I would suggest trying 3.0.25. If that works, don't even bother trying to debug this. OpenSSL has minor behavior differences across a major version change.
[Bug 1955009] Re: Freeradius 3.0.21+dfsg-3build1 fails test of moonshot-gss-eap
** Changed in: freeradius (Ubuntu)
     Assignee: (unassigned) => Andreas Hasenack (ahasenack)

** Changed in: moonshot-gss-eap (Ubuntu)
     Assignee: (unassigned) => Andreas Hasenack (ahasenack)

** Changed in: moonshot-gss-eap (Ubuntu)
       Status: New => Triaged

** Changed in: freeradius (Ubuntu)
       Status: New => Triaged
[Bug 1955009] Re: Freeradius 3.0.21+dfsg-3build1 fails test of moonshot-gss-eap
Hi Sam and Alan,

> Christian> Reproducible in local autopkgtest
>
> Let me make sure I'm understanding.
> You are saying that prior to openssl 3, the test works, but with
> openssl3, the test fails?

Yes, that is correct.

> What is the ssl version in the successful tests?
> For example from the failing test we have:
> OpenSSL: TX ver=0x303 content_type=22 (handshake/client hello)

Good: 1.1.1l-1ubuntu1
Bad: 3.0.0-1ubuntu1

But to be complete, since not all components have let go of libssl1.1 we always have both ssl versions installed. Just freeradius is linking to one or the other.

Good:
ubuntu@autopkgtest:~$ dpkg -l libssl3 libssl1.1 freeradius moonshot-gss-eap
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name              Version              Architecture Description
+++-=================-====================-============-============================================================
ii  freeradius        3.0.21+dfsg-3        amd64        high-performance and highly configurable RADIUS server
ii  libssl1.1:amd64   1.1.1l-1ubuntu1      amd64        Secure Sockets Layer toolkit - shared libraries
ii  libssl3:amd64     3.0.0-1ubuntu1       amd64        Secure Sockets Layer toolkit - shared libraries
ii  moonshot-gss-eap  1.0.1-6ubuntu2       amd64        Moonshot Federated Authentication - authentication mechanism
ubuntu@autopkgtest:~$ ldd /usr/sbin/freeradius | grep ssl
        libssl.so.1.1 => /lib/x86_64-linux-gnu/libssl.so.1.1 (0x7f0d3a268000)

Bad:
ubuntu@autopkgtest:~$ dpkg -l libssl3 libssl1.1 freeradius moonshot-gss-eap
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name              Version              Architecture Description
+++-=================-====================-============-============================================================
ii  freeradius        3.0.21+dfsg-3build1  amd64        high-performance and highly configurable RADIUS server
ii  libssl1.1:amd64   1.1.1l-1ubuntu1      amd64        Secure Sockets Layer toolkit - shared libraries
ii  libssl3:amd64     3.0.0-1ubuntu1       amd64        Secure Sockets Layer toolkit - shared libraries
ii  moonshot-gss-eap  1.0.1-6ubuntu2       amd64        Moonshot Federated Authentication - authentication mechanism
ubuntu@autopkgtest:~$ ldd /usr/sbin/freeradius | grep ssl
        libssl.so.3 => /lib/x86_64-linux-gnu/libssl.so.3 (0x7f965de31000)

> What's the txver from that message in the successful test?
> Unfortunately, EAP-TTLS is a bit sensitive to the TLS protocol version
> in use for some annoying standardization reasons.

Interestingly that is the same in both:

Good: OpenSSL: TX ver=0x303 content_type=256 (TLS header info/)
Bad:  OpenSSL: TX ver=0x303 content_type=256 (TLS header info/)

But that is probably defined by moonshot, which in Ubuntu [1] had a no-change rebuild against the new openssl.

[1]: https://launchpad.net/ubuntu/+source/moonshot-gss-eap/1.0.1-6ubuntu2

> It looks like things are failing on the server side.
> The autopkgtest produces the freeradius log (which is admittedly huge)
> as a test artifact.
> Could I get a pointer to a failing freeradius log?

Yeah, I have those in my autopkgtest VMs like:
/tmp/autopkgtest.axJ2k1/gss-client-artifacts/freeradius.log

I'll attach them to the bug in the next update after I have copied them.

> I'm also going to bring this bug to the attention of Moonshot upstream.

Thank you

From here Alan's answer:

> My $0.02 is to try the head of v3.0.x. I don't recall if we put in fixes
> specifically for
> OpenSSL 3, but perhaps.
> We've also *significantly* updated the TLS debugging output. It's a lot
> clearer, and gives a
> lot more information.

I assume you mean freeradius? This is already 3.0.21+dfsg-3(build1).
[Bug 1955009] Re: Freeradius 3.0.21+dfsg-3build1 fails test of moonshot-gss-eap
** Attachment added: "freeradius-moonshot.bad.log"
   https://bugs.launchpad.net/ubuntu/+source/freeradius/+bug/1955009/+attachment/5548178/+files/freeradius-moonshot.bad.log
[Bug 1955009] Re: Freeradius 3.0.21+dfsg-3build1 fails test of moonshot-gss-eap
** Attachment added: "freeradius-moonshot.good.log"
   https://bugs.launchpad.net/ubuntu/+source/freeradius/+bug/1955009/+attachment/5548177/+files/freeradius-moonshot.good.log
[Bug 1955009] Re: Freeradius 3.0.21+dfsg-3build1 fails test of moonshot-gss-eap
My $0.02 is to try the head of v3.0.x. I don't recall if we put in fixes specifically for OpenSSL 3, but perhaps.

We've also *significantly* updated the TLS debugging output. It's a lot clearer, and gives a lot more information.
Re: [Bug 1955009] Re: Freeradius 3.0.21+dfsg-3build1 fails test of moonshot-gss-eap
> "Christian" == Christian Ehrhardt <1955...@bugs.launchpad.net> writes:

Christian> Reproducible in local autopkgtest

Let me make sure I'm understanding. You are saying that prior to openssl 3, the test works, but with openssl3, the test fails?

What is the ssl version in the successful tests? For example from the failing test we have:

OpenSSL: TX ver=0x303 content_type=22 (handshake/client hello)

What's the txver from that message in the successful test? Unfortunately, EAP-TTLS is a bit sensitive to the TLS protocol version in use for some annoying standardization reasons.

It looks like things are failing on the server side. The autopkgtest produces the freeradius log (which is admittedly huge) as a test artifact. Could I get a pointer to a failing freeradius log?

I'm also going to bring this bug to the attention of Moonshot upstream.
[Bug 1955009] Re: Freeradius 3.0.21+dfsg-3build1 fails test of moonshot-gss-eap
Reproducible in local autopkgtest

Good:
### gss_eap_shib_attr_provider::init(): Initializing ShibResolver library
### finalize_class::finalize_class(): Constructing
Sending init_sec_context token (size=81)...continue needed...
Sending init_sec_context token (size=50)...continue needed...
Sending init_sec_context token (size=42)...continue needed...
Sending init_sec_context token (size=235)...continue needed...
Sending init_sec_context token (size=42)...continue needed...
Sending init_sec_context token (size=173)...continue needed...
Sending init_sec_context token (size=99)...continue needed...
Sending init_sec_context token (size=142)...continue needed...
Sending init_sec_context token (size=42)...continue needed...
Sending init_sec_context token (size=60)...continue needed...
context flag: GSS_C_MUTUAL_FLAG
context flag: GSS_C_REPLAY_FLAG
context flag: GSS_C_SEQUENCE_FLAG
context flag: GSS_C_CONF_FLAG
context flag: GSS_C_INTEG_FLAG
"st...@test.com" to "host/localhost", lifetime -1, flags 13e, locally initiated, open
Name type of source name is { 1 2 840 113554 1 2 1 1 }.
Mechanism { 1 3 6 1 5 5 15 1 1 17 } supports 6 names
  0: { 1 2 840 113554 1 2 1 1 }
  1: { 1 2 840 113554 1 2 1 4 }
  2: { 1 3 6 1 5 6 4 }
  3: { 1 3 6 1 5 6 6 }
  4: { 1 3 6 1 5 5 15 2 1 }
  5: { 1 3 6 1 5 6 3 }
Signature verified.
### finalize_class::finalize_class(): Constructing
2021-12-16 09:44:16 WARN Shibboleth.Application : no MetadataProvider available, configure at least one for standard SSO usage
2021-12-16 09:44:16 ERROR OpenSSL : error code: 33558530 in ../crypto/bio/bss_file.c, line 288
2021-12-16 09:44:16 ERROR OpenSSL : error data: fopen('/etc/shibboleth/sp-signing-key.pem','r')
2021-12-16 09:44:16 ERROR OpenSSL : error code: 537346050 in ../crypto/bio/bss_file.c, line 290
2021-12-16 09:44:16 ERROR XMLTooling.CredentialResolver.Chaining : caught exception processing embedded CredentialResolver element: Unable to load private key from file (/etc/shibboleth/sp-signing-key.pem).
2021-12-16 09:44:16 ERROR OpenSSL : error code: 33558530 in ../crypto/bio/bss_file.c, line 288
2021-12-16 09:44:16 ERROR OpenSSL : error data: fopen('/etc/shibboleth/sp-encrypt-key.pem','r')
2021-12-16 09:44:16 ERROR OpenSSL : error code: 537346050 in ../crypto/bio/bss_file.c, line 290
2021-12-16 09:44:16 ERROR XMLTooling.CredentialResolver.Chaining : caught exception processing embedded CredentialResolver element: Unable to load private key from file (/etc/shibboleth/sp-encrypt-key.pem).
context flag: GSS_C_MUTUAL_FLAG
context flag: GSS_C_REPLAY_FLAG
context flag: GSS_C_SEQUENCE_FLAG
context flag: GSS_C_CONF_FLAG
context flag: GSS_C_INTEG_FLAG
Attribute urn:ietf:params:gss:radius-attribute 79 Authenticated Complete
03070004
Attribute urn:ietf:params:gss:radius-attribute 80 Authenticated Complete
fea2dc1b41a181201e5650cd85cf90f5
Attribute urn:ietf:params:gss:radius-attribute 1 Authenticated Complete
@test.com
40746573742e636f6d
Accepted connection: "@test.com"
Received message: "testmessage"
NOOP token
### ShibFinalizer::ShibFinalizer(): Constructing
### gssEapAttrProvidersInitInternal(): Calling gssEapSamlAttrProvidersInit()
### gssEapAttrProvidersInitInternal(): Setting gssEapAttrProvidersInitStatus to
gss_accept_sec_context: 1/0
EAP: EAP entering state RECEIVED
EAP: Received EAP-Success
EAP: Status notification: completion (param=success)
EAP: EAP entering state SUCCESS
CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
gss_init_sec_context: 1/0
gss_accept_sec_context: 0/0
gss_init_sec_context: 0/0
EAP: deinitialize previously used EAP method (21, TTLS) at EAP deinit
### ~finalize_class::~finalize_class() : initStatus=0010
### gssEapFinalize()
### ShibFinalizer::~ShibFinalizer(): Destructing
### gss_eap_shib_attr_provider::finalize(): calling ShibbolethResolver::term()
### ~finalize_class::~finalize_class() : initStatus=
### ~finalize_class::~finalize_class() : really finalizing
### gssEapFinalize()

Bad:
### finalize_class::finalize_class(): Constructing
GSS-API error accepting context: Invalid credential was supplied
GSS-API error accepting context: Authentication rejected by RADIUS server
gss_accept_sec_context: 655360/2109382925
### ~finalize_class::~finalize_class() : initStatus=0010
EAP: deinitialize previously used EAP method (21, TTLS) at EAP deinit
gss_init_sec_context: 655360/2109382925
sending token length: Broken pipe
### gssEapFinalize()
### ~finalize_class::~finalize_class() : initStatus=0010
### finalize_class::finalize_class(): Constructing
Sending init_sec_context token (size=81)...continue needed...
Sending init_sec_context token (size=50)...continue needed...
Sending init_sec_context token (size=42)...continue needed...
Sending init_sec_context token (size=235)...continue needed...
Sending init_sec_context token (size=42)...continue needed...
Sending init_sec_context token (size=173)...continue needed...
Sending init_sec_context token (size=99)...continue