[Bug 1955009] Re: Freeradius 3.0.21+dfsg-3build1 fails test of moonshot-gss-eap

2022-03-02 Thread Launchpad Bug Tracker
This bug was fixed in the package freeradius - 3.0.26~dfsg~git20220223.1.00ed0241fa-0ubuntu2

---
freeradius (3.0.26~dfsg~git20220223.1.00ed0241fa-0ubuntu2) jammy; urgency=medium

  * Fix radtest client crash when using mschap auth (LP: #1962046):
    - d/p/fix-mschap-client-crash-1.patch: load the OpenSSL legacy
      providers
    - d/p/fix-mschap-client-crash-2.patch: need OpenSSL3 init for
      MD5 too
    - d/t/test-freeradius.py: test more authentication mechanisms

 -- Andreas Hasenack   Fri, 25 Feb 2022 10:19:18 -0300

** Changed in: freeradius (Ubuntu)
   Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1955009

Title:
  Freeradius 3.0.21+dfsg-3build1 fails test of moonshot-gss-eap

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeradius/+bug/1955009/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1955009] Re: Freeradius 3.0.21+dfsg-3build1 fails test of moonshot-gss-eap

2022-02-22 Thread Andreas Hasenack
** Changed in: freeradius (Ubuntu)
   Status: Triaged => In Progress

** Changed in: freeradius (Ubuntu)
   Importance: Undecided => High

** Changed in: moonshot-gss-eap (Ubuntu)
   Status: Triaged => Invalid

[Bug 1955009] Re: Freeradius 3.0.21+dfsg-3build1 fails test of moonshot-gss-eap

2022-02-21 Thread Andreas Hasenack
** Merge proposal linked:
   https://code.launchpad.net/~ahasenack/ubuntu/+source/freeradius/+git/freeradius/+merge/415870

[Bug 1955009] Re: Freeradius 3.0.21+dfsg-3build1 fails test of moonshot-gss-eap

2022-02-16 Thread Alan DeKok
We'll try to get it out this week.

[Bug 1955009] Re: Freeradius 3.0.21+dfsg-3build1 fails test of moonshot-gss-eap

2022-02-15 Thread Simon Chopin
Hi,

The feature freeze is looming closer :)

Alan, is there any visibility on the 3.0.26 release?

Thanks in advance :)

[Bug 1955009] Re: Freeradius 3.0.21+dfsg-3build1 fails test of moonshot-gss-eap

2022-01-25 Thread Simon Chopin
** Tags added: transition-openssl3-jj

[Bug 1955009] Re: Freeradius 3.0.21+dfsg-3build1 fails test of moonshot-gss-eap

2022-01-19 Thread Robie Basak
** Changed in: freeradius (Ubuntu)
Milestone: None => ubuntu-22.04-feature-freeze

[Bug 1955009] Re: Freeradius 3.0.21+dfsg-3build1 fails test of moonshot-gss-eap

2022-01-07 Thread Alan DeKok
> So I now understand the OR change, just not why content_type is
> compared with UINT8_MAX.

The TLS specification (RFC 8446, among others) says that the ContentType
field is an 8-bit value.

Therefore anything past that is not a real content type, and is
"invented" by OpenSSL.

[Bug 1955009] Re: Freeradius 3.0.21+dfsg-3build1 fails test of moonshot-gss-eap

2022-01-07 Thread Andreas Hasenack
> Debug: Ignoring cbtls_msg call with pseudo content type 256, version 769

These troubled me a bit. When there is pseudo content type, the docs say
the version is set to 0. From
https://www.openssl.org/docs/man3.0/man3/SSL_CTX_set_msg_callback.html:

version

The protocol version according to which the protocol message is
interpreted by the library such as TLS1_3_VERSION, TLS1_2_VERSION etc.
This is set to 0 for the SSL3_RT_HEADER pseudo content type (see NOTES
below).

But we see version set to 769, then 771. And the code was correctly
checking for version 0 AND some content_type, but the patch changes that
to an OR.

I then found this openssl bug, still open:
https://github.com/openssl/openssl/issues/17262
"SSL_CTX_set_msg_callback - cb function version argument in 3.0.0 does not match documentation"

So I now understand the OR change, just not why content_type is compared
with UINT8_MAX. The docs say that pseudo content types have very
specific values. Again from that manpage:

content_type

This is one of the content type values defined in the protocol
specification (SSL3_RT_CHANGE_CIPHER_SPEC, SSL3_RT_ALERT,
SSL3_RT_HANDSHAKE; but never SSL3_RT_APPLICATION_DATA because the
callback will only be called for protocol messages). Alternatively it
may be a "pseudo" content type. These pseudo content types are used to
signal some other event in the processing of data (see NOTES below).

And

Pseudo content type values may be sent at various points during the
processing of data. The following pseudo content types are currently
defined:

SSL3_RT_HEADER
(...)
SSL3_RT_INNER_CONTENT_TYPE

All of these I found defined in /usr/include/openssl/ssl3.h:
$ grep -E "^#[[:blank:]]*define.*(SSL3_RT_CHANGE_CIPHER_SPEC|SSL3_RT_ALERT|SSL3_RT_HANDSHAKE|SSL3_RT_HEADER|SSL3_RT_INNER_CONTENT_TYPE)" -w /usr/include/openssl/ssl3.h
# define SSL3_RT_CHANGE_CIPHER_SPEC  20
# define SSL3_RT_ALERT   21
# define SSL3_RT_HANDSHAKE   22
# define SSL3_RT_HEADER  0x100
# define SSL3_RT_INNER_CONTENT_TYPE  0x101

While they are all less than UINT8_MAX, UINT8_MAX seems an arbitrary
threshold, unless it's mentioned in some other documentation I didn't
find yet.

** Bug watch added: github.com/openssl/openssl/issues #17262
   https://github.com/openssl/openssl/issues/17262
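
The filter change questioned in this message, as an added example (not FreeRADIUS or OpenSSL code): it runs the cbtls_msg condition from before and after the patch over the (version, content type) pairs logged in this thread plus a few constructed ones. The helper and table names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Content type values as listed from ssl3.h in the thread. */
#define RT_HANDSHAKE          22
#define RT_HEADER             0x100
#define RT_INNER_CONTENT_TYPE 0x101

/* Condition before the patch (hypothetical helper name). */
static int ignored_before(int msg_version, int content_type)
{
	return (msg_version == 0) && (content_type > UINT8_MAX);
}

/* Condition after the patch (hypothetical helper name). */
static int ignored_after(int msg_version, int content_type)
{
	return (msg_version == 0) || (content_type >= UINT8_MAX);
}

struct cb_call {
	int msg_version;
	int content_type;
	const char *origin;
};

/* Callback arguments: two pairs from the thread's log, the rest constructed. */
static const struct cb_call calls[] = {
	{ 0,   RT_HEADER,             "documented: header, version 0" },
	{ 769, RT_HEADER,             "thread log: type 256, version 769" },
	{ 771, RT_HEADER,             "thread log: type 256, version 771" },
	{ 771, RT_INNER_CONTENT_TYPE, "constructed: inner content type" },
	{ 771, RT_HANDSHAKE,          "constructed: real handshake record" },
	{ 771, UINT8_MAX,             "constructed: largest 8-bit value" },
};
#define NUM_CALLS (sizeof(calls) / sizeof(calls[0]))

typedef int (*filter_fn)(int msg_version, int content_type);

/* Count pseudo types (wider than 8 bits) that the filter lets through
 * to the session-state tracking code. */
static int pseudo_passed(filter_fn ignored)
{
	int n = 0;

	for (size_t i = 0; i < NUM_CALLS; i++) {
		if (calls[i].content_type > UINT8_MAX &&
		    !ignored(calls[i].msg_version, calls[i].content_type))
			n++;
	}
	return n;
}

/* Count values that fit in 8 bits but are dropped by the filter. */
static int eight_bit_dropped(filter_fn ignored)
{
	int n = 0;

	for (size_t i = 0; i < NUM_CALLS; i++) {
		if (calls[i].content_type <= UINT8_MAX &&
		    ignored(calls[i].msg_version, calls[i].content_type))
			n++;
	}
	return n;
}

int main(void)
{
	printf("%-8s %-6s %-7s %-6s %s\n",
	       "version", "type", "before", "after", "origin");
	for (size_t i = 0; i < NUM_CALLS; i++) {
		printf("%-8d %-6d %-7s %-6s %s\n",
		       calls[i].msg_version, calls[i].content_type,
		       ignored_before(calls[i].msg_version, calls[i].content_type) ? "ignore" : "pass",
		       ignored_after(calls[i].msg_version, calls[i].content_type) ? "ignore" : "pass",
		       calls[i].origin);
	}
	printf("pseudo types passed: before=%d after=%d\n",
	       pseudo_passed(ignored_before), pseudo_passed(ignored_after));
	printf("8-bit values dropped: before=%d after=%d\n",
	       eight_bit_dropped(ignored_before), eight_bit_dropped(ignored_after));
	return 0;
}
```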

[Bug 1955009] Re: Freeradius 3.0.21+dfsg-3build1 fails test of moonshot-gss-eap

2022-01-07 Thread Andreas Hasenack
> We will be releasing 3.0.26 in January to address these, and other
> issues. I'd suggest waiting for that.

Thanks Alan!

[Bug 1955009] Re: Freeradius 3.0.21+dfsg-3build1 fails test of moonshot-gss-eap

2022-01-07 Thread Alan DeKok
There are a LOT of changes required to get FreeRADIUS working with
OpenSSL3.

We will be releasing 3.0.26 in January to address these, and other
issues.  I'd suggest waiting for that.

[Bug 1955009] Re: Freeradius 3.0.21+dfsg-3build1 fails test of moonshot-gss-eap

2022-01-07 Thread Andreas Hasenack
With this patch https://github.com/FreeRADIUS/freeradius-server/commit/a1f5fd2213c0104d0e124d804ab8c210c9fedb18:

From a1f5fd2213c0104d0e124d804ab8c210c9fedb18 Mon Sep 17 00:00:00 2001
From: "Alan T. DeKok" 
Date: Thu, 30 Dec 2021 15:31:55 -0500
Subject: [PATCH] OpenSSL3 sends invalid content types all of the time...

---
 src/main/cb.c | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/main/cb.c b/src/main/cb.c
index 372b8fa8228..0796914b41f 100644
--- a/src/main/cb.c
+++ b/src/main/cb.c
@@ -132,11 +132,11 @@ void cbtls_msg(int write_p, int msg_version, int 
content_type,
tls_session_t *state = (tls_session_t *)arg;
 
/*
-*  OpenSSL 1.0.2 calls this function with 'pseudo'
-*  content types.  Which breaks our tracking of
-*  the SSL Session state.
+*  OpenSSL calls this function with 'pseudo' content
+*  types.  Which breaks our tracking of the SSL Session
+*  state.
 */
-   if ((msg_version == 0) && (content_type > UINT8_MAX)) {
+   if ((msg_version == 0) || (content_type >= UINT8_MAX)) {
DEBUG4("(TLS) Ignoring cbtls_msg call with pseudo content type 
%i, version %i",
   content_type, msg_version);
return;
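
Review bot: in the rewritten condition, "content_type >= UINT8_MAX" also treats 255 as a pseudo content type, although 255 still fits an 8-bit field; the removed line used "> UINT8_MAX", and unless 255 is meant to be excluded the comparison should stay "content_type > UINT8_MAX". The move from && to || also means every call with msg_version == 0 is now dropped whatever its content type, and the updated comment does not say why the version check can no longer be required together with the content-type check; a sentence in the comment giving that reason would help the next reader.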

The test passes, and it does log "Ignoring cbtls_msg call ..." multiple times:
...
Fri Jan  7 13:42:19 2022 : Debug: (2) eap_ttls: Authenticate
Fri Jan  7 13:42:19 2022 : Debug: (2) eap_ttls: Continuing EAP-TLS
Fri Jan  7 13:42:19 2022 : Debug: (2) eap_ttls: Peer sent flags ---
Fri Jan  7 13:42:19 2022 : Debug: (2) eap_ttls: [eaptls verify] = ok
Fri Jan  7 13:42:19 2022 : Debug: (2) eap_ttls: Done initial handshake
Fri Jan  7 13:42:19 2022 : Debug: (2) eap_ttls: (other): before SSL initialization
Fri Jan  7 13:42:19 2022 : Debug: (2) eap_ttls: TLS_accept: before SSL initialization
Fri Jan  7 13:42:19 2022 : Debug: Ignoring cbtls_msg call with pseudo content type 256, version 769
Fri Jan  7 13:42:19 2022 : Debug: (2) eap_ttls: TLS_accept: before SSL initialization
Fri Jan  7 13:42:19 2022 : Debug: (2) eap_ttls: <<< recv TLS 1.3  [length 00b7]
Fri Jan  7 13:42:19 2022 : Debug: (2) eap_ttls: TLS_accept: SSLv3/TLS read client hello
Fri Jan  7 13:42:19 2022 : Debug: Ignoring cbtls_msg call with pseudo content type 256, version 771
Fri Jan  7 13:42:19 2022 : Debug: (2) eap_ttls: >>> send TLS 1.2  [length 003d]
Fri Jan  7 13:42:19 2022 : Debug: (2) eap_ttls: TLS_accept: SSLv3/TLS write server hello
Fri Jan  7 13:42:19 2022 : Debug: Ignoring cbtls_msg call with pseudo content type 256, version 771
Fri Jan  7 13:42:19 2022 : Debug: (2) eap_ttls: >>> send TLS 1.2  [length 0345]
Fri Jan  7 13:42:19 2022 : Debug: (2) eap_ttls: TLS_accept: SSLv3/TLS write certificate
Fri Jan  7 13:42:19 2022 : Debug: Ignoring cbtls_msg call with pseudo content type 256, version 771
Fri Jan  7 13:42:19 2022 : Debug: (2) eap_ttls: >>> send TLS 1.2  [length 014d]
Fri Jan  7 13:42:19 2022 : Debug: (2) eap_ttls: TLS_accept: SSLv3/TLS write key exchange
Fri Jan  7 13:42:19 2022 : Debug: Ignoring cbtls_msg call with pseudo content type 256, version 771
Fri Jan  7 13:42:19 2022 : Debug: (2) eap_ttls: >>> send TLS 1.2  [length 0004]
...


I thought this would also be needed
https://github.com/FreeRADIUS/freeradius-server/commit/cbbbd30f84a5b2a7d435ce0da765796ee3987e21,
but the test passes without it.

The point is that current 3.0.x branch has a few more openssl-3-related
commits. We can cherry pick the one needed for this test, or all of
them, or do that and wait for a 3.0.26 release and then remove the
patches.

[Bug 1955009] Re: Freeradius 3.0.21+dfsg-3build1 fails test of moonshot-gss-eap

2022-01-06 Thread Andreas Hasenack
I think I found the fix in the v3.0.x branch, testing.

[Bug 1955009] Re: Freeradius 3.0.21+dfsg-3build1 fails test of moonshot-gss-eap

2021-12-17 Thread Andreas Hasenack
Plain 3.0.25 didn't work, and I had to patch it because openssl3 got rid
of FIPS_mode(). I didn't cherry pick any other changes from master, but
there may be others. Might try the v3.0.x branch

[Bug 1955009] Re: Freeradius 3.0.21+dfsg-3build1 fails test of moonshot-gss-eap

2021-12-17 Thread Andreas Hasenack
Thanks Alan, I'll try that

[Bug 1955009] Re: Freeradius 3.0.21+dfsg-3build1 fails test of moonshot-gss-eap

2021-12-17 Thread Alan DeKok
I would suggest trying 3.0.25. If that works, don't even bother trying
to debug this.  OpenSSL has minor behavior differences across a major
version change.

[Bug 1955009] Re: Freeradius 3.0.21+dfsg-3build1 fails test of moonshot-gss-eap

2021-12-17 Thread Andreas Hasenack
** Changed in: freeradius (Ubuntu)
 Assignee: (unassigned) => Andreas Hasenack (ahasenack)

** Changed in: moonshot-gss-eap (Ubuntu)
 Assignee: (unassigned) => Andreas Hasenack (ahasenack)

** Changed in: moonshot-gss-eap (Ubuntu)
   Status: New => Triaged

** Changed in: freeradius (Ubuntu)
   Status: New => Triaged

[Bug 1955009] Re: Freeradius 3.0.21+dfsg-3build1 fails test of moonshot-gss-eap

2021-12-16 Thread Christian Ehrhardt 
Hi Sam and Alan,

>Christian> Reproducible in local autopkgtest
>
> Let me make sure I'm understanding.
> You are saying that prior to openssl 3, the test works, but with
> openssl3, the test fails?

Yes that is correct

> What is the ssl version in the successful tests?
> For example from the failing test we have:
> OpenSSL: TX ver=0x303 content_type=22 (handshake/client hello)

Good: 1.1.1l-1ubuntu1
Bad:  3.0.0-1ubuntu1

But to be complete, since not all components have let go of libssl1.1 we
always have both ssl versions installed. Just freeradius is linking to
one or the other.

Good:
ubuntu@autopkgtest:~$ dpkg -l libssl3 libssl1.1 freeradius moonshot-gss-eap
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name             Version         Architecture Description
+++-================-===============-============-============================================================
ii  freeradius       3.0.21+dfsg-3   amd64        high-performance and highly configurable RADIUS server
ii  libssl1.1:amd64  1.1.1l-1ubuntu1 amd64        Secure Sockets Layer toolkit - shared libraries
ii  libssl3:amd64    3.0.0-1ubuntu1  amd64        Secure Sockets Layer toolkit - shared libraries
ii  moonshot-gss-eap 1.0.1-6ubuntu2  amd64        Moonshot Federated Authentication - authentication mechanism
ubuntu@autopkgtest:~$ ldd /usr/sbin/freeradius | grep ssl
libssl.so.1.1 => /lib/x86_64-linux-gnu/libssl.so.1.1 (0x7f0d3a268000)

Bad:
ubuntu@autopkgtest:~$ dpkg -l libssl3 libssl1.1 freeradius moonshot-gss-eap
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name             Version             Architecture Description
+++-================-===================-============-============================================================
ii  freeradius       3.0.21+dfsg-3build1 amd64        high-performance and highly configurable RADIUS server
ii  libssl1.1:amd64  1.1.1l-1ubuntu1     amd64        Secure Sockets Layer toolkit - shared libraries
ii  libssl3:amd64    3.0.0-1ubuntu1      amd64        Secure Sockets Layer toolkit - shared libraries
ii  moonshot-gss-eap 1.0.1-6ubuntu2      amd64        Moonshot Federated Authentication - authentication mechanism
ubuntu@autopkgtest:~$ ldd /usr/sbin/freeradius | grep ssl
libssl.so.3 => /lib/x86_64-linux-gnu/libssl.so.3 (0x7f965de31000)


> What's the txver from that message in the successful test?
> Unfortunately, EAP-TTLS is a bit sensitive to the TLS protocol version
> in use for some annoying standardization reasons.

Interestingly that is the same in both:
Good: OpenSSL: TX ver=0x303 content_type=256 (TLS header info/)
Bad:  OpenSSL: TX ver=0x303 content_type=256 (TLS header info/)

But that is probably defined by moonshot who in Ubuntu [1] had a no
change rebuild against the new openssl.

[1]: https://launchpad.net/ubuntu/+source/moonshot-gss-eap/1.0.1-6ubuntu2

> It looks like things are failing on the server side.
> The autopkgtest produces the freeradius log (which is admittedly huge)
> as a test artifact.
> Could I get a pointer to a failing freeradius log?

Yeah I have those in my autopkgtest VMs like:
  /tmp/autopkgtest.axJ2k1/gss-client-artifacts/freeradius.log
I'll attach them to the bug in the next update after I copied them.

> I'm also going to bring this bug to the attention of Moonshot
> upstream.

Thank you

From here Alan's answer:

> My $0.02 is to try the head of v3.0.x. I don't recall if we put in
> fixes specifically for OpenSSL 3, but perhaps.
> We've also *significantly* updated the TLS debugging output. It's a lot
> clearer, and gives a lot more information.

I assume you mean freeradius?
This is already 3.0.21+dfsg-3(build1)

[Bug 1955009] Re: Freeradius 3.0.21+dfsg-3build1 fails test of moonshot-gss-eap

2021-12-16 Thread Christian Ehrhardt 
** Attachment added: "freeradius-moonshot.bad.log"
   https://bugs.launchpad.net/ubuntu/+source/freeradius/+bug/1955009/+attachment/5548178/+files/freeradius-moonshot.bad.log

[Bug 1955009] Re: Freeradius 3.0.21+dfsg-3build1 fails test of moonshot-gss-eap

2021-12-16 Thread Christian Ehrhardt 
** Attachment added: "freeradius-moonshot.good.log"
   https://bugs.launchpad.net/ubuntu/+source/freeradius/+bug/1955009/+attachment/5548177/+files/freeradius-moonshot.good.log

[Bug 1955009] Re: Freeradius 3.0.21+dfsg-3build1 fails test of moonshot-gss-eap

2021-12-16 Thread Alan DeKok
My $0.02 is to try the head of v3.0.x.  I don't recall if we put in
fixes specifically for OpenSSL 3, but perhaps.

We've also *significantly* updated the TLS debugging output.  It's a lot
clearer, and gives a lot more information.

Re: [Bug 1955009] Re: Freeradius 3.0.21+dfsg-3build1 fails test of moonshot-gss-eap

2021-12-16 Thread Sam Hartman
> "Christian" == Christian Ehrhardt  <1955...@bugs.launchpad.net> writes:

Christian> Reproducible in local autopkgtest

Let me make sure I'm understanding.
You are saying that prior to openssl 3, the test works, but with
openssl3, the test fails?

What is the ssl version in the successful tests?
For example from the failing test we have:
OpenSSL: TX ver=0x303 content_type=22 (handshake/client hello)

What's the txver from that message in the successful test?
Unfortunately, EAP-TTLS is a bit sensitive to the TLS protocol version
in use for some annoying standardization reasons.

It looks like things are failing on the server side.
The autopkgtest produces the freeradius log (which is admittedly huge)
as a test artifact.
Could I get a pointer to a failing freeradius log?


I'm also going to bring this bug to the attention of Moonshot upstream.

[Bug 1955009] Re: Freeradius 3.0.21+dfsg-3build1 fails test of moonshot-gss-eap

2021-12-16 Thread Christian Ehrhardt 
Reproducible in local autopkgtest

Good:
### gss_eap_shib_attr_provider::init(): Initializing ShibResolver library
### finalize_class::finalize_class(): Constructing
Sending init_sec_context token (size=81)...continue needed...
Sending init_sec_context token (size=50)...continue needed...
Sending init_sec_context token (size=42)...continue needed...
Sending init_sec_context token (size=235)...continue needed...
Sending init_sec_context token (size=42)...continue needed...
Sending init_sec_context token (size=173)...continue needed...
Sending init_sec_context token (size=99)...continue needed...
Sending init_sec_context token (size=142)...continue needed...
Sending init_sec_context token (size=42)...continue needed...
Sending init_sec_context token (size=60)...continue needed...

context flag: GSS_C_MUTUAL_FLAG
context flag: GSS_C_REPLAY_FLAG
context flag: GSS_C_SEQUENCE_FLAG
context flag: GSS_C_CONF_FLAG 
context flag: GSS_C_INTEG_FLAG 
"st...@test.com" to "host/localhost", lifetime -1, flags 13e, locally initiated, open
Name type of source name is { 1 2 840 113554 1 2 1 1 }.
Mechanism { 1 3 6 1 5 5 15 1 1 17 } supports 6 names
  0: { 1 2 840 113554 1 2 1 1 }
  1: { 1 2 840 113554 1 2 1 4 }
  2: { 1 3 6 1 5 6 4 }
  3: { 1 3 6 1 5 6 6 }
  4: { 1 3 6 1 5 5 15 2 1 }
  5: { 1 3 6 1 5 6 3 }
Signature verified.
### finalize_class::finalize_class(): Constructing
2021-12-16 09:44:16 WARN Shibboleth.Application : no MetadataProvider available, configure at least one for standard SSO usage
2021-12-16 09:44:16 ERROR OpenSSL : error code: 33558530 in ../crypto/bio/bss_file.c, line 288
2021-12-16 09:44:16 ERROR OpenSSL : error data: fopen('/etc/shibboleth/sp-signing-key.pem','r')
2021-12-16 09:44:16 ERROR OpenSSL : error code: 537346050 in ../crypto/bio/bss_file.c, line 290
2021-12-16 09:44:16 ERROR XMLTooling.CredentialResolver.Chaining : caught exception processing embedded CredentialResolver element: Unable to load private key from file (/etc/shibboleth/sp-signing-key.pem).
2021-12-16 09:44:16 ERROR OpenSSL : error code: 33558530 in ../crypto/bio/bss_file.c, line 288
2021-12-16 09:44:16 ERROR OpenSSL : error data: fopen('/etc/shibboleth/sp-encrypt-key.pem','r')
2021-12-16 09:44:16 ERROR OpenSSL : error code: 537346050 in ../crypto/bio/bss_file.c, line 290
2021-12-16 09:44:16 ERROR XMLTooling.CredentialResolver.Chaining : caught exception processing embedded CredentialResolver element: Unable to load private key from file (/etc/shibboleth/sp-encrypt-key.pem).
context flag: GSS_C_MUTUAL_FLAG
context flag: GSS_C_REPLAY_FLAG
context flag: GSS_C_SEQUENCE_FLAG
context flag: GSS_C_CONF_FLAG 
context flag: GSS_C_INTEG_FLAG 
Attribute urn:ietf:params:gss:radius-attribute 79 Authenticated Complete


03070004

Attribute urn:ietf:params:gss:radius-attribute 80 Authenticated Complete


fea2dc1b41a181201e5650cd85cf90f5

Attribute urn:ietf:params:gss:radius-attribute 1 Authenticated Complete

@test.com

40746573742e636f6d

Accepted connection: "@test.com"
Received message: "testmessage"
NOOP token
### ShibFinalizer::ShibFinalizer(): Constructing
### gssEapAttrProvidersInitInternal(): Calling gssEapSamlAttrProvidersInit()
### gssEapAttrProvidersInitInternal(): Setting gssEapAttrProvidersInitStatus to 

gss_accept_sec_context: 1/0
EAP: EAP entering state RECEIVED
EAP: Received EAP-Success
EAP: Status notification: completion (param=success)
EAP: EAP entering state SUCCESS
CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
gss_init_sec_context: 1/0
gss_accept_sec_context: 0/0
gss_init_sec_context: 0/0
EAP: deinitialize previously used EAP method (21, TTLS) at EAP deinit
### ~finalize_class::~finalize_class() : initStatus=0010
### gssEapFinalize()
### ShibFinalizer::~ShibFinalizer(): Destructing
### gss_eap_shib_attr_provider::finalize(): calling ShibbolethResolver::term()
### ~finalize_class::~finalize_class() : initStatus=
### ~finalize_class::~finalize_class() : really finalizing
### gssEapFinalize()


Bad:
### finalize_class::finalize_class(): Constructing
GSS-API error accepting context: Invalid credential was supplied
GSS-API error accepting context: Authentication rejected by RADIUS server
gss_accept_sec_context: 655360/2109382925
### ~finalize_class::~finalize_class() : initStatus=0010
EAP: deinitialize previously used EAP method (21, TTLS) at EAP deinit
gss_init_sec_context: 655360/2109382925
sending token length: Broken pipe
### gssEapFinalize()
### ~finalize_class::~finalize_class() : initStatus=0010
### finalize_class::finalize_class(): Constructing
Sending init_sec_context token (size=81)...continue needed...
Sending init_sec_context token (size=50)...continue needed...
Sending init_sec_context token (size=42)...continue needed...
Sending init_sec_context token (size=235)...continue needed...
Sending init_sec_context token (size=42)...continue needed...
Sending init_sec_context token (size=173)...continue needed...
Sending init_sec_context token (size=99)...continue