FreeRADIUS now ships FIPS-compliant Diffie-Hellman parameters
Because the FIPS requirements that apply to `openssl` in RHEL 8.3 no longer allow it to generate Diffie-Hellman (DH) parameters with `openssl dhparam`, DH parameter generation has been removed from the FreeRADIUS bootstrap scripts. Instead, the file `rfc3526-group-18-8192.dhparam` (the 8192-bit MODP group 18 from RFC 3526) is included with the FreeRADIUS packages on all systems, which lets FreeRADIUS start in FIPS mode.
Note that you can customize `/etc/raddb/certs/bootstrap` and `/etc/raddb/certs/Makefile` to restore DH parameter generation if required; generation will still fail while the system is in FIPS mode.
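The following is an added example and is not code from the FreeRADIUS packages, the RHEL bootstrap script or the bug report: a FIPS-aware replacement for the `dh` block of `/etc/raddb/certs/bootstrap`. On a non-FIPS system it keeps the original `openssl dhparam` call; in FIPS mode it never invokes `openssl dhparam` and links the shipped RFC 3526 group 18 file instead, so the rest of the bootstrap (CA, server and client keys) still runs. The function names `is_fips_enabled` and `resolve_dh_params` are hypothetical, and the shipped file is assumed to sit in the certs directory; `/proc/sys/crypto/fips_enabled` is the kernel's FIPS flag on RHEL.

```shell
#!/bin/sh
# Added example (hypothetical helpers): FIPS-aware DH parameter handling for
# the FreeRADIUS certs bootstrap.
#
# The original bootstrap fragment that breaks in FIPS mode on RHEL 8.3:
#   if [ ! -e dh ]; then
#       openssl dhparam -out dh 2048 || exit 1   # fails in FIPS mode, aborts bootstrap
#       ln -sf /dev/urandom random
#   fi

# is_fips_enabled: true when the kernel runs in FIPS mode (RHEL exposes this
# as /proc/sys/crypto/fips_enabled == 1).
is_fips_enabled() {
    [ -r /proc/sys/crypto/fips_enabled ] &&
        [ "$(cat /proc/sys/crypto/fips_enabled)" = "1" ]
}

# resolve_dh_params FIPS CERTS_DIR OUT
#   FIPS      1 if the system is in FIPS mode, 0 otherwise (passed in so the
#             decision is testable without a FIPS kernel)
#   CERTS_DIR directory holding the shipped rfc3526-group-18-8192.dhparam
#             (assumed location; the packages decide where it really lives)
#   OUT       path of the dh file FreeRADIUS will read
# Prints the path of a usable DH parameter file and returns 0, or returns 1
# without creating OUT when no parameters can be provided.
resolve_dh_params() {
    fips="$1"; certs="$2"; out="$3"
    shipped="$certs/rfc3526-group-18-8192.dhparam"

    # Already provisioned (a regular file or a symlink to one): nothing to do.
    if [ -s "$out" ]; then
        printf '%s\n' "$out"
        return 0
    fi

    if [ "$fips" -eq 1 ]; then
        # FIPS mode: openssl dhparam is not permitted, so use the shipped
        # well-known group instead of generating one.
        if [ -s "$shipped" ]; then
            ln -sf "$shipped" "$out" || return 1
            printf '%s\n' "$out"
            return 0
        fi
        printf 'FIPS mode and no shipped DH parameters at %s\n' "$shipped" >&2
        return 1
    fi

    # Non-FIPS: behave like the original bootstrap and generate 2048-bit params.
    openssl dhparam -out "$out" 2048 >/dev/null 2>&1 || return 1
    printf '%s\n' "$out"
}

# Usage from a bootstrap script (run from /etc/raddb/certs):
#   if is_fips_enabled; then fips=1; else fips=0; fi
#   resolve_dh_params "$fips" "$(pwd)" dh >/dev/null || exit 1
```

Two points worth keeping in mind when adapting this: the original block also creates the `random` symlink inside the `if [ ! -e dh ]` test, so it is skipped entirely when `dh` already exists; do that step unconditionally. And `rpm` runs the bootstrap with its output discarded (`> /dev/null 2>&1`), so a failing `resolve_dh_params` leaves no trace beyond the missing `server.pem`; log the failure to a file if you need to see why provisioning stopped.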
Description of problem:
During its postinstall scripts freeradius generates keys in /etc/raddb/certs.
# rpm -q freeradius --scripts
...
if [ $1 -eq 1 ]; then # install
# Initial installation
if [ ! -e /etc/raddb/certs/server.pem ]; then
/sbin/runuser -g radiusd -c 'umask 007; /etc/raddb/certs/bootstrap' > /dev/null 2>&1
fi
fi
...
However, in FIPS mode this generation fails and no keys are created. This is caused by not being able to generate DH params:
# cat /etc/raddb/certs/bootstrap
...
if [ ! -e dh ]; then
openssl dhparam -out dh 2048 || exit 1
ln -sf /dev/urandom random
fi
...
In RHEL-8.3 openssl doesn't allow dhparam generation (see BZ#1810911 and BZ#1855822) in FIPS mode because of new requirements for the standard. Execution of the openssl command fails and the bootstrap script exits. No keys are created and radiusd won't start without them:
# ls /etc/raddb/certs/
bootstrap ca.cnf client.cnf dh inner-server.cnf Makefile passwords.mk README server.cnf xpextensions
# systemctl start radiusd
Job for radiusd.service failed because the control process exited with error code.
See "systemctl status radiusd.service" and "journalctl -xe" for details.
# cat /var/log/radius/radius.log
Wed Jul 22 06:33:26 2020 : Info: Debugger not attached
Wed Jul 22 06:33:26 2020 : Error: Unable to check file "/etc/raddb/certs/server.pem": No such file or directory
Wed Jul 22 06:33:26 2020 : Error: /etc/raddb/mods-enabled/eap[183]: Failed parsing configuration item "private_key_file"
Wed Jul 22 06:33:26 2020 : Error: rlm_eap_tls: Failed initializing SSL context
Wed Jul 22 06:33:26 2020 : Error: rlm_eap (EAP): Failed to initialise rlm_eap_tls
Wed Jul 22 06:33:26 2020 : Error: /etc/raddb/mods-enabled/eap[14]: Instantiation failed for module "eap"
Version-Release number of selected component (if applicable):
freeradius-3.0.20-1.module+el8.3.0+6967+0ef5980f
openssl-1.1.1g-9.el8
How reproducible:
100% in FIPS mode
Steps to Reproduce:
1. Make sure freeradius is not installed and /etc/raddb does not exist.
2. Enable FIPS mode.
3. Install freeradius.
4. Inspect /etc/raddb/certs and start radiusd.
Actual results:
No keys are created and service fails to start.
Expected results:
Keys for CA, server and client are created and the service starts.
Additional info:
1. The file with dhparams (dh) is never used in the bootstrap script; can its generation be removed? Keys will be generated successfully without it.
2. In RHEL-8.2 the dhparam file can be generated even in FIPS mode, hence this issue is new in 8.3.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: freeradius:3.0 security and bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHSA-2020:4799