Bug 246058
Summary: | Freeradius fails to load the CRL when requested to with OpenSSL libs error 3. | ||||||
---|---|---|---|---|---|---|---|
Product: | Red Hat Enterprise Linux 4 | Reporter: | paolo gaiardelli <paolo.gaiardelli> | ||||
Component: | freeradius | Assignee: | John Dennis <jdennis> | ||||
Status: | CLOSED WONTFIX | QA Contact: | |||||
Severity: | medium | Docs Contact: | |||||
Priority: | low | ||||||
Version: | 4.0 | ||||||
Target Milestone: | --- | ||||||
Target Release: | --- | ||||||
Hardware: | i386 | ||||||
OS: | Linux | ||||||
Whiteboard: | |||||||
Fixed In Version: | Doc Type: | Bug Fix | |||||
Doc Text: | Story Points: | --- | |||||
Clone Of: | Environment: | ||||||
Last Closed: | 2012-06-20 16:19:22 UTC | Type: | --- | ||||
Regression: | --- | Mount Type: | --- | ||||
Documentation: | --- | CRM: | |||||
Verified Versions: | Category: | --- | |||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
Cloudforms Team: | --- | Target Upstream Version: | |||||
Embargoed: | |||||||
Attachments: |
|
Description
paolo gaiardelli
2007-06-28 07:41:45 UTC
I have been tested freeradius with a CA hierarchy and CRL lists last year and it is working as long as the child also has the whole CA hierarchy and the issuing certificate. There might be a change in newer openssl libararies, therefore: Have you tried to use the openssl library from /usr/local with the freeradius version from the RHEL-4 RPM? Is this working? (In reply to comment #1) > I have been tested freeradius with a CA hierarchy and CRL lists last year and it > is working as long as the child also has the whole CA hierarchy and the issuing > certificate. > > There might be a change in newer openssl libararies, therefore: > Have you tried to use the openssl library from /usr/local with the freeradius > version from the RHEL-4 RPM? Is this working? Hi, if you mean using alternate openssl libraries compiled from the latest stable sources and installed in /usr/local, the answer is yes. The freeradius RHEL-4 RPM sources compiled against these libs do load the CRL correctly. If , on the other hand, you mean there is an official alternate openssl rpm that installs in /usr/local, then I'm not aware of it. I also seem to have evidence that a previous official freeradius version was loading the CRL correctly: I asked somebody who was working in place of me last year and he confirms it. No further data regarding that, tho. If there's something else you want me to do, I'm available, anytime. Bye, Paolo Even with the actual freeradius and openssl packages I can not reproduce your problem. I am using a CA hierarchy and it is working as expected. Can you please build a small reproducer? hi sure. It is going to take a few days, but I can attach a tarball with a set of original rpms (freeradius + openssl) + configuration files + additional info / logs, if this is ok for you. Yes, this is ok for me. Do you have a test case for me, now? Created attachment 178781 [details] test case for Bug 246058 this is going to overwrite almost everything in etc/raddb if you unpack it inside /etc. other than that nothing else happens when you untar the ball. There are RPMs inside. (In reply to comment #6) > Do you have a test case for me, now? hi, my apologies for the exceedingly long wait, here's a tarbz2ball (previous comment). You can find a raddb directory with a README, conf files, rpms, a CA with certs and key pairs on the inside. README contents: hi here you can find a copy of the /etc/raddb directory along with the involved rpms. NOTES: - the /etc/raddb/certs/crl directory contains a crl, a CA cert (with a copy of the crl on its tail), a server cert / key pair, and the client1.p12 file you can use with eapol_test (from the wpa_supplicant package, make eapol_test to make it) to reproduce the the problem. - /etc/raddb/certs/ca contains the CA structure. It's not really needed now. - clients.conf and huntgroups has to be modified for the right IP to use.. - for everything CA related the password is 'whatever' - the client1.p12 identity is 'daffy' USAGE: - install the rpms, untar the ball in the right place, compile eapol_test, run a test with EAP TLS authentication. - if you comment check_crl = yes in eap.conf, the authentication works, with an uncommented check_crl = yes line, it fails. - eapol_test.conf config file: network={ key_mgmt=IEEE8021X eap=TLS identity="daffy" #password="a" private_key="/tmp/downloads/client1.p12" ca_cert="/tmp/downloads/testroot.pem" private_key_passwd="whatever" #private_key_passwd="" } - eapol_test command line: ./eapol_test -a44.128.5.253 -s radius -c eapol_test.conf -n of course the IP has to be replaced. - For any questions/problems, I'm available. transferred from Thomas Woerner to John Dennis, requested by Steve Grubb. Thank you for submitting this issue for consideration in Red Hat Enterprise Linux. The release for which you requested us to review is now End of Life. Please See https://access.redhat.com/support/policy/updates/errata/ If you would like Red Hat to re-consider your feature request for an active release, please re-open the request via appropriate support channels and provide additional supporting details about the importance of this issue. |