FreeRADIUS now generates FIPS-compliant Diffie-Hellman parameters
Because the new FIPS requirements no longer allow `openssl` to generate Diffie-Hellman (DH) parameters with `dhparam`, DH parameter generation has been removed from the FreeRADIUS bootstrap scripts. Instead, the file `rfc3526-group-18-8192.dhparam` is shipped with the FreeRADIUS packages for all systems, which lets FreeRADIUS start in FIPS mode.
Note that you can customize `/etc/raddb/certs/bootstrap` and `/etc/raddb/certs/Makefile` to restore the DH parameter generation if required.
Description of problem:
During its postinstall scripts freeradius generates keys in /etc/raddb/certs.
# rpm -q freeradius --scripts
...
if [ $1 -eq 1 ]; then # install
    # Initial installation
    if [ ! -e /etc/raddb/certs/server.pem ]; then
        /sbin/runuser -g radiusd -c 'umask 007; /etc/raddb/certs/bootstrap' > /dev/null 2>&1
    fi
fi
...
However, in FIPS mode this generation fails and no keys are created. This is caused by not being able to generate DH params:
# cat /etc/raddb/certs/bootstrap
...
if [ ! -e dh ]; then
    openssl dhparam -out dh 2048 || exit 1
    ln -sf /dev/urandom random
fi
...
In RHEL-8.3 openssl doesn't allow dhparam generation in FIPS mode (see BZ#1810911 and BZ#1855822) because of new requirements of the standard. Execution of the openssl command fails and the bootstrap script exits. No keys are created and radiusd won't start without them:
# ls /etc/raddb/certs/
bootstrap ca.cnf client.cnf dh inner-server.cnf Makefile passwords.mk README server.cnf xpextensions
# systemctl start radiusd
Job for radiusd.service failed because the control process exited with error code.
See "systemctl status radiusd.service" and "journalctl -xe" for details.
# cat /var/log/radius/radius.log
Wed Jul 22 06:33:26 2020 : Info: Debugger not attached
Wed Jul 22 06:33:26 2020 : Error: Unable to check file "/etc/raddb/certs/server.pem": No such file or directory
Wed Jul 22 06:33:26 2020 : Error: /etc/raddb/mods-enabled/eap[183]: Failed parsing configuration item "private_key_file"
Wed Jul 22 06:33:26 2020 : Error: rlm_eap_tls: Failed initializing SSL context
Wed Jul 22 06:33:26 2020 : Error: rlm_eap (EAP): Failed to initialise rlm_eap_tls
Wed Jul 22 06:33:26 2020 : Error: /etc/raddb/mods-enabled/eap[14]: Instantiation failed for module "eap"
Version-Release number of selected component (if applicable):
freeradius-3.0.20-1.module+el8.3.0+6967+0ef5980f
openssl-1.1.1g-9.el8
How reproducible:
100% in FIPS mode
Steps to Reproduce:
1. Make sure freeradius is not installed and /etc/raddb does not exist.
2. Enable FIPS mode.
3. Install freeradius.
4. Inspect /etc/raddb/certs and start radiusd.
Actual results:
No keys are created and service fails to start.
Expected results:
Keys for CA, server and client are created and the service starts.
Additional info:
1. The file with dhparams (dh) is never used in the bootstrap script; can its generation be removed? Keys will be generated successfully without it.
2. In RHEL-8.2 the dhparam file can be generated even in FIPS mode, hence this issue is new in 8.3.
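The release note above describes the fix (ship a pre-generated RFC 3526 group instead of running `openssl dhparam`) and the report shows the bootstrap step that fails in FIPS mode. The following is an added example, not code from the FreeRADIUS package or from this bug, of how a bootstrap fragment can make that decision; it assumes the kernel exposes FIPS state in /proc/sys/crypto/fips_enabled and that the shipped group file lives at the path in DHPARAM_SRC (both overridable).

```shell
#!/bin/sh
# Added example, not from the FreeRADIUS package or this bug report: a bootstrap
# fragment that never runs "openssl dhparam" in FIPS mode and instead installs the
# pre-generated RFC 3526 group 18 file the fixed package ships.
# Assumptions (overridable for testing): the kernel reports FIPS mode in
# /proc/sys/crypto/fips_enabled, and the packaged group file lives at $DHPARAM_SRC.

FIPS_FLAG="${FIPS_FLAG:-/proc/sys/crypto/fips_enabled}"
DHPARAM_SRC="${DHPARAM_SRC:-/etc/raddb/certs/rfc3526-group-18-8192.dhparam}"

# True when the kernel flag reads "1" (the system OpenSSL then refuses dhparam generation).
fips_enabled() {
    [ -r "$FIPS_FLAG" ] && [ "$(cat "$FIPS_FLAG" 2>/dev/null)" = "1" ]
}

# Provision "$1/dh". Prints the strategy used ("existing", "shipped", "generated")
# and returns non-zero on failure, so the caller can keep its "|| exit 1".
prepare_dh() {
    certdir="$1"
    if [ -e "$certdir/dh" ]; then
        echo "existing"
        return 0
    fi
    if fips_enabled; then
        # FIPS: do not generate; copy the well-known group after checking it is a DH PEM.
        grep -q 'BEGIN DH PARAMETERS' "$DHPARAM_SRC" 2>/dev/null || {
            echo "usable DH parameter file not found at $DHPARAM_SRC" >&2
            return 1
        }
        cp "$DHPARAM_SRC" "$certdir/dh" && chmod 640 "$certdir/dh" || return 1
        echo "shipped"
    else
        # Non-FIPS: the original generation step still works.
        openssl dhparam -out "$certdir/dh" 2048 >/dev/null 2>&1 || return 1
        echo "generated"
    fi
}
```

Because a missing or malformed shipped file returns non-zero instead of silently continuing, the surrounding bootstrap still fails loudly rather than leaving radiusd without keys.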
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory (Moderate: freeradius:3.0 security and bug fix update), and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHSA-2020:4799