Bug 1859527 - freeradius can't generate dhparams with OpenSSL in FIPS
Summary: freeradius can't generate dhparams with OpenSSL in FIPS
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: freeradius
Version: 8.3
Hardware: All
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: rc
Target Release: 8.0
Assignee: Alex Scheel
QA Contact: Filip Dvorak
Docs Contact: lmcgarry
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-07-22 10:38 UTC by Ondrej Moriš
Modified: 2020-11-04 03:58 UTC (History)

Fixed In Version: freeradius-3.0-8030020200806223029.1e4bbb35
Doc Type: Bug Fix
Doc Text:
FreeRADIUS now generates FIPS-compliant Diffie-Hellman parameters

Due to new FIPS requirements that do not allow `openssl` to generate Diffie-Hellman (DH) parameters via `dhparam`, the DH parameter generation has been removed from the FreeRADIUS bootstrap scripts, and the file `rfc3526-group-18-8192.dhparam` is included with the FreeRADIUS packages for all systems, which enables FreeRADIUS to start in FIPS mode. Note that you can customize `/etc/raddb/certs/bootstrap` and `/etc/raddb/certs/Makefile` to restore the DH parameter generation if required.
Clone Of:
Environment:
Last Closed: 2020-11-04 03:58:12 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Links
Red Hat Product Errata RHSA-2020:4799 (last updated 2020-11-04 03:58:21 UTC)

Description Ondrej Moriš 2020-07-22 10:38:58 UTC
Description of problem:

During its postinstall scripts freeradius generates keys in /etc/raddb/certs. 

# rpm -q freeradius --scripts
...
if [ $1 -eq 1 ]; then           # install
  # Initial installation
  if [ ! -e /etc/raddb/certs/server.pem ]; then
    /sbin/runuser -g radiusd -c 'umask 007; /etc/raddb/certs/bootstrap' > /dev/null 2>&1
  fi
fi
...

However, in FIPS mode this generation fails and no keys are created. This is caused by not being able to generate DH params:

# cat  /etc/raddb/certs/bootstrap
...
if [ ! -e dh ]; then
  openssl dhparam -out dh 2048 || exit 1
  ln -sf /dev/urandom random
fi
...

In RHEL-8.3, openssl doesn't allow dhparam generation in FIPS mode (see BZ#1810911 and BZ#1855822) because of new requirements of the standard. Execution of the openssl command fails and the bootstrap script exits. No keys are created, and radiusd won't start without them:

# ls /etc/raddb/certs/
bootstrap  ca.cnf  client.cnf  dh  inner-server.cnf  Makefile  passwords.mk  README  server.cnf  xpextensions

# systemctl start radiusd
Job for radiusd.service failed because the control process exited with error code.
See "systemctl status radiusd.service" and "journalctl -xe" for details.

# cat /var/log/radius/radius.log 
Wed Jul 22 06:33:26 2020 : Info: Debugger not attached
Wed Jul 22 06:33:26 2020 : Error: Unable to check file "/etc/raddb/certs/server.pem": No such file or directory
Wed Jul 22 06:33:26 2020 : Error: /etc/raddb/mods-enabled/eap[183]: Failed parsing configuration item "private_key_file"
Wed Jul 22 06:33:26 2020 : Error: rlm_eap_tls: Failed initializing SSL context
Wed Jul 22 06:33:26 2020 : Error: rlm_eap (EAP): Failed to initialise rlm_eap_tls
Wed Jul 22 06:33:26 2020 : Error: /etc/raddb/mods-enabled/eap[14]: Instantiation failed for module "eap"


Version-Release number of selected component (if applicable):

freeradius-3.0.20-1.module+el8.3.0+6967+0ef5980f
openssl-1.1.1g-9.el8

How reproducible:

100% in FIPS mode

Steps to Reproduce:

1. Make sure freeradius is not installed and /etc/raddb does not exist.
2. Enable FIPS mode.
3. Install freeradius.
4. Inspect /etc/raddb/certs and start radiusd.

Actual results:

No keys are created and service fails to start.

Expected results:

Keys for CA, server and client are created and the service starts.

Additional info:

1. The dhparams file (dh) is never used in the bootstrap script; can its generation be removed? Keys will be generated successfully without it.

2. In RHEL-8.2 the dhparam file can be generated even in FIPS mode, hence this issue is new in 8.3.
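The description above shows the bootstrap script aborting because `openssl dhparam` is refused in FIPS mode, and the Doc Text describes the fix: stop generating DH parameters at install time and ship a static RFC 3526 group file instead. The script below is an added example, not FreeRADIUS's own bootstrap script or the errata's patch. It shows the decision a hardened bootstrap has to make: reuse an existing `dh` file, copy a packaged parameter file, generate only when the system is not in FIPS mode, and otherwise fail loudly instead of silently leaving the certs directory half-built (which is what produced the "server.pem: No such file" errors above). The shipped-file path and the use of the kernel's `/proc/sys/crypto/fips_enabled` flag are assumptions; the page does not state where the package installs `rfc3526-group-18-8192.dhparam`.

```shell
#!/bin/sh
# Added example: FIPS-aware population of the "dh" file in a FreeRADIUS-style
# certs directory. Not the project's bootstrap script.
# Assumed location of the packaged static parameters (hypothetical path):
#   /etc/raddb/certs/rfc3526-group-18-8192.dhparam

# Return 0 when the system runs in FIPS mode. Takes an optional path so the
# check can be exercised against a constructed flag file instead of /proc.
fips_enabled() {
    f="${1:-/proc/sys/crypto/fips_enabled}"
    [ -r "$f" ] && [ "$(cat "$f" 2>/dev/null)" = "1" ]
}

# Decide where DH parameters come from. Prints exactly one of:
#   existing - a "dh" file is already present, keep it
#   shipped  - copy the packaged static parameter file
#   generate - run "openssl dhparam" (only attempted outside FIPS mode)
#   fail     - FIPS mode and no shipped file: refuse rather than half-build
# Arguments: certs directory, shipped parameter file, FIPS flag file.
dh_source() {
    certs="$1"; shipped="$2"; flag="$3"
    if [ -e "$certs/dh" ]; then
        echo existing
    elif [ -r "$shipped" ]; then
        echo shipped
    elif fips_enabled "$flag"; then
        echo fail
    else
        echo generate
    fi
}

# Populate "$certs/dh" according to dh_source. Returns non-zero on "fail" so a
# caller (the bootstrap script, an RPM scriptlet) can abort with a clear reason
# instead of continuing with missing material.
ensure_dh() {
    certs="$1"; shipped="$2"; flag="$3"
    case "$(dh_source "$certs" "$shipped" "$flag")" in
        existing) ;;
        shipped)  cp "$shipped" "$certs/dh" ;;
        generate) openssl dhparam -out "$certs/dh" 2048 ;;
        fail)
            echo "FIPS mode: cannot generate DH parameters and no shipped file at $shipped" >&2
            return 1 ;;
    esac
}

# Demonstration on a constructed directory; no openssl invocation is needed
# because the shipped-file branch is taken.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/certs"
printf '1\n' > "$demo_dir/fips_enabled"                       # constructed: FIPS on
printf 'constructed DH parameter blob\n' > "$demo_dir/group18.dhparam"
ensure_dh "$demo_dir/certs" "$demo_dir/group18.dhparam" "$demo_dir/fips_enabled" \
    && echo "dh populated from shipped file: $(dh_source "$demo_dir/certs" "$demo_dir/group18.dhparam" "$demo_dir/fips_enabled")"
rm -rf "$demo_dir"
```

The `fail` branch is the point: the original bootstrap used `|| exit 1` on the openssl call, which is correct, but the RPM scriptlet discarded all output (`> /dev/null 2>&1`), so the failure only surfaced later as an unrelated-looking "private_key_file" error at service start. Checking the FIPS flag up front and naming the missing file in the error makes the installation-time failure diagnosable.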

Comment 1 Alex Scheel 2020-07-22 11:13:26 UTC

*** This bug has been marked as a duplicate of bug 1857230 ***

Comment 2 Alex Scheel 2020-07-22 11:51:34 UTC
Per discussion with Ondrej on IRC, this isn't a duplicate. Clarifying subject.

Comment 4 Alex Scheel 2020-08-07 16:49:33 UTC
Filip,

Still looking for qa_ack+ so we can attach it to the errata.

Comment 30 errata-xmlrpc 2020-11-04 03:58:12 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: freeradius:3.0 security and bug fix update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:4799

