TLS failures in freeradius 3.0.12

Andrew Daviel advax at triumf.ca
Thu Apr 14 05:21:07 CEST 2016


We have been running 3.0.4 on CentOS, authenticating against openldap 2.3.43 on CentOS 5. That seemed to work reliably, but we needed functionality only available in 3.0.11.

I built 3.0.12 as an RPM on CentOS 6 using the 3.0.12 tarball from github and the 3.0.4 specfile as a template, so that the same directories and settings were used as for 3.0.4.

We are using ldap on port 389 with start_tls.
The client certificate is loaded from a PEM file in /etc/raddb/certs/.
The server certificate is loaded from the NSS database /etc/raddb/certs/cert8.db.

Initially, after radiusd is started, authentication works properly.
We see in the debug output:
...
(1) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
...
rlm_ldap (ldap): Opening additional connection (6), 1 of 30 pending slots used
rlm_ldap (ldap): Connecting to ldap://ldap.example.com:389
TLS: certificate '/etc/raddb/certs/xxx' successfully loaded from moznss database.
rlm_ldap (ldap): Bind successful
..(1) Sent Access-Accept Id 170

After running for a bit, with the same radius client request, we get:

TLS: could not shutdown NSS - error -8053:NSS could not shutdown. Objects are still in use..
rlm_ldap (ldap): 0 of 0 connections in use.  You  may need to increase "spare"
rlm_ldap (ldap): Opening additional connection (7), 1 of 32 pending slots used
rlm_ldap (ldap): Connecting to ldap://ldap.example.com:389
TLS: could not initialize moznss - error -8018:Unknown PKCS #11 error..
TLS: could not perform TLS system initialization.
TLS: error: could not initialize moznss security context - error -8018:Unknown PKCS #11 error.
TLS: can't create ssl handle.
rlm_ldap (ldap): Could not start TLS: Connect error
... (2) Sent Access-Reject Id 217


On the openldap server in debug mode, I get an error:
TLS trace: SSL3 alert read:warning:close notify
ldap_read: want=8, got=0


Any ideas?
The openldap logs are somewhat cryptic.


-- 
Andrew Daviel, TRIUMF, Canada
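An added example, not part of the original post or of FreeRADIUS: a small checker that walks radiusd debug output, attaches each TLS outcome to the rlm_ldap connection being opened, and flags connections that failed right after NSS refused to shut down (error -8053), which is the sequence quoted above. The sample log is constructed from the lines in this post; the regexes match only those message formats and are an assumption for other versions.

```python
import re

# Constructed sample: the radiusd debug lines quoted in the post, in order.
SAMPLE_LOG = """
rlm_ldap (ldap): Opening additional connection (6), 1 of 30 pending slots used
rlm_ldap (ldap): Connecting to ldap://ldap.example.com:389
TLS: certificate '/etc/raddb/certs/xxx' successfully loaded from moznss database.
rlm_ldap (ldap): Bind successful
TLS: could not shutdown NSS - error -8053:NSS could not shutdown. Objects are still in use..
rlm_ldap (ldap): 0 of 0 connections in use.  You  may need to increase "spare"
rlm_ldap (ldap): Opening additional connection (7), 1 of 32 pending slots used
rlm_ldap (ldap): Connecting to ldap://ldap.example.com:389
TLS: could not initialize moznss - error -8018:Unknown PKCS #11 error..
TLS: can't create ssl handle.
rlm_ldap (ldap): Could not start TLS: Connect error
"""

OPEN_RE = re.compile(r"rlm_ldap \(\w+\): Opening additional connection \((\d+)\)")
CONNECT_RE = re.compile(r"rlm_ldap \(\w+\): Connecting to (\S+)")
NSS_SHUTDOWN_RE = re.compile(r"TLS: could not shutdown NSS - error (-?\d+)")
NSS_INIT_RE = re.compile(r"TLS: could not initialize moznss - error (-?\d+)")
TLS_OK_RE = re.compile(r"TLS: certificate '[^']+' successfully loaded")
TLS_FAIL_RE = re.compile(r"rlm_ldap \(\w+\): Could not start TLS")


def analyze(lines):
    """Return one record per opened rlm_ldap connection with its TLS outcome."""
    results, current, shutdown_err = [], None, None
    for line in lines:
        if m := NSS_SHUTDOWN_RE.search(line):
            shutdown_err = int(m.group(1))  # remembered until the next connection opens
        elif m := OPEN_RE.search(line):
            current = {"conn": int(m.group(1)), "url": None, "tls": "pending",
                       "nss_error": None, "prior_shutdown_error": shutdown_err}
            results.append(current)
            shutdown_err = None
        elif current is not None:
            if m := CONNECT_RE.search(line):
                current["url"] = m.group(1)
            elif m := NSS_INIT_RE.search(line):
                current["nss_error"] = int(m.group(1))
            elif TLS_OK_RE.search(line):
                current["tls"] = "ok"
            elif TLS_FAIL_RE.search(line):
                current["tls"] = "failed"
    return results


def stale_nss_failures(results):
    """Connections whose TLS setup failed after NSS reported objects still in use (-8053)."""
    return [r for r in results if r["tls"] == "failed" and r["prior_shutdown_error"] == -8053]


if __name__ == "__main__":
    for r in stale_nss_failures(analyze(SAMPLE_LOG.splitlines())):
        print(f"connection {r['conn']} to {r['url']}: TLS failed, NSS init error {r['nss_error']}")
```

Run against `radiusd -X` output redirected to a file; a non-empty result means the NSS context was left half torn down before the reconnect, and the sample above yields connection 7.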
