3.0.10: decrypting RSA private key failure
Stefan Winter
stefan.winter at restena.lu
Mon Jan 11 10:12:48 CET 2016
Hi,
now this is strange.
I'm in the middle of a certificate rollover. I have protected the old
(1024 bit RSA) and new (4096 bit RSA) key with the same passphrase.
Using "openssl rsa" on the FreeRADIUS box, I can decrypt both keys.
When starting FreeRADIUS with the old cert+key, it starts up. When
trying with the new cert+key:
# Instantiating module "eap-staff" from file /usr/local/freeradius/config/raddb/mods-enabled/eap-staff
# Linked to sub-module rlm_eap_tls
  tls {
    tls = "tls-staff"
  }
  tls-config tls-staff {
    rsa_key_exchange = no
    dh_key_exchange = yes
    rsa_key_length = 512
    dh_key_length = 512
    verify_depth = 0
    ca_path = "/usr/local/freeradius/config/raddb/certs/STAFF-CA/"
    pem_file_type = yes
    private_key_file = "/usr/local/freeradius/config/raddb/staff/cert-srv.key"
    certificate_file = "/usr/local/freeradius/config/raddb/staff/cert-srv.pem"
    private_key_password = <<< secret >>>
    dh_file = "/usr/local/freeradius/config/raddb/certs/dh"
    random_file = "/dev/urandom"
    fragment_size = 1300
    include_length = yes
    check_crl = no
    check_all_crl = no
    cipher_list = "DEFAULT"
    ecdh_curve = "prime256v1"
    cache {
      enable = yes
      lifetime = 24
      name = "eduroam-staff"
      max_entries = 128
      persist_dir = "/var/log/radius/tlscache-eduroam-staff"
    }
    verify {
    }
    ocsp {
      enable = no
      override_cert_url = no
      use_nonce = yes
      timeout = 0
      softfail = no
    }
  }
tls: Failed reading private key file /usr/local/freeradius/config/raddb/staff/cert-srv.key:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
rlm_eap_tls: Failed initializing SSL context
rlm_eap (eap-staff): Failed to initialise rlm_eap_tls
/usr/local/freeradius/config/raddb/mods-enabled/eap-staff[1]: Instantiation failed for module "eap-staff"
Huh? The passphrase is identical, I'm pointing it to the correct
filename, openssl can decode it - but FreeRADIUS can't?
Looking at the encrypted private keys, I do see a small difference:
OLD:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,EC24580B720DE947
[...]
-----END RSA PRIVATE KEY-----
NEW:
-----BEGIN ENCRYPTED PRIVATE KEY-----
[...]
-----END ENCRYPTED PRIVATE KEY-----
Both decode into:
-----BEGIN RSA PRIVATE KEY-----
[...]
-----END RSA PRIVATE KEY-----
openssl can handle both. Any clue why FreeRADIUS doesn't? This is a
3.0.10 installation.
Greetings,
Stefan Winter
--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette
Tel: +352 424409 1
Fax: +352 422473
PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
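As an added example (not part of Stefan's post and not FreeRADIUS code), a small stdlib-only Python check that tells the two PEM containers shown above apart: the traditional form with RFC 1421 "Proc-Type"/"DEK-Info" headers and the PKCS#8 "ENCRYPTED PRIVATE KEY" form. It lets an operator compare the container of the old and new key before a rollover; the sample inputs are constructed, with placeholder base64 bodies.

```python
import re

PKCS8_ENC = "ENCRYPTED PRIVATE KEY"
PKCS8_PLAIN = "PRIVATE KEY"
TRAD_LABELS = {"RSA PRIVATE KEY", "EC PRIVATE KEY", "DSA PRIVATE KEY"}

# First PEM block in the text: label, then everything up to the matching END line.
_PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----", re.S)


def classify_pem_key(pem_text):
    """Describe the first private-key block: kind, PEM label, and the
    DEK-Info cipher for traditional encrypted keys (None otherwise)."""
    m = _PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no PEM block found")
    label, body = m.group("label"), m.group("body").replace("\r\n", "\n")
    if label == PKCS8_ENC:   # PKCS#8: encryption parameters live inside the DER
        return {"kind": "pkcs8-encrypted", "label": label, "cipher": None}
    if label == PKCS8_PLAIN:
        return {"kind": "pkcs8-plain", "label": label, "cipher": None}
    if label not in TRAD_LABELS:
        raise ValueError("not a private key block: %s" % label)
    # Traditional format: RFC 1421 headers, a blank line, then the base64 body.
    headers = {}
    head, sep, _ = body.partition("\n\n")
    if sep:
        for line in head.splitlines():
            k, _, v = line.partition(":")
            headers[k.strip()] = v.strip()
    if headers.get("Proc-Type") == "4,ENCRYPTED" and "DEK-Info" in headers:
        cipher = headers["DEK-Info"].split(",")[0]
        return {"kind": "traditional-encrypted", "label": label, "cipher": cipher}
    return {"kind": "traditional-plain", "label": label, "cipher": None}


def container_mismatch(old_pem, new_pem):
    """True when the two keys use different PEM containers."""
    return classify_pem_key(old_pem)["kind"] != classify_pem_key(new_pem)["kind"]


# Constructed samples: headers as in the post, bodies are placeholders.
OLD_KEY = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,EC24580B720DE947

MIICXAIBAAKBgQC...
-----END RSA PRIVATE KEY-----
"""
NEW_KEY = """-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIJnzBJBgkqhkiG...
-----END ENCRYPTED PRIVATE KEY-----
"""
```

Conversion between the two containers is done with openssl rsa (traditional, DEK-Info headers) and openssl pkcs8 (PKCS#8); the exact flags depend on the OpenSSL version in use.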