Error starting radiusd when specifying private_key_password (INTERNAL)

Alan DeKok aland at deployingradius.com
Fri Aug 21 17:29:58 CEST 2020


On Aug 21, 2020, at 10:06 AM, Per.Weisteen at telenor.com wrote:
> I've installed FreeRADIUS 3.0.13 on CentOS 7 and generated my own set of CA, intermediate and server certificates using openssl version 1.0.2k-fips.
> Certificates etc. are generated using https://jamielinux.com/docs/openssl-certificate-authority/ modified with info from https://devcentral.f5.com/s/articles/building-an-openssl-certificate-authority-introduction-and-design-considerations-for-elliptical-curves-27720

  That should be fine.

>
> I've configured mods-enabled/eap using a private_key_password with a length of 20 characters.
> Starting in debug mode I get error messages:
> 
> tls: Failed reading private key file "/etc/raddb/certs/oslo-radius01v4-test.nsc.no.pem"
> tls: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt
> tls: error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error
> tls: error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error
> tls: error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib
> tls: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
> rlm_eap_tls: Failed initializing SSL context
> rlm_eap (EAP): Failed to initialise rlm_eap_tls
> /etc/raddb/mods-enabled/eap[14]: Instantiation failed for module "eap"

  Weird.  There is no limit on the length of the private_key_password.

  Are there special characters in it?  You might need to quote the password, and escape things.  i.e. instead of:

	private_key_password = abcd'def

do

	private_key_password = "abc'def"

> If I comment out the private_key_password statement I'm prompted for the password instead:
> 
> Enter PEM pass phrase:
> 
> Using the same password as specified in private_key_password the startup seems to start ok.
> 
> Any suggestions?

  We just read the password from the configuration file and pass it to OpenSSL.  There's very little processing done by us.

  Alan DeKok.
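
An added example, not part of the original thread and not FreeRADIUS code: a way to check a passphrase against an encrypted PEM key with OpenSSL alone, so that any difference between the value in the configuration file and the value that decrypts the key can be isolated. The helper names `key_accepts_pass` and `make_test_key`, the throwaway key and the passphrases are all constructed for the illustration.

```shell
#!/bin/sh
# Added example: test a passphrase against an encrypted PEM key using
# OpenSSL alone, independent of radiusd and its configuration parser.

# key_accepts_pass KEYFILE PASSPHRASE  (hypothetical helper name)
# Returns 0 only if OpenSSL decrypts KEYFILE with exactly PASSPHRASE.
# The passphrase is handed over in a temp file (-passin file:), so it is
# not visible in the process list and needs no shell escaping.
key_accepts_pass() {
    _pf=$(mktemp) || return 2
    printf '%s\n' "$2" > "$_pf"
    openssl pkey -in "$1" -passin "file:$_pf" -noout >/dev/null 2>&1
    _rc=$?
    rm -f "$_pf"
    return "$_rc"
}

# make_test_key KEYFILE PASSPHRASE  (hypothetical helper name)
# Writes a throwaway AES-encrypted RSA key so the demo runs offline.
make_test_key() {
    _pf=$(mktemp) || return 2
    printf '%s\n' "$2" > "$_pf"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -aes-256-cbc -pass "file:$_pf" -out "$1" >/dev/null 2>&1
    _rc=$?
    rm -f "$_pf"
    return "$_rc"
}

# Demo with a constructed passphrase containing a quote and a '#', plus
# two constructed near-misses that differ only at a special character.
demo() {
    _key=$(mktemp) || return 2
    make_test_key "$_key" "Example'pass#2020" || { rm -f "$_key"; return 2; }
    for _try in "Example'pass#2020" "Examplepass#2020" "Example'pass"; do
        if key_accepts_pass "$_key" "$_try"; then
            echo "accepted: $_try"
        else
            echo "rejected: $_try"
        fi
    done
    rm -f "$_key"
}
demo
```

A wrong passphrase is the usual cause of the `EVP_DecryptFinal_ex:bad decrypt` error, so a passphrase that this check accepts but that fails from the configuration file points at how the value is written there.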



