<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=iso-8859-7">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hi,<br>
<br>
I had a specific problem running freeradius 2.2.5/2.2.6 in OpenBSD.<br>
<br>
rlm_eap_tls: Couldn't set ephemeral RSA key
<br>
rlm_eap: Failed to initialize type tls
<br>
/etc/raddb/eap.conf[17]: Instantiation failed for module "eap"<br>
<br>
After playing around with the source I've managed to make it work by
doing:<br>
<br>
<pre>--- ./src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c Tue Nov 18 21:56:52 2014
+++ /root/rlm_eap_tls.c Wed Dec 31 10:55:43 2014
@@ -203,10 +203,16 @@
RSA *rsa;
rsa = RSA_generate_key(512, RSA_F4, NULL, NULL);
-
- if (!SSL_CTX_set_tmp_rsa(ctx, rsa)) {
- radlog(L_ERR, "rlm_eap_tls: Couldn't set ephemeral RSA key");
+ if (rsa == NULL) {
+ radlog(L_ERR, "rlm_eap_tls: Couldn't generate RSA key");
return -1;
+ }
+
+ if (SSL_CTX_need_tmp_RSA(ctx)) {
+ if (!SSL_CTX_set_tmp_rsa(ctx, rsa)) {
+ radlog(L_ERR, "rlm_eap_tls: Couldn't set ephemeral RSA key");
+ return -1;
+ }
}
RSA_free(rsa);
Maybe a check for SSL_CTX_need_tmp_RSA should be added before calling SSL_CTX_set_tmp_rsa?
You can also read the relevant thread in OpenBSD mailing list here
<meta http-equiv="content-type" content="text/html; charset=iso-8859-7"><a class="moz-txt-link-freetext" href="http://marc.info/?l=openbsd-misc&m=141996016020120&w=2">http://marc.info/?l=openbsd-misc&m=141996016020120&w=2</a>
thanks for any comments on this,
Giannis
</pre>
<div class="moz-forward-container">
<br>
<br>
-------- Forwarded Message --------
<table class="moz-email-headers-table" border="0" cellpadding="0"
cellspacing="0">
<tbody>
<tr>
<th align="RIGHT" nowrap="nowrap" valign="BASELINE">Subject:
</th>
<td>Re: freeradius problem - ephemeral RSA key generation</td>
</tr>
<tr>
<th align="RIGHT" nowrap="nowrap" valign="BASELINE">Date: </th>
<td>Wed, 31 Dec 2014 10:39:17 +0200</td>
</tr>
<tr>
<th align="RIGHT" nowrap="nowrap" valign="BASELINE">To: </th>
<td><a class="moz-txt-link-abbreviated" href="mailto:misc@openbsd.org">misc@openbsd.org</a></td>
</tr>
</tbody>
</table>
<br>
<br>
<pre>On 31/12/14 04:37, Joel Sing wrote:
> On Wednesday 31 December 2014, Kapetanakis Giannis wrote:
>> Hi,
>>
>> After upgrading to latest snapshot I have problems with freeradius 2.2.5
>> package not starting.
>>
>> Especially the problem occurs in loading of module eap-tls
>>
>> rlm_eap_tls: Couldn't set ephemeral RSA key
>> rlm_eap: Failed to initialize type tls
>> /etc/raddb/eap.conf[17]: Instantiation failed for module "eap"
>>
>> I've tried installing version 2.2.6 but I have the same problem.
>>
>> The program fails at:
>> src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c
>>
>> /*
>> * Generate ephemeral RSA keys.
>> */
>> static int generate_eph_rsa_key(SSL_CTX *ctx)
>> {
>> RSA *rsa;
>>
>> rsa = RSA_generate_key(512, RSA_F4, NULL, NULL);
>>
>> if (!SSL_CTX_set_tmp_rsa(ctx, rsa)) {
>> radlog(L_ERR, "rlm_eap_tls: Couldn't set ephemeral RSA key");
>> return -1;
>> }
>>
>> RSA_free(rsa);
>> return 0;
>> }
>>
>> is this related to freeradius or something with OpenBSD ssl libraries?
> Support for ephemeral RSA keys was removed from LibreSSL, since it should only
> be needed for export ciphers (no longer supported) or otherwise violating
> RFCs (as at first glance FreeRADIUS appears to do above).
>
> Since you're already looking at the code, does it set SSL_OP_EPHEMERAL_RSA
> anywhere? If not, the above function is probably a noop. At the very least it
> is likely buggy since they are supposed to call SSL_CTX_need_tmp_RSA() to see
> if the temporary RSA key should be set, before calling SSL_CTX_set_tmp_rsa().
>
Well I've already made it working last night by adding a check
for SSL_CTX_need_tmp_RSA before calling SSL_CTX_set_tmp_rsa
So if I get it right, since I'm using HIGH ciphersuite I will never need
an ephemeral RSA key correct?
Is there a case were that SSL_CTX_need_tmp_RSA() will be true?
SSL_OP_EPHEMERAL_RSA is not defined anywhere.
G
</pre>
<br>
</div>
<br>
</body>
</html>