Hi everybody, I was searching for some time now and I found a lot of messages from people who wanted to replace the OpenSSL dependencies in FreeRADIUS with GnuTLS. But so far it seems, that nobody really did that, is that right? Or has there been work on that and it failed for some reason? To be honest I have absolutely no idea how complicated that will be but at least I don't expect it to be easy. :) Regards Carolin
Carolin Latze wrote:
I was searching for some time now and I found a lot of messages from people who wanted to replace the OpenSSL dependencies in FreeRADIUS with GnuTLS. But so far it seems, that nobody really did that, is that right? Or has there been work on that and it failed for some reason? To be honest I have absolutely no idea how complicated that will be but at least I don't expect it to be easy. :)
It's hard. The GNUTLS stuff contains wrappers for OpenSSL. However, they also got a number of things in their API wrong. (From what I recall about the last time I checked). This made using GnuTLS difficult. Hostap has wrapper functions around OpenSSL, GnuTLS, and their own implementation of SSL. It may be worth investigating that API, too. Alan DeKok.
Previously Alan DeKok wrote:
Carolin Latze wrote:
I was searching for some time now and I found a lot of messages from people who wanted to replace the OpenSSL dependencies in FreeRADIUS with GnuTLS. But so far it seems, that nobody really did that, is that right? Or has there been work on that and it failed for some reason? To be honest I have absolutely no idea how complicated that will be but at least I don't expect it to be easy. :)
It's hard. The GNUTLS stuff contains wrappers for OpenSSL. However, they also got a number of things in their API wrong. (From what I recall about the last time I checked). This made using GnuTLS difficult.
I've also seen a lot of timeout-related problems with MTAs compiled to use GNUTLS. Given the choice I'ld recommend everyone to use OpenSSL Wichert. -- Wichert Akkerman <wichert@wiggy.net> It is simple to make things. http://www.wiggy.net/ It is hard to make things simple.
It's hard. The GNUTLS stuff contains wrappers for OpenSSL. However, they also got a number of things in their API wrong. (From what I recall about the last time I checked). This made using GnuTLS difficult.
I've also seen a lot of timeout-related problems with MTAs compiled to use GNUTLS. Given the choice I'ld recommend everyone to use OpenSSL
Unfortunately it seems that we don't have any choice. We need TLS 1.2 which seems not to be supported in OpenSSL. So, we will start with modifying the EAP-TLS module in order to use GnuTLS. I know it is a terrible solution to have both TLS libraries in FreeRADIUS, but at the moment, we don't have the resources to try to migrate FreeRADIUS completely. I hope that we won't see side effects when migrating one module - we'll see... Is there already any known problem with that approach? @Jouni: I will start grepping through wpa_supplicant and hope that I can reuse as much code as possible. Carolin
LATZE Carolin wrote:
Unfortunately it seems that we don't have any choice. We need TLS 1.2 which seems not to be supported in OpenSSL. So, we will start with modifying the EAP-TLS module in order to use GnuTLS. I know it is a terrible solution to have both TLS libraries in FreeRADIUS, but at the moment, we don't have the resources to try to migrate FreeRADIUS completely. I hope that we won't see side effects when migrating one module - we'll see... Is there already any known problem with that approach?
No. My suggestion is to use "git" for revision control. This will make it easy to merge any changes. Then, just butcher the source code until it works. :) Alan DeKok.
On Tue, Mar 24, 2009 at 10:40:47AM -0700, Alan DeKok wrote:
It's hard. The GNUTLS stuff contains wrappers for OpenSSL. However, they also got a number of things in their API wrong. (From what I recall about the last time I checked). This made using GnuTLS difficult.
If I remember correctly, the OpenSSL wrapper in GnuTLS is of not much help if you want to use TLS for something else than a TCP socket, so it is unlikely to help with FreeRADIUS.
Hostap has wrapper functions around OpenSSL, GnuTLS, and their own implementation of SSL. It may be worth investigating that API, too.
If nothing else, that wrapper shows how GnuTLS can be used with EAP. Anyway, I'm planning on cleaning up the TLS library API in hostapd/wpa_supplicant a bit, so if there is something that would help with FreeRADIUS, that could be considered at the same time. The TLS wrapper code should already have quite limited dependencies on other code from hostapd/wpa_supplicant, so from that view point, I would also expect it to work more or less as-is with FreeRADIUS as long as you are fine with selecting the TLS library at build time. -- Jouni Malinen PGP id EFC895FA
Hi Jouni
If nothing else, that wrapper shows how GnuTLS can be used with EAP. Anyway, I'm planning on cleaning up the TLS library API in hostapd/wpa_supplicant a bit, so if there is something that would help with FreeRADIUS, that could be considered at the same time. The TLS wrapper code should already have quite limited dependencies on other code from hostapd/wpa_supplicant, so from that view point, I would also expect it to work more or less as-is with FreeRADIUS as long as you are fine with selecting the TLS library at build time.
that would be fine for me. At the moment, I am comparing OpenSSL and GnuTLS methods, in order to replace one with the other(s). That will probably lead to the desired goal, but is rather complicated. I hope I finish that approach next week and can check it... but I don't expect it will run immediately as I am a bad programmer. That's why I also started to investigate wpa_supplicant again (that sounds like the easier way). There are a lot of tls related files and a lot of eap_server files (for most of the EAP methods). There is one file called eap_tls.c in eap_server. Is that the one to start with? It includes to tls related header files and from my understanding those provide generic interfaces for the tls implementations. Is that right? Regards Carolin
participants (5)
-
Alan DeKok -
Carolin Latze -
Jouni Malinen -
LATZE Carolin -
Wichert Akkerman