8 Aug
2023
8 Aug
'23
7:22 a.m.
Try ldd on the binary? To use a nonstandard path for those libraries may require option passed to configure -c Sent from my iPhone > On Aug 8, 2023, at 07:09, Maciej Kowalka <maciejkowalkati@gmail.com> wrote: > > You might be right, the openssl I installed might not be used by > freeradius, I'm not a Linux expert neither a freeradius expert, I'm just > trying diffent stuff to make it work, currently without success. So if > that's the case wold the openssl be broken in 3 versions 3.0.9 3.0.7 and > 3.0.2? That are downloaded with freeradius? Or how do I check the version > of openssl used by freeradius? > > > wt., 8 sie 2023, 12:46 użytkownik marki <jm+freeradiususer@roth.lu> napisał: > >> I admit I didn't read the entire history of this thread but running >> openssl via the command line vs using an application (here: freeradius) >> (dynamically) linked against the openssl *libraries* is something very >> different. >> >>> On August 8, 2023 12:39:00 PM GMT+02:00, Maciej Kowalka < >>> maciejkowalkati@gmail.com> wrote: >>> wt., 8 sie 2023, 12:26 użytkownik Gerald Vogt <vogt@spamcop.net> napisał: >>> >>>> On 08.08.23 11:27, Maciej Kowalka wrote: >>>>> wt., 8 sie 2023, 08:46 użytkownik Maciej Kowalka < >>>> maciejkowalkati@gmail.com> >>>>> napisał: >>>>> >>>>>> wt., 8 sie 2023, 07:36 użytkownik Gerald Vogt <vogt@spamcop.net> >>>> napisał: >>>>>> >>>>>>> On 08.08.23 07:32, Maciej Kowalka wrote: >>>>>>>> pt., 4 sie 2023, 12:46 użytkownik Maciej Kowalka < >>>>>>> maciejkowalkati@gmail.com> >>>>>>>> napisał: >>>>>>>> >>>>>>>>> >>>>>>>>> czw., 3 sie 2023, 20:29 użytkownik Alan DeKok < >>>>>>> aland@deployingradius.com> >>>>>>>>> napisał: >>>>>>>>> >>>>>>>>>> On Aug 3, 2023, at 1:16 PM, Maciej Kowalka < >>>> maciejkowalkati@gmail.com >>>>>>>> >>>>>>>>>> wrote: >>>>>>>>>>> Ok, to check if my certificates are not ok I've tried the >>>>>>> certificates >>>>>>>>>> that >>>>>>>>>>> are created during installation of freeradius and I get the same >>>>>>> warning >>>>>>>>>>> about the untrusted certs. >>>>>>>>>> >>>>>>>>>> Then something else is going wrong. The default >> configuration >>>> and >>>>>>>>>> certificates do not use any intermediate certs. And the server >> is >>>>>>>>>> configured to trust the certs. >>>>>>>>>> >>>>>>>>>>> Are they supposed to work correctly, without any problems? >>>>>>>>>>> Or it might be a openssl bug? When I use openssl command to >> check >>>>>>>>>>> certificates I get no errors, all are verified "ok". >>>>>>>>>> >>>>>>>>>> Something is broken in your local system. I don't know what. >>>>>>>>>> >>>>>>>>>> For now, just ignore the errors. >>>>>>>>>> >>>>>>>>>> Alan DeKok. >>>>>>>>>> >>>>>>>>> >>>>>>>>> I've installed Ubuntu 22 on another vm with freeradius 3.2.3 and I >>>> get >>>>>>> the >>>>>>>>> same warning as on current machine. >>>>>>>>> >>>>>>>>> I also installed freeradous 3.0 on a centos 7 but on it I don't >> get >>>> eny >>>>>>>>> warning, even with mine intermediate CA certs. >>>>>>>>> So I think it might be something with the OS or the radius itself. >>>> I'll >>>>>>>>> try running freeradius 3.0 on Ubuntu to check if has the same >> result. >>>>>>>>> >>>>>>>> >>>>>>>> To summarize, I've tested 4 different Linux systems and freeradius >>>>>>>> configurations for eap-tls: >>>>>>>> >>>>>>>> - Debian 12 and freeradius 3.2.3 default configuration and default >>>> certs >>>>>>>> gives warnings, >>>>>>>> >>>>>>>> - Ubuntu 22.04 with freeradius 3.0.26 and freeradius 3.2.3 both >> with >>>>>>> stock >>>>>>>> configuration and certs also gives warnings, >>>>>>>> >>>>>>>> - Centos 7 with freeradius 3.2.3 and 3.0.26 both with either >> default >>>>>>> certs >>>>>>>> or my certs works without warnings, >>>>>>>> >>>>>>>> - Rocky linux 9.2 with freeradius 3.2.3 gives the warnings. >>>>>>>> >>>>>>>> Only on centos 7 I don't get the certificate chain untrusted >> warning. >>>>>>>> All the systems are freshly installed with just changed default >>>>>>>> authentication to eap and added switch to clients. >>>>>>>> >>>>>>>> Is the package for Centos in any special way different than the >> rest? >>>>>>> >>>>>>> Each operating system uses a different version of openssl... >>>>>>> >>>>>>> Gerald >>>>>>> >>>>>> >>>>>> They do use different openssl version, >>>>>> Debian - 3.0.9 >>>>>> Ubuntu - 3.0.2 >>>>>> Rocky - 3.0.7 >>>>>> Centos - 1.0.2k later upgraded to 3.0.0 >>>>>> >>>>>> Can you share what version of openssl should be used? If that makes >>>>>> difference? >>>>>> >>>>> >>>>> Ok, so I've installed openssl 1.0.2k on Ubuntu and I get still the >> same >>>>> warnings. >>>>> Now the only difference is the os itself >>>> >>>> You are aware, that installing some version and using it are two >>>> different things? Did you verify that freeradius is actually using that >>>> version? >>>> >>>> -Gerald >>>> >>> >>> I've renamed the usr/bin/openssl to openssl.old and added the 1.0.2 one to >>> the $PATH, run openssl version command and it returned the 1.0.2k version, >>> I don't know what else could I do. >>> >>> Maciej >>> >>>> >>> - >>> List info/subscribe/unsubscribe? See >> http://www.freeradius.org/list/users.html >> - >> List info/subscribe/unsubscribe? See >> http://www.freeradius.org/list/users.html >> > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html