On Dec 16, 2020, at 7:37 PM, Kostya Berger via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Ok, checked the same with certificate created using the /etc/raddb/certs folder from the distribution downloaded from the Freeradius site. I WAS able to create the needed certs + keys + client.p12 bundle for Android phone -- so far so good :) But now the server returns the same error. So the problem was NOT in the certs/keys I supplied, but somewhere else.I wonder if that could be LibreSSL problem? OpenBSD is using that while FreeBSD uses OpenSSL and Freeradius works fine there.
Well, that is likely it then. :(
And why does it validate user certificate TWICE?
No idea. Our "Verifying client certificate" code is in a callback. i.e. we call LibreSSL / OpenSSL to do TLS magic, and it runs our callback whenever it chooses to run our callback. We have no control over that.
Here it is in the log:........................... (5) eap_tls: Verifying client certificate: /usr/bin/openssl verify -CAfile /etc/raddb/certs/ca.crt %{TLS-Client-Cert-Filename} (5) eap_tls: Executing: /usr/bin/openssl verify -CAfile /etc/raddb/certs/ca.crt %{TLS-Client-Cert-Filename}: (5) eap_tls: EXPAND %{TLS-Client-Cert-Filename} (5) eap_tls: --> /tmp/radiusd/radiusd.client.UCCKLTa6 (5) eap_tls: Program returned code (0) and output '/tmp/radiusd/radiusd.client.UCCKLTa6: OK'
That's good.
... (5) eap_tls: Verifying client certificate: /usr/bin/openssl verify -CAfile /etc/raddb/certs/ca.crt %{TLS-Client-Cert-Filename}
That is weird.
(5) eap_tls: Executing: /usr/bin/openssl verify -CAfile /etc/raddb/certs/ca.crt %{TLS-Client-Cert-Filename}: (5) eap_tls: EXPAND %{TLS-Client-Cert-Filename} (5) eap_tls: --> /tmp/radiusd/radiusd.client.UCCKLTa6 Error opening certificate file /tmp/radiusd/radiusd.client.UCCKLTa6 9739695490448:error:02FFF002:system library:func(4095):No such file or directory:/usr/src/lib/libcrypto/bio/bss_file.c:255:fopen('/tmp/radiusd/radiusd.client.UCCKLTa6', 'r') 9739695490448:error:20FFF002:BIO routines:CRYPTO_internal:system lib:/usr/src/lib/libcrypto/bio/bss_file.c:257: unable to load certificate (5) eap_tls: ERROR: Program returned code (2) and output ''
Hmm... the code which prints "Verifying client certificate" does: * write cert to file * print error if we can't! * print "verifying client certificate" * run the program So there shouldn't be any code path where it runs the program, *and* the file doesn't exist. Alan DeKok.