8 Aug
2023
8 Aug
'23
7:42 a.m.
It returned libssl.so.3 so I assume it still uses the original openssl. That's unfortunate. Any other ideas what to check/change? Maciej wt., 8 sie 2023, 13:22 użytkownik Coy Hile <coy.hile@coyhile.com> napisał: > Try ldd on the binary? To use a nonstandard path for those libraries may > require option passed to configure > > -c > > Sent from my iPhone > > > On Aug 8, 2023, at 07:09, Maciej Kowalka <maciejkowalkati@gmail.com> > wrote: > > > > You might be right, the openssl I installed might not be used by > > freeradius, I'm not a Linux expert neither a freeradius expert, I'm just > > trying diffent stuff to make it work, currently without success. So if > > that's the case wold the openssl be broken in 3 versions 3.0.9 3.0.7 and > > 3.0.2? That are downloaded with freeradius? Or how do I check the version > > of openssl used by freeradius? > > > > > > wt., 8 sie 2023, 12:46 użytkownik marki <jm+freeradiususer@roth.lu> > napisał: > > > >> I admit I didn't read the entire history of this thread but running > >> openssl via the command line vs using an application (here: freeradius) > >> (dynamically) linked against the openssl *libraries* is something very > >> different. > >> > >>> On August 8, 2023 12:39:00 PM GMT+02:00, Maciej Kowalka < > >>> maciejkowalkati@gmail.com> wrote: > >>> wt., 8 sie 2023, 12:26 użytkownik Gerald Vogt <vogt@spamcop.net> > napisał: > >>> > >>>> On 08.08.23 11:27, Maciej Kowalka wrote: > >>>>> wt., 8 sie 2023, 08:46 użytkownik Maciej Kowalka < > >>>> maciejkowalkati@gmail.com> > >>>>> napisał: > >>>>> > >>>>>> wt., 8 sie 2023, 07:36 użytkownik Gerald Vogt <vogt@spamcop.net> > >>>> napisał: > >>>>>> > >>>>>>> On 08.08.23 07:32, Maciej Kowalka wrote: > >>>>>>>> pt., 4 sie 2023, 12:46 użytkownik Maciej Kowalka < > >>>>>>> maciejkowalkati@gmail.com> > >>>>>>>> napisał: > >>>>>>>> > >>>>>>>>> > >>>>>>>>> czw., 3 sie 2023, 20:29 użytkownik Alan DeKok < > >>>>>>> aland@deployingradius.com> > >>>>>>>>> napisał: > >>>>>>>>> > >>>>>>>>>> On Aug 3, 2023, at 1:16 PM, Maciej Kowalka < > >>>> maciejkowalkati@gmail.com > >>>>>>>> > >>>>>>>>>> wrote: > >>>>>>>>>>> Ok, to check if my certificates are not ok I've tried the > >>>>>>> certificates > >>>>>>>>>> that > >>>>>>>>>>> are created during installation of freeradius and I get the > same > >>>>>>> warning > >>>>>>>>>>> about the untrusted certs. > >>>>>>>>>> > >>>>>>>>>> Then something else is going wrong. The default > >> configuration > >>>> and > >>>>>>>>>> certificates do not use any intermediate certs. And the server > >> is > >>>>>>>>>> configured to trust the certs. > >>>>>>>>>> > >>>>>>>>>>> Are they supposed to work correctly, without any problems? > >>>>>>>>>>> Or it might be a openssl bug? When I use openssl command to > >> check > >>>>>>>>>>> certificates I get no errors, all are verified "ok". > >>>>>>>>>> > >>>>>>>>>> Something is broken in your local system. I don't know what. > >>>>>>>>>> > >>>>>>>>>> For now, just ignore the errors. > >>>>>>>>>> > >>>>>>>>>> Alan DeKok. > >>>>>>>>>> > >>>>>>>>> > >>>>>>>>> I've installed Ubuntu 22 on another vm with freeradius 3.2.3 and > I > >>>> get > >>>>>>> the > >>>>>>>>> same warning as on current machine. > >>>>>>>>> > >>>>>>>>> I also installed freeradous 3.0 on a centos 7 but on it I don't > >> get > >>>> eny > >>>>>>>>> warning, even with mine intermediate CA certs. > >>>>>>>>> So I think it might be something with the OS or the radius > itself. > >>>> I'll > >>>>>>>>> try running freeradius 3.0 on Ubuntu to check if has the same > >> result. > >>>>>>>>> > >>>>>>>> > >>>>>>>> To summarize, I've tested 4 different Linux systems and freeradius > >>>>>>>> configurations for eap-tls: > >>>>>>>> > >>>>>>>> - Debian 12 and freeradius 3.2.3 default configuration and default > >>>> certs > >>>>>>>> gives warnings, > >>>>>>>> > >>>>>>>> - Ubuntu 22.04 with freeradius 3.0.26 and freeradius 3.2.3 both > >> with > >>>>>>> stock > >>>>>>>> configuration and certs also gives warnings, > >>>>>>>> > >>>>>>>> - Centos 7 with freeradius 3.2.3 and 3.0.26 both with either > >> default > >>>>>>> certs > >>>>>>>> or my certs works without warnings, > >>>>>>>> > >>>>>>>> - Rocky linux 9.2 with freeradius 3.2.3 gives the warnings. > >>>>>>>> > >>>>>>>> Only on centos 7 I don't get the certificate chain untrusted > >> warning. > >>>>>>>> All the systems are freshly installed with just changed default > >>>>>>>> authentication to eap and added switch to clients. > >>>>>>>> > >>>>>>>> Is the package for Centos in any special way different than the > >> rest? > >>>>>>> > >>>>>>> Each operating system uses a different version of openssl... > >>>>>>> > >>>>>>> Gerald > >>>>>>> > >>>>>> > >>>>>> They do use different openssl version, > >>>>>> Debian - 3.0.9 > >>>>>> Ubuntu - 3.0.2 > >>>>>> Rocky - 3.0.7 > >>>>>> Centos - 1.0.2k later upgraded to 3.0.0 > >>>>>> > >>>>>> Can you share what version of openssl should be used? If that makes > >>>>>> difference? > >>>>>> > >>>>> > >>>>> Ok, so I've installed openssl 1.0.2k on Ubuntu and I get still the > >> same > >>>>> warnings. > >>>>> Now the only difference is the os itself > >>>> > >>>> You are aware, that installing some version and using it are two > >>>> different things? Did you verify that freeradius is actually using > that > >>>> version? > >>>> > >>>> -Gerald > >>>> > >>> > >>> I've renamed the usr/bin/openssl to openssl.old and added the 1.0.2 > one to > >>> the $PATH, run openssl version command and it returned the 1.0.2k > version, > >>> I don't know what else could I do. > >>> > >>> Maciej > >>> > >>>> > >>> - > >>> List info/subscribe/unsubscribe? See > >> http://www.freeradius.org/list/users.html > >> - > >> List info/subscribe/unsubscribe? See > >> http://www.freeradius.org/list/users.html > >> > > - > > List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html > - > List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html >