Hi, I had a specific problem running freeradius 2.2.5/2.2.6 in OpenBSD. rlm_eap_tls: Couldn't set ephemeral RSA key rlm_eap: Failed to initialize type tls /etc/raddb/eap.conf[17]: Instantiation failed for module "eap" After playing around with the source I've managed to make it work by doing: --- ./src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c Tue Nov 18 21:56:52 2014 +++ /root/rlm_eap_tls.c Wed Dec 31 10:55:43 2014 @@ -203,10 +203,16 @@ RSA *rsa; rsa = RSA_generate_key(512, RSA_F4, NULL, NULL); - - if (!SSL_CTX_set_tmp_rsa(ctx, rsa)) { - radlog(L_ERR, "rlm_eap_tls: Couldn't set ephemeral RSA key"); + if (rsa == NULL) { + radlog(L_ERR, "rlm_eap_tls: Couldn't generate RSA key"); return -1; + } + + if (SSL_CTX_need_tmp_RSA(ctx)) { + if (!SSL_CTX_set_tmp_rsa(ctx, rsa)) { + radlog(L_ERR, "rlm_eap_tls: Couldn't set ephemeral RSA key"); + return -1; + } } RSA_free(rsa); Maybe a check for SSL_CTX_need_tmp_RSA should be added before calling SSL_CTX_set_tmp_rsa? You can also read the relevant thread in OpenBSD mailing list here http://marc.info/?l=openbsd-misc&m=141996016020120&w=2 thanks for any comments on this, Giannis -------- Forwarded Message -------- Subject: Re: freeradius problem - ephemeral RSA key generation Date: Wed, 31 Dec 2014 10:39:17 +0200 To: misc@openbsd.org On 31/12/14 04:37, Joel Sing wrote:
On Wednesday 31 December 2014, Kapetanakis Giannis wrote:
Hi,
After upgrading to latest snapshot I have problems with freeradius 2.2.5 package not starting.
Especially the problem occurs in loading of module eap-tls
rlm_eap_tls: Couldn't set ephemeral RSA key rlm_eap: Failed to initialize type tls /etc/raddb/eap.conf[17]: Instantiation failed for module "eap"
I've tried installing version 2.2.6 but I have the same problem.
The program fails at: src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c
/* * Generate ephemeral RSA keys. */ static int generate_eph_rsa_key(SSL_CTX *ctx) { RSA *rsa;
rsa = RSA_generate_key(512, RSA_F4, NULL, NULL);
if (!SSL_CTX_set_tmp_rsa(ctx, rsa)) { radlog(L_ERR, "rlm_eap_tls: Couldn't set ephemeral RSA key"); return -1; }
RSA_free(rsa); return 0; }
is this related to freeradius or something with OpenBSD ssl libraries? Support for ephemeral RSA keys was removed from LibreSSL, since it should only be needed for export ciphers (no longer supported) or otherwise violating RFCs (as at first glance FreeRADIUS appears to do above).
Since you're already looking at the code, does it set SSL_OP_EPHEMERAL_RSA anywhere? If not, the above function is probably a noop. At the very least it is likely buggy since they are supposed to call SSL_CTX_need_tmp_RSA() to see if the temporary RSA key should be set, before calling SSL_CTX_set_tmp_rsa().
Well I've already made it working last night by adding a check for SSL_CTX_need_tmp_RSA before calling SSL_CTX_set_tmp_rsa So if I get it right, since I'm using HIGH ciphersuite I will never need an ephemeral RSA key correct? Is there a case were that SSL_CTX_need_tmp_RSA() will be true? SSL_OP_EPHEMERAL_RSA is not defined anywhere. G