10 Aug
2023
10 Aug
'23
4:31 a.m.
Can anyone po it me to where from is the openssl command and files passed from freeradius to openssl when it does it's verification, maybe the it's using wrong syntax or the files are not passed correctly so the openssl doesn't acknowledge their existence. Maciej wt., 8 sie 2023, 13:42 użytkownik Maciej Kowalka <maciejkowalkati@gmail.com> napisał: > It returned libssl.so.3 so I assume it still uses the original openssl. > That's unfortunate. Any other ideas what to check/change? > > Maciej > > wt., 8 sie 2023, 13:22 użytkownik Coy Hile <coy.hile@coyhile.com> napisał: > >> Try ldd on the binary? To use a nonstandard path for those libraries may >> require option passed to configure >> >> -c >> >> Sent from my iPhone >> >> > On Aug 8, 2023, at 07:09, Maciej Kowalka <maciejkowalkati@gmail.com> >> wrote: >> > >> > You might be right, the openssl I installed might not be used by >> > freeradius, I'm not a Linux expert neither a freeradius expert, I'm just >> > trying diffent stuff to make it work, currently without success. So if >> > that's the case wold the openssl be broken in 3 versions 3.0.9 3.0.7 and >> > 3.0.2? That are downloaded with freeradius? Or how do I check the >> version >> > of openssl used by freeradius? >> > >> > >> > wt., 8 sie 2023, 12:46 użytkownik marki <jm+freeradiususer@roth.lu> >> napisał: >> > >> >> I admit I didn't read the entire history of this thread but running >> >> openssl via the command line vs using an application (here: freeradius) >> >> (dynamically) linked against the openssl *libraries* is something very >> >> different. >> >> >> >>> On August 8, 2023 12:39:00 PM GMT+02:00, Maciej Kowalka < >> >>> maciejkowalkati@gmail.com> wrote: >> >>> wt., 8 sie 2023, 12:26 użytkownik Gerald Vogt <vogt@spamcop.net> >> napisał: >> >>> >> >>>> On 08.08.23 11:27, Maciej Kowalka wrote: >> >>>>> wt., 8 sie 2023, 08:46 użytkownik Maciej Kowalka < >> >>>> maciejkowalkati@gmail.com> >> >>>>> napisał: >> >>>>> >> >>>>>> wt., 8 sie 2023, 07:36 użytkownik Gerald Vogt <vogt@spamcop.net> >> >>>> napisał: >> >>>>>> >> >>>>>>> On 08.08.23 07:32, Maciej Kowalka wrote: >> >>>>>>>> pt., 4 sie 2023, 12:46 użytkownik Maciej Kowalka < >> >>>>>>> maciejkowalkati@gmail.com> >> >>>>>>>> napisał: >> >>>>>>>> >> >>>>>>>>> >> >>>>>>>>> czw., 3 sie 2023, 20:29 użytkownik Alan DeKok < >> >>>>>>> aland@deployingradius.com> >> >>>>>>>>> napisał: >> >>>>>>>>> >> >>>>>>>>>> On Aug 3, 2023, at 1:16 PM, Maciej Kowalka < >> >>>> maciejkowalkati@gmail.com >> >>>>>>>> >> >>>>>>>>>> wrote: >> >>>>>>>>>>> Ok, to check if my certificates are not ok I've tried the >> >>>>>>> certificates >> >>>>>>>>>> that >> >>>>>>>>>>> are created during installation of freeradius and I get the >> same >> >>>>>>> warning >> >>>>>>>>>>> about the untrusted certs. >> >>>>>>>>>> >> >>>>>>>>>> Then something else is going wrong. The default >> >> configuration >> >>>> and >> >>>>>>>>>> certificates do not use any intermediate certs. And the server >> >> is >> >>>>>>>>>> configured to trust the certs. >> >>>>>>>>>> >> >>>>>>>>>>> Are they supposed to work correctly, without any problems? >> >>>>>>>>>>> Or it might be a openssl bug? When I use openssl command to >> >> check >> >>>>>>>>>>> certificates I get no errors, all are verified "ok". >> >>>>>>>>>> >> >>>>>>>>>> Something is broken in your local system. I don't know >> what. >> >>>>>>>>>> >> >>>>>>>>>> For now, just ignore the errors. >> >>>>>>>>>> >> >>>>>>>>>> Alan DeKok. >> >>>>>>>>>> >> >>>>>>>>> >> >>>>>>>>> I've installed Ubuntu 22 on another vm with freeradius 3.2.3 >> and I >> >>>> get >> >>>>>>> the >> >>>>>>>>> same warning as on current machine. >> >>>>>>>>> >> >>>>>>>>> I also installed freeradous 3.0 on a centos 7 but on it I don't >> >> get >> >>>> eny >> >>>>>>>>> warning, even with mine intermediate CA certs. >> >>>>>>>>> So I think it might be something with the OS or the radius >> itself. >> >>>> I'll >> >>>>>>>>> try running freeradius 3.0 on Ubuntu to check if has the same >> >> result. >> >>>>>>>>> >> >>>>>>>> >> >>>>>>>> To summarize, I've tested 4 different Linux systems and >> freeradius >> >>>>>>>> configurations for eap-tls: >> >>>>>>>> >> >>>>>>>> - Debian 12 and freeradius 3.2.3 default configuration and >> default >> >>>> certs >> >>>>>>>> gives warnings, >> >>>>>>>> >> >>>>>>>> - Ubuntu 22.04 with freeradius 3.0.26 and freeradius 3.2.3 both >> >> with >> >>>>>>> stock >> >>>>>>>> configuration and certs also gives warnings, >> >>>>>>>> >> >>>>>>>> - Centos 7 with freeradius 3.2.3 and 3.0.26 both with either >> >> default >> >>>>>>> certs >> >>>>>>>> or my certs works without warnings, >> >>>>>>>> >> >>>>>>>> - Rocky linux 9.2 with freeradius 3.2.3 gives the warnings. >> >>>>>>>> >> >>>>>>>> Only on centos 7 I don't get the certificate chain untrusted >> >> warning. >> >>>>>>>> All the systems are freshly installed with just changed default >> >>>>>>>> authentication to eap and added switch to clients. >> >>>>>>>> >> >>>>>>>> Is the package for Centos in any special way different than the >> >> rest? >> >>>>>>> >> >>>>>>> Each operating system uses a different version of openssl... >> >>>>>>> >> >>>>>>> Gerald >> >>>>>>> >> >>>>>> >> >>>>>> They do use different openssl version, >> >>>>>> Debian - 3.0.9 >> >>>>>> Ubuntu - 3.0.2 >> >>>>>> Rocky - 3.0.7 >> >>>>>> Centos - 1.0.2k later upgraded to 3.0.0 >> >>>>>> >> >>>>>> Can you share what version of openssl should be used? If that makes >> >>>>>> difference? >> >>>>>> >> >>>>> >> >>>>> Ok, so I've installed openssl 1.0.2k on Ubuntu and I get still the >> >> same >> >>>>> warnings. >> >>>>> Now the only difference is the os itself >> >>>> >> >>>> You are aware, that installing some version and using it are two >> >>>> different things? Did you verify that freeradius is actually using >> that >> >>>> version? >> >>>> >> >>>> -Gerald >> >>>> >> >>> >> >>> I've renamed the usr/bin/openssl to openssl.old and added the 1.0.2 >> one to >> >>> the $PATH, run openssl version command and it returned the 1.0.2k >> version, >> >>> I don't know what else could I do. >> >>> >> >>> Maciej >> >>> >> >>>> >> >>> - >> >>> List info/subscribe/unsubscribe? See >> >> http://www.freeradius.org/list/users.html >> >> - >> >> List info/subscribe/unsubscribe? See >> >> http://www.freeradius.org/list/users.html >> >> >> > - >> > List info/subscribe/unsubscribe? See >> http://www.freeradius.org/list/users.html >> - >> List info/subscribe/unsubscribe? See >> http://www.freeradius.org/list/users.html >> >