Hi, I have freeradius server ( ver. 2.1.10 ) compiled with openssl-0.9.8l. Now by method given in raddb/certs I created the certificates on a machine having OpenSSL 1.0.0e. After loading ca.pem,server.pem & private.pem ( which is copy of server.pem ) certificates under raddb/certs and then starting the radius server I got this error just after eap module. Is this due to different openssl versions? Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/raddb/eap.conf eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/etc/raddb/certs" pem_file_type = yes private_key_file = "/etc/raddb/certs/private.pem" certificate_file = "/etc/raddb/certs/server.pem" CA_file = "/etc/raddb/certs/ca.pem" private_key_password = "whatever" dh_file = "/etc/raddb/certs/dh" random_file = "/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/raddb/certs/bootstrap" cache { enable = no lifetime = 24 max_entries = 255 } verify { } } rlm_eap: SSL error error:06074079:digital envelope routines:EVP_PBE_CipherInit:unknown pbe algorithm rlm_eap_tls: Error reading private key file /etc/raddb/certs/private.pem rlm_eap: Failed to initialize type tls /etc/raddb/eap.conf[17]: Instantiation failed for module "eap" /etc/raddb/sites-enabled/inner-tunnel[236]: Failed to load module "eap". /etc/raddb/sites-enabled/inner-tunnel[189]: Errors parsing authenticate section. Thanks & Regards, Prateek
On Mon, Oct 22, 2012 at 9:32 PM, Prateek Kumar <er.prateek87@gmail.com> wrote:
Hi, I have freeradius server ( ver. 2.1.10 ) compiled with openssl-0.9.8l. Now by method given in raddb/certs I created the certificates on a machine having OpenSSL 1.0.0e.
After loading ca.pem,server.pem & private.pem ( which is copy of server.pem ) certificates under raddb/certs and then starting the radius server I got this error just after eap module. Is this due to different openssl versions?
Most likely so. -- Fajar
Hi,
I have freeradius server ( ver. 2.1.10 ) compiled with openssl-0.9.8l. Now by method given in raddb/certs I created the certificates on a machine having OpenSSL 1.0.0e.
new OpenSSL and old OpenSSL may have issues with things like this - depending on the settings of that new openSSL (ie if it has new features enabled or the older version hd things disabled
rlm_eap: SSL error error:06074079:digital envelope routines:EVP_PBE_CipherInit:unknown pbe algorithm
google for that error - likely to be that the PBE on 1.0.0 is some method that your old 0.9.8 doesnt work with alan
So I have to compile freeradius with new openssl version else use old openssl for creating certificates. Also will I have to change random & dh file every time I change the server.pem & ca.pem. Thanks for your inputs. Regards, Prateek
On 10/22/2012 10:32 AM, Prateek Kumar wrote:
rlm_eap: SSL error error:06074079:digital envelope routines:EVP_PBE_CipherInit:unknown pbe algorithm rlm_eap_tls: Error reading private key file /etc/raddb/certs/private.pem
Just in case it helps to understand what the error message is attempting to say. The private key is held in a pkcs12 file. The private key is protected by Password Based Encryption (hence pbe). That means given a password a specific algorithm is used to encrypt the private key for protection purposes. OpenSSL is complaining the PBE algorithm is not supported. I'm guessing a new OpenSSL version has deprecated the use of an insecure method that your older p12 file used. You need to generate a new p12 file. -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
participants (4)
-
alan buxey -
Fajar A. Nugraha -
John Dennis -
Prateek Kumar