Hi, I met below error when run "/usr/sbin/radiusd -C -X", Could someone experts at this help to give me some hint what configuration maybe wrong? Thanks # Linked to sub-module rlm_eap_tls tls { tls = "tls-common" } tls-config tls-common { verify_depth = 0 ca_path = "/etc/raddb/certs" pem_file_type = yes private_key_file = "/etc/raddb/certs/server.pem" certificate_file = "/etc/raddb/certs/server.pem" ca_file = "/etc/raddb/certs/ca.pem" private_key_password = <<< secret >>> dh_file = "/etc/raddb/certs/dh" fragment_size = 1024 include_length = yes auto_chain = yes check_crl = no check_all_crl = no cipher_list = "DEFAULT" cipher_server_preference = no tls_max_version = "" tls_min_version = "1.0" cache { enable = no lifetime = 24 max_entries = 255 } verify { skip_if_ocsp_ok = no } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } tls: Failed reading private key file "/etc/raddb/certs/server.pem" tls: error:0607606B:digital envelope routines:PKCS5_v2_PBE_keyivgen:unsupported cipher tls: error:06074078:digital envelope routines:EVP_PBE_CipherInit:keygen failure tls: error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error tls: error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error tls: error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib tls: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib rlm_eap_tls: Failed initializing SSL context rlm_eap (EAP): Failed to initialise rlm_eap_tls /etc/raddb/mods-enabled/eap[14]: Instantiation failed for module "eap"
On Dec 25, 2019, at 4:38 AM, Changqing Li <changqing.li@windriver.com> wrote:
I met below error when run "/usr/sbin/radiusd -C -X", Could someone experts at this help to
give me some hint what configuration maybe wrong? Thanks
The message isn't perfect, but it's clear:
tls: Failed reading private key file "/etc/raddb/certs/server.pem" tls: error:0607606B:digital envelope routines:PKCS5_v2_PBE_keyivgen:unsupported cipher
The private key in the "server.pem" file is encrypted with an unsupported cipher. OpenSSL supports many ciphers, but not every possible one. Where did you get this key from? What tools created it? It's clearly not created by the tools that come with FreeRADIUS. Use the built-in tools. They work. Alan DeKok.
Hi , It's not like that other tools are used openssl is the most enriched and hardly miss any available cipher suite. The issue with your configuration is clear from the confirmation itself private_key_file = "/etc/raddb/certs/server.pem" certificate_file = "/etc/raddb/certs/server.pem" You have used server.pem as certificate as well as private key . It seems to be certificate file so doesn't contain private key this is the reason of non readability of private key On Wed, Dec 25, 2019, 8:18 PM Alan DeKok <aland@deployingradius.com> wrote:
On Dec 25, 2019, at 4:38 AM, Changqing Li <changqing.li@windriver.com> wrote:
I met below error when run "/usr/sbin/radiusd -C -X", Could someone experts at this help to
give me some hint what configuration maybe wrong? Thanks
The message isn't perfect, but it's clear:
tls: Failed reading private key file "/etc/raddb/certs/server.pem" tls: error:0607606B:digital envelope routines:PKCS5_v2_PBE_keyivgen:unsupported cipher
The private key in the "server.pem" file is encrypted with an unsupported cipher.
OpenSSL supports many ciphers, but not every possible one.
Where did you get this key from? What tools created it? It's clearly not created by the tools that come with FreeRADIUS.
Use the built-in tools. They work.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi, Thanks to Alan and arjun's kind help. Now I found the reason, I am doing cross-compile, my openssl on target disable des, so missing pkcs12. while the server.pem is generated on host with pkcs12. On 12/26/19 1:03 AM, arjun sharma wrote: > Hi , > > It's not like that other tools are used openssl is the most enriched and > hardly miss any available cipher suite. > > The issue with your configuration is clear from the confirmation itself > private_key_file = "/etc/raddb/certs/server.pem" > certificate_file = "/etc/raddb/certs/server.pem" > > You have used server.pem as certificate as well as private key . It seems > to be certificate file so doesn't contain private key this is the reason of > non readability of private key > > On Wed, Dec 25, 2019, 8:18 PM Alan DeKok <aland@deployingradius.com> wrote: > >> On Dec 25, 2019, at 4:38 AM, Changqing Li <changqing.li@windriver.com> >> wrote: >>> I met below error when run "/usr/sbin/radiusd -C -X", Could someone >> experts at this help to >>> give me some hint what configuration maybe wrong? Thanks >> The message isn't perfect, but it's clear: >> >>> tls: Failed reading private key file "/etc/raddb/certs/server.pem" >>> tls: error:0607606B:digital envelope >> routines:PKCS5_v2_PBE_keyivgen:unsupported cipher >> >> The private key in the "server.pem" file is encrypted with an >> unsupported cipher. >> >> OpenSSL supports many ciphers, but not every possible one. >> >> Where did you get this key from? What tools created it? It's clearly >> not created by the tools that come with FreeRADIUS. >> >> Use the built-in tools. They work. >> >> Alan DeKok. >> >> >> - >> List info/subscribe/unsubscribe? See >> http://www.freeradius.org/list/users.html > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan DeKok -
arjun sharma -
Changqing Li