TLS failures in freeradius 3.0.12
We have been running 3.0.4 on CentOS, authenticating against openldap 2.3.43 on Centos 5. That seemed to work reliably, but we needed functionality only available in 3.0.11. I build 3.0.12 as an RPM on CentOS 6 using the 3.0.12 tarball from github and the 3.0.4 specfile as a template, so that the same directories and settings were used as for 3.0.4. We are using ldap on port 389 with start_tls The client certificate is loaded from a PEM file in /etc/raddb/certs/ The server certificate is loaded from the NSS database /etc/raddb/certs/cert8.db Initially after radiusd is started, authentication works properly. We see in debug output ... (1) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ... rlm_ldap (ldap): Opening additional connection (6), 1 of 30 pending slots used rlm_ldap (ldap): Connecting to ldap://ldap.example.com:389 TLS: certificate '/etc/raddb/certs/xxx' successfully loaded from moznss database. rlm_ldap (ldap): Bind successful ..(1) Sent Access-Accept Id 170 after running for a bit, with the same radius client request, we get TLS: could not shutdown NSS - error -8053:NSS could not shutdown. Objects are still in use.. rlm_ldap (ldap): 0 of 0 connections in use. You may need to increase "spare" rlm_ldap (ldap): Opening additional connection (7), 1 of 32 pending slots used rlm_ldap (ldap): Connecting to ldap://ldap.example.com:389 TLS: could not initialize moznss - error -8018:Unknown PKCS #11 error.. TLS: could not perform TLS system initialization. TLS: error: could not initialize moznss security context - error -8018:Unknown PKCS #11 error. TLS: can't create ssl handle. rlm_ldap (ldap): Could not start TLS: Connect error ... (2) Sent Access-Reject Id 217 On the openldap server in debug mode, I get an error TLS trace: SSL3 alert read:warning:close notify ldap_read: want=8, got=0 Any ideas ? The openldap logs are somewhat cryptic -- Andrew Daviel, TRIUMF, Canada
Use openssl instead of moz nss BR, Anirudh Malhotra 8zero2 Mail: 8zero2.in@gmail.com Facebook: www.facebook.com/8zero2 Twitter: @8zero2_in Blog: blog.8zero2.in On 14 Apr 2016, 08:51 +0530, Andrew Daviel<advax@triumf.ca>, wrote:
We have been running 3.0.4 on CentOS, authenticating against openldap 2.3.43 on Centos 5. That seemed to work reliably, but we needed functionality only available in 3.0.11.
I build 3.0.12 as an RPM on CentOS 6 using the 3.0.12 tarball from github and the 3.0.4 specfile as a template, so that the same directories and settings were used as for 3.0.4.
We are using ldap on port 389 with start_tls The client certificate is loaded from a PEM file in /etc/raddb/certs/ The server certificate is loaded from the NSS database /etc/raddb/certs/cert8.db
Initially after radiusd is started, authentication works properly. We see in debug output ... (1) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ... rlm_ldap (ldap): Opening additional connection (6), 1 of 30 pending slots used rlm_ldap (ldap): Connecting to ldap://ldap.example.com:389 TLS: certificate '/etc/raddb/certs/xxx' successfully loaded from moznss database. rlm_ldap (ldap): Bind successful ..(1) Sent Access-Accept Id 170
after running for a bit, with the same radius client request, we get
TLS: could not shutdown NSS - error -8053:NSS could not shutdown. Objects are still in use.. rlm_ldap (ldap): 0 of 0 connections in use. You may need to increase "spare" rlm_ldap (ldap): Opening additional connection (7), 1 of 32 pending slots used rlm_ldap (ldap): Connecting to ldap://ldap.example.com:389 TLS: could not initialize moznss - error -8018:Unknown PKCS #11 error.. TLS: could not perform TLS system initialization. TLS: error: could not initialize moznss security context - error -8018:Unknown PKCS #11 error. TLS: can't create ssl handle. rlm_ldap (ldap): Could not start TLS: Connect error ... (2) Sent Access-Reject Id 217
On the openldap server in debug mode, I get an error TLS trace: SSL3 alert read:warning:close notify ldap_read: want=8, got=0
Any ideas ? The openldap logs are somewhat cryptic
-- Andrew Daviel, TRIUMF, Canada - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Apr 13, 2016, at 11:21 PM, Andrew Daviel <advax@triumf.ca> wrote:
TLS: could not shutdown NSS - error -8053:NSS could not shutdown. Objects are still in use.. rlm_ldap (ldap): 0 of 0 connections in use. You may need to increase "spare" rlm_ldap (ldap): Opening additional connection (7), 1 of 32 pending slots used rlm_ldap (ldap): Connecting to ldap://ldap.example.com:389 TLS: could not initialize moznss - error -8018:Unknown PKCS #11 error..
Don't mix moznss and OpenSSL. FreeRADIUS builds with OpenSSL, so use that. Alan DeKok.
On Thu, 14 Apr 2016, Alan DeKok wrote:
Don't mix moznss and OpenSSL. FreeRADIUS builds with OpenSSL, so use that.
I have read this advice before, and I don't doubt it's good. We have a CentOS environment and a configuration that works with 3.0.4, although I concede it's probably not optimal. We need a CentOS-based solution; I would really rather not be forced to rebuild forever going forward. Do you happen to know if it is possible to have RedHat's build of freeradius talk to RedHat's build of openldap uwing RedHat's build of openssl, just by using the correct configuration ? -- Andrew Daviel, TRIUMF, Canada
On Apr 14, 2016, at 6:25 PM, Andrew Daviel <advax@triumf.ca> wrote:
We need a CentOS-based solution; I would really rather not be forced to rebuild forever going forward.
Ask RedHat to build a version of FreeRADIUS which is a bit more recent.
Do you happen to know if it is possible to have RedHat's build of freeradius talk to RedHat's build of openldap uwing RedHat's build of openssl, just by using the correct configuration ?
No. The link information is in the libraries. They're built using the moznss code, not OpenSSL. Alan DeKok.
Just remove openldap client and rebuild ./configure --with-ssl=openssl --disable-slapd(if you do not want the server) BR, Anirudh Malhotra 8zero2 Mail: 8zero2.in@gmail.com Facebook: www.facebook.com/8zero2 Twitter: @8zero2_in Blog: blog.8zero2.in On 15 Apr 2016, 03:56 +0530, Andrew Daviel<advax@triumf.ca>, wrote:
On Thu, 14 Apr 2016, Alan DeKok wrote:
Don't mix moznss and OpenSSL. FreeRADIUS builds with OpenSSL, so use that.
I have read this advice before, and I don't doubt it's good.
We have a CentOS environment and a configuration that works with 3.0.4, although I concede it's probably not optimal.
We need a CentOS-based solution; I would really rather not be forced to rebuild forever going forward.
Do you happen to know if it is possible to have RedHat's build of freeradius talk to RedHat's build of openldap uwing RedHat's build of openssl, just by using the correct configuration ?
-- Andrew Daviel, TRIUMF, Canada - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
We have a CentOS environment and a configuration that works with 3.0.4, although I concede it's probably not optimal.
We need a CentOS-based solution; I would really rather not be forced to rebuild forever going forward.
I would suggest you raise a bug with Redhat as well. Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc¹s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
participants (4)
-
Alan DeKok -
Andrew Daviel -
Anirudh Malhotra -
Stefan Paetow