Freeradius TLS - SSL context error
Hi, When I try to enable tls in the sites-enabled, see below error on 'radiusd debug -X' Failed creating SSL context: error:140A90A1:lib(20):func(169):reason(161) [root@server raddb]# openssl errstr 0x140A90A1 error:140A90A1:SSL routines:SSL_CTX_new:library has no ciphers [root@server raddb]# Here is the tls configuration i have: tls { rsa_key_exchange = yes dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = KeyFile certificate_file = CertFile ca_file = CAFile fragment_size = 8192 include_length = yes check_crl = no cipher_list = "AES128-SHA:AES128-SHA256:AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256" ecdh_curve = "prime256v1" } Could anybody share any light on this ? Ciphers are set as can be seen above. I could not find whats missing, causing this SSL error. Thanks in advance. Regards, Murugesh P. Complete log: [root@server231 raddb]# radiusd debug -fxx -l stdout radiusd: FreeRADIUS Version 3.0.3, for host i686-redhat-linux-gnu, built on Jun 3 2014 at 12:38:34 Copyright (C) 1999-2014 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file named COPYRIGHT Starting - reading configuration files ... including dictionary file /usr/share/freeradius/dictionary including dictionary file /usr/share/freeradius/dictionary.dhcp including dictionary file /usr/share/freeradius/dictionary.vqp including dictionary file /etc/raddb/dictionary including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/proxy.conf including configuration file /etc/raddb/clients.conf including files in directory /etc/raddb/mods-enabled/ including configuration file /etc/raddb/mods-enabled/realm including configuration file /etc/raddb/mods-enabled/dhcp including configuration file /etc/raddb/mods-enabled/unpack including configuration file /etc/raddb/mods-enabled/digest including configuration file /etc/raddb/mods-enabled/sradutmp including configuration file /etc/raddb/mods-enabled/echo including configuration file /etc/raddb/mods-enabled/always including configuration file /etc/raddb/mods-enabled/unix including configuration file /etc/raddb/mods-enabled/expiration including configuration file /etc/raddb/mods-enabled/detail including configuration file /etc/raddb/mods-enabled/passwd including configuration file /etc/raddb/mods-enabled/files including configuration file /etc/raddb/mods-enabled/soh including configuration file /etc/raddb/mods-enabled/dynamic_clients including configuration file /etc/raddb/mods-enabled/preprocess including configuration file /etc/raddb/mods-enabled/sql including configuration file /etc/raddb/mods-config/sql/main/mysql/queries.conf including configuration file /etc/raddb/mods-enabled/chap including configuration file /etc/raddb/mods-enabled/utf8 including configuration file /etc/raddb/mods-enabled/replicate including configuration file /etc/raddb/mods-enabled/exec including configuration file /etc/raddb/mods-enabled/linelog including configuration file /etc/raddb/mods-enabled/logintime including configuration file /etc/raddb/mods-enabled/ntlm_auth including configuration file /etc/raddb/mods-enabled/attr_filter including configuration file /etc/raddb/mods-enabled/cache_eap including configuration file /etc/raddb/mods-enabled/expr including configuration file /etc/raddb/mods-enabled/eap including configuration file /etc/raddb/mods-enabled/radutmp including configuration file /etc/raddb/mods-enabled/pap including configuration file /etc/raddb/mods-enabled/detail.log including configuration file /etc/raddb/mods-enabled/mschap including files in directory /etc/raddb/policy.d/ including configuration file /etc/raddb/policy.d/dhcp including configuration file /etc/raddb/policy.d/filter including configuration file /etc/raddb/policy.d/accounting including configuration file /etc/raddb/policy.d/operator-name including configuration file /etc/raddb/policy.d/control including configuration file /etc/raddb/policy.d/canonicalization including configuration file /etc/raddb/policy.d/eap including configuration file /etc/raddb/policy.d/cui including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/default including configuration file /etc/raddb/sites-enabled/tls including configuration file /etc/raddb/sites-enabled/inner-tunnel main { security { user = "radiusd" group = "radiusd" allow_core_dumps = no } } main { name = "radiusd" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/radius" run_dir = "/var/run/radiusd" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no colourise = yes msg_denied = "You are already logged in - access denied" } security { max_attributes = 200 reject_delay = 1 status_server = yes allow_vulnerable_openssl = "CVE-2014-0160" } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = <<< secret >>> response_window = 20 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 revive_interval = 120 status_check_timeout = 4 coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } } home_server tls { ipaddr = 127.0.0.1 port = 2083 type = "auth" proto = "tcp" secret = <<< secret >>> response_window = 30 max_outstanding = 65536 zombie_period = 40 status_check = "none" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 revive_interval = 300 status_check_timeout = 4 coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } } tls { rsa_key_exchange = yes dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = KeyFile certificate_file = CertFile ca_file = CAFile fragment_size = 8192 include_length = yes check_crl = no cipher_list = "AES128-SHA:AES128-SHA256:AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256" ecdh_curve = "prime256v1" } Failed creating SSL context: error:140A90A1:lib(20):func(169):reason(161) [root@server raddb]#
On Oct 22, 2020, at 7:55 AM, murugesh pitchaiah <murugesh.pitchaiah@gmail.com> wrote:
[root@server231 raddb]# radiusd debug -fxx -l stdout radiusd: FreeRADIUS Version 3.0.3, for host i686-redhat-linux-gnu,
Upgrade. There is no reason to be running a version of the server which is 6+ years old. You've installed a newer version of OpenSSL on the system, which has API changes. Use a recent version of FreeRADIUS, which is compatible with newer versions of OpenSSL. Alan DeKok.
participants (2)
-
Alan DeKok -
murugesh pitchaiah