RE: Error starting radiusd when specifying private_key_password (OPEN)
Hi Alan and thanks for your response.
-----Original Message----- From: Freeradius-Users <freeradius-users- bounces+per.weisteen=telenor.com@lists.freeradius.org> On Behalf Of Alan DeKok Sent: 21. august 2020 17:30 To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: Error starting radiusd when specifying private_key_password (INTERNAL)
On Aug 21, 2020, at 10:06 AM, Per.Weisteen@telenor.com wrote:
I've installed FreeRADIUS 3.0.13 on CentOS 7 and generated my own set of CA, intermediate and server certificates using openssl version 1.0.2k-fips. Certificates etc is generated using https://jamielinux.com/docs/openssl-certificate-authority/ modified with info from https://devcentral.f5.com/s/articles/building-an-openssl-certificate-a uthority-introduction-and-design-considerations-for-elliptical-curves- 27720
That should be fine.
I've configured mods-enabled/eap using a private_key_password with a
length of 20 characters.
Starting in debug mode I get error messages :
tls: Failed reading private key file "/etc/raddb/certs/oslo-radius01v4- test.nsc.no.pem" tls: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt tls: error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error tls: error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error tls: error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib tls: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib rlm_eap_tls: Failed initializing SSL context rlm_eap (EAP): Failed to initialise rlm_eap_tls /etc/raddb/mods-enabled/eap[14]: Instantiation failed for module "eap"
Weird. There is no limit on the length of the private_key_password.
Are there special characters in it? You might need to quote the password, and escape things. i.e. instead of:
private_key_password = abcd'def
do
private_key_password = "abc'def"
No special characters, just upper/lower case and numbers. Tried with quotes though but that didn't work any better. Could I increase debug level and get some more details on the error ?
If I comment out the private_key_password statement I'm prompted for the password instead :
Enter PEM pass phrase:
Using the same password as specified in private_key_password the startup seems to start ok.
Any suggestions ?
We just read the password from the configuration file and pass it to OpenSSL. There's very little processing done by us.
Alan DeKok.
Per Weisteen
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Aug 23, 2020, at 3:49 PM, Per.Weisteen@telenor.com wrote:
No special characters, just upper/lower case and numbers. Tried with quotes though but that didn't work any better.
That's not good.
Could I increase debug level and get some more details on the error ?
Not really. We just take the password from the configuration file, and pass it directly to OpenSSL. There's really very little which can go wrong here. Alan DeKok.
participants (2)
-
Alan DeKok -
Per.Weisteen@telenor.com