rlm_rest / SSL one way and server certificate check
Hello, I'm using rlm_rest module. I'm trying to have the client check the server certificate (SSL one way), using the following options: rest { tls { ca_file = <where I've put my CA file> check_cert = "yes" } } However I can't get this to work. Apparently the option set by FreeRADIUS (CURLOPT_ISSUERCERT) is ignored by Curl, which instead uses a "bundle of certificates" located in: /etc/pki/tls/certs/ca-bundle.crt I've put libcurl in verbose mode, which outputs the following: * Connected to 10.67.141.75 (10.67.141.75) port 8443 (#1) * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH * successfully set certificate verify locations: * CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none * SSL certificate problem: unable to get local issuer certificate * Curl_http_done: called premature == 1 * Closing connection 1 This works if I change rlm_rest code, so that option CURLOPT_CAINFO is set instead of CURLOPT_ISSUERCERT. So... is it supposed to work with CURLOPT_ISSUERCERT ? if so what am I doing wrong ? Regards, Nicolas. This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.
On Mon, 2016-10-24 at 13:53 +0000, Chaigneau, Nicolas wrote:
So... is it supposed to work with CURLOPT_ISSUERCERT ? if so what am I doing wrong ?
Is this RHEL/CentOS? There's a good chance libcurl is linked against NSS, which may be the cause. -- Regards, Adam Bishop gpg: 0x6609D460 jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.
On Oct 24, 2016, at 10:03 AM, Adam Bishop <Adam.Bishop@jisc.ac.uk> wrote:
On Mon, 2016-10-24 at 13:53 +0000, Chaigneau, Nicolas wrote:
So... is it supposed to work with CURLOPT_ISSUERCERT ? if so what am I doing wrong ?
Is this RHEL/CentOS? There's a good chance libcurl is linked against NSS, which may be the cause.
That's likely it. Having two SSL libraries linked to the same application causes problems. RedHat has seen fit to *partially* port their OS to using NSS. But many applications still use OpenSSL. I'd be happy if RedHat either fixed their OS to work, or submitted patches to FreeRADIUS to allow it to link to NSS. But I don't think either thing is going to happen. Alan DeKok.
Yes, I'm on a RHEL. I'm not using the default libcurl, though, but a more recent version which I built myself. I didn't specify anything for NSS.
From libcurl configure output I see that OpenSSL is used:
#define HAVE_LIBSSL 1 #define HAVE_OPENSSL_X509_H 1 #define USE_OPENSSL 1 #define HAVE_OPENSSL_CRYPTO_H 1 (etc.) I also notice the "bundle" that libcurl sets as default: #define CURL_CA_BUNDLE "/etc/pki/tls/certs/ca-bundle.crt" -----Message d'origine----- De : Freeradius-Users [mailto:freeradius-users-bounces+nicolas.chaigneau=capgemini.com@lists.freeradius.org] De la part de Adam Bishop Envoyé : lundi 24 octobre 2016 16:04 À : freeradius-users@lists.freeradius.org Objet : Re: rlm_rest / SSL one way and server certificate check On Mon, 2016-10-24 at 13:53 +0000, Chaigneau, Nicolas wrote:
So... is it supposed to work with CURLOPT_ISSUERCERT ? if so what am I doing wrong ?
Is this RHEL/CentOS? There's a good chance libcurl is linked against NSS, which may be the cause. -- Regards, Adam Bishop gpg: 0x6609D460 jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.
On Oct 24, 2016, at 9:53 AM, Chaigneau, Nicolas <nicolas.chaigneau@capgemini.com> wrote:
So... is it supposed to work with CURLOPT_ISSUERCERT ? if so what am I doing wrong ?
Remove the RH libcurl package. Compile libcurl manually, and have it link to OpenSSL. Then, re-build FreeRADIUS to use the local version of libcurl. It will then work. Alan DeKok.
On Oct 24, 2016, at 9:53 AM, Chaigneau, Nicolas <nicolas.chaigneau@capgemini.com> wrote:
So... is it supposed to work with CURLOPT_ISSUERCERT ? if so what am I doing wrong ?
Remove the RH libcurl package. Compile libcurl manually, and have it link to OpenSSL.
Well... that's what I've been doing :/ Maybe there are some options to curl configure, which are required so this works correctly on RHEL ? I've tried to add "--without-ca-bundle". Now the verbose output shows that libcurl does not use a CA bundle by default, but it still ignores CURLOPT_ISSUERCERT and fails to verify the server certificate...
Then, re-build FreeRADIUS to use the local version of libcurl. It will then work.
Alan DeKok.
This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.
On Oct 24, 2016, at 11:05 AM, Chaigneau, Nicolas <nicolas.chaigneau@capgemini.com> wrote:
Maybe there are some options to curl configure, which are required so this works correctly on RHEL ?
Maybe. RH gives me a headache, tho. It reminds me of Solaris, TBH.
I've tried to add "--without-ca-bundle". Now the verbose output shows that libcurl does not use a CA bundle by default, but it still ignores CURLOPT_ISSUERCERT and fails to verify the server certificate...
Some things are still magic to me, unfortunately. Alan DeKok.
participants (3)
-
Adam Bishop -
Alan DeKok -
Chaigneau, Nicolas