Hi, I've got configures freeradius 3.2 with eap tls, and working certificates, users can be authorized to network but I get warnings every time : Certificate chain - 1 cert(s) untrusted (TLS) untrusted certificate with depth [1] subject name /C=PL/ST=MyState/O=MyOrg/CN=Intermediate CA (TLS) untrusted certificate with depth [0] subject name /C=PL/ST=MyState/O=MyOrg/CN=client Is there solution to this or so I have to ignore it, and live with it? Maciej
On Jul 31, 2023, at 2:30 AM, Maciej Kowalka <maciejkowalkati@gmail.com> wrote:
Hi, I've got configures freeradius 3.2 with eap tls, and working certificates, users can be authorized to network but I get warnings every time :
If it works...
Certificate chain - 1 cert(s) untrusted
(TLS) untrusted certificate with depth [1] subject name /C=PL/ST=MyState/O=MyOrg/CN=Intermediate CA
(TLS) untrusted certificate with depth [0] subject name /C=PL/ST=MyState/O=MyOrg/CN=client
Is there solution to this or so I have to ignore it, and live with it?
Configure the server so that it knows about the certificates. That way they will be trusted. See mods-available/eap. Look for "reject_unknown_intermediate_ca" Alan DeKok.
pon., 31 lip 2023, 16:34 użytkownik Alan DeKok <aland@deployingradius.com> napisał:
On Jul 31, 2023, at 2:30 AM, Maciej Kowalka <maciejkowalkati@gmail.com> wrote:
Hi, I've got configures freeradius 3.2 with eap tls, and working certificates, users can be authorized to network but I get warnings every time :
If it works...
don't touch it....
Certificate chain - 1 cert(s) untrusted
(TLS) untrusted certificate with depth [1] subject name /C=PL/ST=MyState/O=MyOrg/CN=Intermediate CA
(TLS) untrusted certificate with depth [0] subject name /C=PL/ST=MyState/O=MyOrg/CN=client
Is there solution to this or so I have to ignore it, and live with it?
Configure the server so that it knows about the certificates. That way they will be trusted.
See mods-available/eap. Look for "reject_unknown_intermediate_ca"
Alan DeKok.
I tried but probably didn't do it right, can you point to how exactly to do it? The things I tried: - adding intermediate-ca.pem to certificate folder - concatenate Intermediate-ca.pem and ca.pem together - adding Intermediate-ca.pem to server.pem certificate - changing the config ca_file to point to the Intermediate-ca.pem None of these things worked, so I would appreciate writing what I need to configure. Preferably with an example :) Maciej
On Aug 1, 2023, at 12:46 AM, Maciej Kowalka <maciejkowalkati@gmail.com> wrote:
I tried but probably didn't do it right, can you point to how exactly to do it?
Follow the documentation on how to: a) put certificates into the folder (and rehash as necessary) b) put the certificates into one file in order What may be happening is that you don't have the intermediate certificate. i.e. only the end-user device has them. So perhaps double-check that. Alan DeKok.
wt., 1 sie 2023 o 16:52 Alan DeKok <aland@deployingradius.com> napisał(a):
On Aug 1, 2023, at 12:46 AM, Maciej Kowalka <maciejkowalkati@gmail.com> wrote:
I tried but probably didn't do it right, can you point to how exactly to do it?
Follow the documentation on how to:
Can you point me where it is mentioned in documentation as I can’t seem to find it.
a) put certificates into the folder (and rehash as necessary)
So I have both intermediate-ca.pem and ca.pem in the folder, do I need to c_rehash it?(in eap file rehash is mentioned only for CA and CRL)
b) put the certificates into one file in order
Do you mean like “cat intermediate-ca.pem ca.pem > int-ca_ca.pem”?
What may be happening is that you don't have the intermediate certificate. i.e. only the end-user device has them. So perhaps double-check that.
I do have the intermediate-ca.pem in the same folder as ca.pem, but don't know if I need to add something in the eap config file to let freeradius know it. Appreciate your help , Maciej
On Aug 2, 2023, at 3:18 AM, Maciej Kowalka <maciejkowalkati@gmail.com> wrote:
a) put certificates into the folder (and rehash as necessary)
So I have both intermediate-ca.pem and ca.pem in the folder, do I need to c_rehash it?(in eap file rehash is mentioned only for CA and CRL)
An intermediate CA is still a CA. You still need to run c_rehash.
b) put the certificates into one file in order
Do you mean like “cat intermediate-ca.pem ca.pem > int-ca_ca.pem”?
See mods-available/eap, "certificate_file". It has lots of comments.
What may be happening is that you don't have the intermediate certificate. i.e. only the end-user device has them. So perhaps double-check that.
I do have the intermediate-ca.pem in the same folder as ca.pem, but don't know if I need to add something in the eap config file to let freeradius know it.
An intermediate CA is still a CA. All CAs go into "ca_path". Alan DeKok.
śr., 2 sie 2023 o 14:27 Alan DeKok <aland@deployingradius.com> napisał(a):
On Aug 2, 2023, at 3:18 AM, Maciej Kowalka <maciejkowalkati@gmail.com> wrote:
a) put certificates into the folder (and rehash as necessary)
So I have both intermediate-ca.pem and ca.pem in the folder, do I need to c_rehash it?(in eap file rehash is mentioned only for CA and CRL)
An intermediate CA is still a CA. You still need to run c_rehash.
b) put the certificates into one file in order
Do you mean like “cat intermediate-ca.pem ca.pem > int-ca_ca.pem”?
See mods-available/eap, "certificate_file". It has lots of comments.
What may be happening is that you don't have the intermediate certificate. i.e. only the end-user device has them. So perhaps double-check that.
I do have the intermediate-ca.pem in the same folder as ca.pem, but don't know if I need to add something in the eap config file to let freeradius know it.
An intermediate CA is still a CA. All CAs go into "ca_path".
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
In the config: Ca_file points to ca.pem Ca_path points to folder containing both ca.pem and intermediate.pem # When using "ca_file" or "ca_path", the # "certificate_file" should contain only # "server.pem". And then you may (or may not) need # to set "auto_chain", depending on your version of # OpenSSL. Certificate_file points to server.pem Auto_chain is set to “yes” SSL version is 3.0.9 Done c_rehash for the folder with certs, freeradius restarted, but in debug I still see the same warnings: Warning: Certificate chain - 1 cert(s) untrusted Warning: (TLS) untrusted certificate with depth [1] subject name /C=PL/ST=MyState/O=MyOrg/CN=Intermediate CA Warning: (TLS) untrusted certificate with depth [0] subject name /C=PL/ST=MyState/O=MyOrg/CN=client
On Aug 2, 2023, at 9:07 AM, Maciej Kowalka <maciejkowalkati@gmail.com> wrote:
In the config:
Ca_file points to ca.pem Ca_path points to folder containing both ca.pem and intermediate.pem
That should be fine.
Auto_chain is set to “yes”
That might be OK. It's OpenSSL... it's hard to say.
Done c_rehash for the folder with certs, freeradius restarted, but in debug I still see the same warnings:
Warning: Certificate chain - 1 cert(s) untrusted Warning: (TLS) untrusted certificate with depth [1] subject name /C=PL/ST=MyState/O=MyOrg/CN=Intermediate CA Warning: (TLS) untrusted certificate with depth [0] subject name /C=PL/ST=MyState/O=MyOrg/CN=client
Either that's a different certificate than what is in the ca_path directory, or there's some OpenSSL magic going on. i.e. FreeRADIUS uses OpenSSL for certificate handling. If OpenSSL is complaining about certificates, there's really not a lot we can do. Alan DeKok.
śr., 2 sie 2023, 17:48 użytkownik Alan DeKok <aland@deployingradius.com> napisał:
On Aug 2, 2023, at 9:07 AM, Maciej Kowalka <maciejkowalkati@gmail.com> wrote:
In the config:
Ca_file points to ca.pem Ca_path points to folder containing both ca.pem and intermediate.pem
That should be fine.
Auto_chain is set to “yes”
That might be OK. It's OpenSSL... it's hard to say.
Done c_rehash for the folder with certs, freeradius restarted, but in debug I still see the same warnings:
Warning: Certificate chain - 1 cert(s) untrusted Warning: (TLS) untrusted certificate with depth [1] subject name /C=PL/ST=MyState/O=MyOrg/CN=Intermediate CA Warning: (TLS) untrusted certificate with depth [0] subject name /C=PL/ST=MyState/O=MyOrg/CN=client
Either that's a different certificate than what is in the ca_path directory, or there's some OpenSSL magic going on.
i.e. FreeRADIUS uses OpenSSL for certificate handling. If OpenSSL is complaining about certificates, there's really not a lot we can do.
Alan DeKok.
Would you be able to awnser me if the warning I'm now getting is correct : I now have only client certificate in windows and now I get only Warning: Certificate chain - 1 cert(s) untrusted Warning: (TLS) untrusted certificate with depth [0] subject name /C=PL/ST=MyState/O=MyOrg/CN=client So now the client pc sends only it's own certificate, but is authenticated by radius Maciej
On Aug 3, 2023, at 10:12 AM, Maciej Kowalka <maciejkowalkati@gmail.com> wrote:
Would you be able to awnser me if the warning I'm now getting is correct : I now have only client certificate in windows and now I get only Warning: Certificate chain - 1 cert(s) untrusted Warning: (TLS) untrusted certificate with depth [0] subject name /C=PL/ST=MyState/O=MyOrg/CN=client So now the client pc sends only it's own certificate, but is authenticated by radius
The warning is produced by OpenSSL. So it's "correct" in that OpenSSL does not know or trust that certificate. You will continue to see the messages until the certificates are configured correctly. Alan DeKok.
czw., 3 sie 2023, 16:53 użytkownik Alan DeKok <aland@deployingradius.com> napisał:
On Aug 3, 2023, at 10:12 AM, Maciej Kowalka <maciejkowalkati@gmail.com> wrote:
Would you be able to awnser me if the warning I'm now getting is correct : I now have only client certificate in windows and now I get only Warning: Certificate chain - 1 cert(s) untrusted Warning: (TLS) untrusted certificate with depth [0] subject name /C=PL/ST=MyState/O=MyOrg/CN=client So now the client pc sends only it's own certificate, but is authenticated by radius
The warning is produced by OpenSSL. So it's "correct" in that OpenSSL does not know or trust that certificate.
You will continue to see the messages until the certificates are configured correctly.
Alan DeKok.
Ok, to check if my certificates are not ok I've tried the certificates that are created during installation of freeradius and I get the same warning about the untrusted certs. Are they supposed to work correctly, without any problems? Or it might be a openssl bug? When I use openssl command to check certificates I get no errors, all are verified "ok". Maciej
On Aug 3, 2023, at 1:16 PM, Maciej Kowalka <maciejkowalkati@gmail.com> wrote:
Ok, to check if my certificates are not ok I've tried the certificates that are created during installation of freeradius and I get the same warning about the untrusted certs.
Then something else is going wrong. The default configuration and certificates do not use any intermediate certs. And the server is configured to trust the certs.
Are they supposed to work correctly, without any problems? Or it might be a openssl bug? When I use openssl command to check certificates I get no errors, all are verified "ok".
Something is broken in your local system. I don't know what. For now, just ignore the errors. Alan DeKok.
czw., 3 sie 2023, 20:29 użytkownik Alan DeKok <aland@deployingradius.com> napisał:
On Aug 3, 2023, at 1:16 PM, Maciej Kowalka <maciejkowalkati@gmail.com> wrote:
Ok, to check if my certificates are not ok I've tried the certificates that are created during installation of freeradius and I get the same warning about the untrusted certs.
Then something else is going wrong. The default configuration and certificates do not use any intermediate certs. And the server is configured to trust the certs.
Are they supposed to work correctly, without any problems? Or it might be a openssl bug? When I use openssl command to check certificates I get no errors, all are verified "ok".
Something is broken in your local system. I don't know what.
For now, just ignore the errors.
Alan DeKok.
I've installed Ubuntu 22 on another vm with freeradius 3.2.3 and I get the same warning as on current machine. I also installed freeradous 3.0 on a centos 7 but on it I don't get eny warning, even with mine intermediate CA certs. So I think it might be something with the OS or the radius itself. I'll try running freeradius 3.0 on Ubuntu to check if has the same result. Maciej
pt., 4 sie 2023, 12:46 użytkownik Maciej Kowalka <maciejkowalkati@gmail.com> napisał:
czw., 3 sie 2023, 20:29 użytkownik Alan DeKok <aland@deployingradius.com> napisał:
On Aug 3, 2023, at 1:16 PM, Maciej Kowalka <maciejkowalkati@gmail.com> wrote:
Ok, to check if my certificates are not ok I've tried the certificates that are created during installation of freeradius and I get the same warning about the untrusted certs.
Then something else is going wrong. The default configuration and certificates do not use any intermediate certs. And the server is configured to trust the certs.
Are they supposed to work correctly, without any problems? Or it might be a openssl bug? When I use openssl command to check certificates I get no errors, all are verified "ok".
Something is broken in your local system. I don't know what.
For now, just ignore the errors.
Alan DeKok.
I've installed Ubuntu 22 on another vm with freeradius 3.2.3 and I get the same warning as on current machine.
I also installed freeradous 3.0 on a centos 7 but on it I don't get eny warning, even with mine intermediate CA certs. So I think it might be something with the OS or the radius itself. I'll try running freeradius 3.0 on Ubuntu to check if has the same result.
To summarize, I've tested 4 different Linux systems and freeradius configurations for eap-tls: - Debian 12 and freeradius 3.2.3 default configuration and default certs gives warnings, - Ubuntu 22.04 with freeradius 3.0.26 and freeradius 3.2.3 both with stock configuration and certs also gives warnings, - Centos 7 with freeradius 3.2.3 and 3.0.26 both with either default certs or my certs works without warnings, - Rocky linux 9.2 with freeradius 3.2.3 gives the warnings. Only on centos 7 I don't get the certificate chain untrusted warning. All the systems are freshly installed with just changed default authentication to eap and added switch to clients. Is the package for Centos in any special way different than the rest? Maciej
On 08.08.23 07:32, Maciej Kowalka wrote:
pt., 4 sie 2023, 12:46 użytkownik Maciej Kowalka <maciejkowalkati@gmail.com> napisał:
czw., 3 sie 2023, 20:29 użytkownik Alan DeKok <aland@deployingradius.com> napisał:
On Aug 3, 2023, at 1:16 PM, Maciej Kowalka <maciejkowalkati@gmail.com> wrote:
Ok, to check if my certificates are not ok I've tried the certificates that are created during installation of freeradius and I get the same warning about the untrusted certs.
Then something else is going wrong. The default configuration and certificates do not use any intermediate certs. And the server is configured to trust the certs.
Are they supposed to work correctly, without any problems? Or it might be a openssl bug? When I use openssl command to check certificates I get no errors, all are verified "ok".
Something is broken in your local system. I don't know what.
For now, just ignore the errors.
Alan DeKok.
I've installed Ubuntu 22 on another vm with freeradius 3.2.3 and I get the same warning as on current machine.
I also installed freeradous 3.0 on a centos 7 but on it I don't get eny warning, even with mine intermediate CA certs. So I think it might be something with the OS or the radius itself. I'll try running freeradius 3.0 on Ubuntu to check if has the same result.
To summarize, I've tested 4 different Linux systems and freeradius configurations for eap-tls:
- Debian 12 and freeradius 3.2.3 default configuration and default certs gives warnings,
- Ubuntu 22.04 with freeradius 3.0.26 and freeradius 3.2.3 both with stock configuration and certs also gives warnings,
- Centos 7 with freeradius 3.2.3 and 3.0.26 both with either default certs or my certs works without warnings,
- Rocky linux 9.2 with freeradius 3.2.3 gives the warnings.
Only on centos 7 I don't get the certificate chain untrusted warning. All the systems are freshly installed with just changed default authentication to eap and added switch to clients.
Is the package for Centos in any special way different than the rest?
Each operating system uses a different version of openssl... Gerald
wt., 8 sie 2023, 07:36 użytkownik Gerald Vogt <vogt@spamcop.net> napisał:
On 08.08.23 07:32, Maciej Kowalka wrote:
pt., 4 sie 2023, 12:46 użytkownik Maciej Kowalka < maciejkowalkati@gmail.com> napisał:
czw., 3 sie 2023, 20:29 użytkownik Alan DeKok <
aland@deployingradius.com>
napisał:
On Aug 3, 2023, at 1:16 PM, Maciej Kowalka <maciejkowalkati@gmail.com> wrote:
Ok, to check if my certificates are not ok I've tried the certificates that are created during installation of freeradius and I get the same warning about the untrusted certs.
Then something else is going wrong. The default configuration and certificates do not use any intermediate certs. And the server is configured to trust the certs.
Are they supposed to work correctly, without any problems? Or it might be a openssl bug? When I use openssl command to check certificates I get no errors, all are verified "ok".
Something is broken in your local system. I don't know what.
For now, just ignore the errors.
Alan DeKok.
I've installed Ubuntu 22 on another vm with freeradius 3.2.3 and I get the same warning as on current machine.
I also installed freeradous 3.0 on a centos 7 but on it I don't get eny warning, even with mine intermediate CA certs. So I think it might be something with the OS or the radius itself. I'll try running freeradius 3.0 on Ubuntu to check if has the same result.
To summarize, I've tested 4 different Linux systems and freeradius configurations for eap-tls:
- Debian 12 and freeradius 3.2.3 default configuration and default certs gives warnings,
- Ubuntu 22.04 with freeradius 3.0.26 and freeradius 3.2.3 both with stock configuration and certs also gives warnings,
- Centos 7 with freeradius 3.2.3 and 3.0.26 both with either default certs or my certs works without warnings,
- Rocky linux 9.2 with freeradius 3.2.3 gives the warnings.
Only on centos 7 I don't get the certificate chain untrusted warning. All the systems are freshly installed with just changed default authentication to eap and added switch to clients.
Is the package for Centos in any special way different than the rest?
Each operating system uses a different version of openssl...
Gerald
They do use different openssl version, Debian - 3.0.9 Ubuntu - 3.0.2 Rocky - 3.0.7 Centos - 1.0.2k later upgraded to 3.0.0 Can you share what version of openssl should be used? If that makes difference? Maciej
wt., 8 sie 2023, 08:46 użytkownik Maciej Kowalka <maciejkowalkati@gmail.com> napisał:
wt., 8 sie 2023, 07:36 użytkownik Gerald Vogt <vogt@spamcop.net> napisał:
On 08.08.23 07:32, Maciej Kowalka wrote:
pt., 4 sie 2023, 12:46 użytkownik Maciej Kowalka < maciejkowalkati@gmail.com> napisał:
czw., 3 sie 2023, 20:29 użytkownik Alan DeKok <
aland@deployingradius.com>
napisał:
On Aug 3, 2023, at 1:16 PM, Maciej Kowalka <maciejkowalkati@gmail.com
wrote:
Ok, to check if my certificates are not ok I've tried the certificates that are created during installation of freeradius and I get the same warning about the untrusted certs.
Then something else is going wrong. The default configuration and certificates do not use any intermediate certs. And the server is configured to trust the certs.
Are they supposed to work correctly, without any problems? Or it might be a openssl bug? When I use openssl command to check certificates I get no errors, all are verified "ok".
Something is broken in your local system. I don't know what.
For now, just ignore the errors.
Alan DeKok.
I've installed Ubuntu 22 on another vm with freeradius 3.2.3 and I get the same warning as on current machine.
I also installed freeradous 3.0 on a centos 7 but on it I don't get eny warning, even with mine intermediate CA certs. So I think it might be something with the OS or the radius itself. I'll try running freeradius 3.0 on Ubuntu to check if has the same result.
To summarize, I've tested 4 different Linux systems and freeradius configurations for eap-tls:
- Debian 12 and freeradius 3.2.3 default configuration and default certs gives warnings,
- Ubuntu 22.04 with freeradius 3.0.26 and freeradius 3.2.3 both with stock configuration and certs also gives warnings,
- Centos 7 with freeradius 3.2.3 and 3.0.26 both with either default certs or my certs works without warnings,
- Rocky linux 9.2 with freeradius 3.2.3 gives the warnings.
Only on centos 7 I don't get the certificate chain untrusted warning. All the systems are freshly installed with just changed default authentication to eap and added switch to clients.
Is the package for Centos in any special way different than the rest?
Each operating system uses a different version of openssl...
Gerald
They do use different openssl version, Debian - 3.0.9 Ubuntu - 3.0.2 Rocky - 3.0.7 Centos - 1.0.2k later upgraded to 3.0.0
Can you share what version of openssl should be used? If that makes difference?
Ok, so I've installed openssl 1.0.2k on Ubuntu and I get still the same warnings. Now the only difference is the os itself Maciej
On 08.08.23 11:27, Maciej Kowalka wrote:
wt., 8 sie 2023, 08:46 użytkownik Maciej Kowalka <maciejkowalkati@gmail.com> napisał:
wt., 8 sie 2023, 07:36 użytkownik Gerald Vogt <vogt@spamcop.net> napisał:
On 08.08.23 07:32, Maciej Kowalka wrote:
pt., 4 sie 2023, 12:46 użytkownik Maciej Kowalka < maciejkowalkati@gmail.com> napisał:
czw., 3 sie 2023, 20:29 użytkownik Alan DeKok <
aland@deployingradius.com>
napisał:
On Aug 3, 2023, at 1:16 PM, Maciej Kowalka <maciejkowalkati@gmail.com
wrote: > Ok, to check if my certificates are not ok I've tried the certificates that > are created during installation of freeradius and I get the same warning > about the untrusted certs.
Then something else is going wrong. The default configuration and certificates do not use any intermediate certs. And the server is configured to trust the certs.
> Are they supposed to work correctly, without any problems? > Or it might be a openssl bug? When I use openssl command to check > certificates I get no errors, all are verified "ok".
Something is broken in your local system. I don't know what.
For now, just ignore the errors.
Alan DeKok.
I've installed Ubuntu 22 on another vm with freeradius 3.2.3 and I get the same warning as on current machine.
I also installed freeradous 3.0 on a centos 7 but on it I don't get eny warning, even with mine intermediate CA certs. So I think it might be something with the OS or the radius itself. I'll try running freeradius 3.0 on Ubuntu to check if has the same result.
To summarize, I've tested 4 different Linux systems and freeradius configurations for eap-tls:
- Debian 12 and freeradius 3.2.3 default configuration and default certs gives warnings,
- Ubuntu 22.04 with freeradius 3.0.26 and freeradius 3.2.3 both with stock configuration and certs also gives warnings,
- Centos 7 with freeradius 3.2.3 and 3.0.26 both with either default certs or my certs works without warnings,
- Rocky linux 9.2 with freeradius 3.2.3 gives the warnings.
Only on centos 7 I don't get the certificate chain untrusted warning. All the systems are freshly installed with just changed default authentication to eap and added switch to clients.
Is the package for Centos in any special way different than the rest?
Each operating system uses a different version of openssl...
Gerald
They do use different openssl version, Debian - 3.0.9 Ubuntu - 3.0.2 Rocky - 3.0.7 Centos - 1.0.2k later upgraded to 3.0.0
Can you share what version of openssl should be used? If that makes difference?
Ok, so I've installed openssl 1.0.2k on Ubuntu and I get still the same warnings. Now the only difference is the os itself
You are aware, that installing some version and using it are two different things? Did you verify that freeradius is actually using that version? -Gerald
wt., 8 sie 2023, 12:26 użytkownik Gerald Vogt <vogt@spamcop.net> napisał:
On 08.08.23 11:27, Maciej Kowalka wrote:
wt., 8 sie 2023, 08:46 użytkownik Maciej Kowalka < maciejkowalkati@gmail.com> napisał:
wt., 8 sie 2023, 07:36 użytkownik Gerald Vogt <vogt@spamcop.net> napisał:
On 08.08.23 07:32, Maciej Kowalka wrote:
pt., 4 sie 2023, 12:46 użytkownik Maciej Kowalka < maciejkowalkati@gmail.com> napisał:
czw., 3 sie 2023, 20:29 użytkownik Alan DeKok <
aland@deployingradius.com>
napisał:
> On Aug 3, 2023, at 1:16 PM, Maciej Kowalka < maciejkowalkati@gmail.com
> wrote: >> Ok, to check if my certificates are not ok I've tried the certificates > that >> are created during installation of freeradius and I get the same warning >> about the untrusted certs. > > Then something else is going wrong. The default configuration and > certificates do not use any intermediate certs. And the server is > configured to trust the certs. > >> Are they supposed to work correctly, without any problems? >> Or it might be a openssl bug? When I use openssl command to check >> certificates I get no errors, all are verified "ok". > > Something is broken in your local system. I don't know what. > > For now, just ignore the errors. > > Alan DeKok. >
I've installed Ubuntu 22 on another vm with freeradius 3.2.3 and I get the same warning as on current machine.
I also installed freeradous 3.0 on a centos 7 but on it I don't get eny warning, even with mine intermediate CA certs. So I think it might be something with the OS or the radius itself. I'll try running freeradius 3.0 on Ubuntu to check if has the same result.
To summarize, I've tested 4 different Linux systems and freeradius configurations for eap-tls:
- Debian 12 and freeradius 3.2.3 default configuration and default certs gives warnings,
- Ubuntu 22.04 with freeradius 3.0.26 and freeradius 3.2.3 both with stock configuration and certs also gives warnings,
- Centos 7 with freeradius 3.2.3 and 3.0.26 both with either default certs or my certs works without warnings,
- Rocky linux 9.2 with freeradius 3.2.3 gives the warnings.
Only on centos 7 I don't get the certificate chain untrusted warning. All the systems are freshly installed with just changed default authentication to eap and added switch to clients.
Is the package for Centos in any special way different than the rest?
Each operating system uses a different version of openssl...
Gerald
They do use different openssl version, Debian - 3.0.9 Ubuntu - 3.0.2 Rocky - 3.0.7 Centos - 1.0.2k later upgraded to 3.0.0
Can you share what version of openssl should be used? If that makes difference?
Ok, so I've installed openssl 1.0.2k on Ubuntu and I get still the same warnings. Now the only difference is the os itself
You are aware, that installing some version and using it are two different things? Did you verify that freeradius is actually using that version?
-Gerald
I've renamed the usr/bin/openssl to openssl.old and added the 1.0.2 one to the $PATH, run openssl version command and it returned the 1.0.2k version, I don't know what else could I do. Maciej
I admit I didn't read the entire history of this thread but running openssl via the command line vs using an application (here: freeradius) (dynamically) linked against the openssl *libraries* is something very different. On August 8, 2023 12:39:00 PM GMT+02:00, Maciej Kowalka <maciejkowalkati@gmail.com> wrote:
wt., 8 sie 2023, 12:26 użytkownik Gerald Vogt <vogt@spamcop.net> napisał:
On 08.08.23 11:27, Maciej Kowalka wrote:
wt., 8 sie 2023, 08:46 użytkownik Maciej Kowalka < maciejkowalkati@gmail.com> napisał:
wt., 8 sie 2023, 07:36 użytkownik Gerald Vogt <vogt@spamcop.net> napisał:
On 08.08.23 07:32, Maciej Kowalka wrote:
pt., 4 sie 2023, 12:46 użytkownik Maciej Kowalka < maciejkowalkati@gmail.com> napisał:
> > czw., 3 sie 2023, 20:29 użytkownik Alan DeKok < aland@deployingradius.com> > napisał: > >> On Aug 3, 2023, at 1:16 PM, Maciej Kowalka < maciejkowalkati@gmail.com
>> wrote: >>> Ok, to check if my certificates are not ok I've tried the certificates >> that >>> are created during installation of freeradius and I get the same warning >>> about the untrusted certs. >> >> Then something else is going wrong. The default configuration and >> certificates do not use any intermediate certs. And the server is >> configured to trust the certs. >> >>> Are they supposed to work correctly, without any problems? >>> Or it might be a openssl bug? When I use openssl command to check >>> certificates I get no errors, all are verified "ok". >> >> Something is broken in your local system. I don't know what. >> >> For now, just ignore the errors. >> >> Alan DeKok. >> > > I've installed Ubuntu 22 on another vm with freeradius 3.2.3 and I get the > same warning as on current machine. > > I also installed freeradous 3.0 on a centos 7 but on it I don't get eny > warning, even with mine intermediate CA certs. > So I think it might be something with the OS or the radius itself. I'll > try running freeradius 3.0 on Ubuntu to check if has the same result. >
To summarize, I've tested 4 different Linux systems and freeradius configurations for eap-tls:
- Debian 12 and freeradius 3.2.3 default configuration and default certs gives warnings,
- Ubuntu 22.04 with freeradius 3.0.26 and freeradius 3.2.3 both with stock configuration and certs also gives warnings,
- Centos 7 with freeradius 3.2.3 and 3.0.26 both with either default certs or my certs works without warnings,
- Rocky linux 9.2 with freeradius 3.2.3 gives the warnings.
Only on centos 7 I don't get the certificate chain untrusted warning. All the systems are freshly installed with just changed default authentication to eap and added switch to clients.
Is the package for Centos in any special way different than the rest?
Each operating system uses a different version of openssl...
Gerald
They do use different openssl version, Debian - 3.0.9 Ubuntu - 3.0.2 Rocky - 3.0.7 Centos - 1.0.2k later upgraded to 3.0.0
Can you share what version of openssl should be used? If that makes difference?
Ok, so I've installed openssl 1.0.2k on Ubuntu and I get still the same warnings. Now the only difference is the os itself
You are aware, that installing some version and using it are two different things? Did you verify that freeradius is actually using that version?
-Gerald
I've renamed the usr/bin/openssl to openssl.old and added the 1.0.2 one to the $PATH, run openssl version command and it returned the 1.0.2k version, I don't know what else could I do.
Maciej
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
You might be right, the openssl I installed might not be used by freeradius, I'm not a Linux expert neither a freeradius expert, I'm just trying diffent stuff to make it work, currently without success. So if that's the case wold the openssl be broken in 3 versions 3.0.9 3.0.7 and 3.0.2? That are downloaded with freeradius? Or how do I check the version of openssl used by freeradius? wt., 8 sie 2023, 12:46 użytkownik marki <jm+freeradiususer@roth.lu> napisał:
I admit I didn't read the entire history of this thread but running openssl via the command line vs using an application (here: freeradius) (dynamically) linked against the openssl *libraries* is something very different.
wt., 8 sie 2023, 12:26 użytkownik Gerald Vogt <vogt@spamcop.net> napisał:
On 08.08.23 11:27, Maciej Kowalka wrote:
wt., 8 sie 2023, 08:46 użytkownik Maciej Kowalka < maciejkowalkati@gmail.com> napisał:
wt., 8 sie 2023, 07:36 użytkownik Gerald Vogt <vogt@spamcop.net> napisał:
On 08.08.23 07:32, Maciej Kowalka wrote: > pt., 4 sie 2023, 12:46 użytkownik Maciej Kowalka < maciejkowalkati@gmail.com> > napisał: > >> >> czw., 3 sie 2023, 20:29 użytkownik Alan DeKok < aland@deployingradius.com> >> napisał: >> >>> On Aug 3, 2023, at 1:16 PM, Maciej Kowalka < maciejkowalkati@gmail.com > >>> wrote: >>>> Ok, to check if my certificates are not ok I've tried the certificates >>> that >>>> are created during installation of freeradius and I get the same warning >>>> about the untrusted certs. >>> >>> Then something else is going wrong. The default configuration and >>> certificates do not use any intermediate certs. And the server is >>> configured to trust the certs. >>> >>>> Are they supposed to work correctly, without any problems? >>>> Or it might be a openssl bug? When I use openssl command to check >>>> certificates I get no errors, all are verified "ok". >>> >>> Something is broken in your local system. I don't know what. >>> >>> For now, just ignore the errors. >>> >>> Alan DeKok. >>> >> >> I've installed Ubuntu 22 on another vm with freeradius 3.2.3 and I get the >> same warning as on current machine. >> >> I also installed freeradous 3.0 on a centos 7 but on it I don't get eny >> warning, even with mine intermediate CA certs. >> So I think it might be something with the OS or the radius itself. I'll >> try running freeradius 3.0 on Ubuntu to check if has the same result. >> > > To summarize, I've tested 4 different Linux systems and freeradius > configurations for eap-tls: > > - Debian 12 and freeradius 3.2.3 default configuration and default certs > gives warnings, > > - Ubuntu 22.04 with freeradius 3.0.26 and freeradius 3.2.3 both with stock > configuration and certs also gives warnings, > > - Centos 7 with freeradius 3.2.3 and 3.0.26 both with either default certs > or my certs works without warnings, > > - Rocky linux 9.2 with freeradius 3.2.3 gives the warnings. > > Only on centos 7 I don't get the certificate chain untrusted warning. > All the systems are freshly installed with just changed default > authentication to eap and added switch to clients. > > Is the package for Centos in any special way different than the rest?
Each operating system uses a different version of openssl...
Gerald
They do use different openssl version, Debian - 3.0.9 Ubuntu - 3.0.2 Rocky - 3.0.7 Centos - 1.0.2k later upgraded to 3.0.0
Can you share what version of openssl should be used? If that makes difference?
Ok, so I've installed openssl 1.0.2k on Ubuntu and I get still the same warnings. Now the only difference is the os itself
You are aware, that installing some version and using it are two different things? Did you verify that freeradius is actually using that version?
-Gerald
I've renamed the usr/bin/openssl to openssl.old and added the 1.0.2 one to the $PATH, run openssl version command and it returned the 1.0.2k version, I don't know what else could I do.
Maciej
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On August 8, 2023 12:39:00 PM GMT+02:00, Maciej Kowalka < maciejkowalkati@gmail.com> wrote: - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Try ldd on the binary? To use a nonstandard path for those libraries may require option passed to configure -c Sent from my iPhone > On Aug 8, 2023, at 07:09, Maciej Kowalka <maciejkowalkati@gmail.com> wrote: > > You might be right, the openssl I installed might not be used by > freeradius, I'm not a Linux expert neither a freeradius expert, I'm just > trying diffent stuff to make it work, currently without success. So if > that's the case wold the openssl be broken in 3 versions 3.0.9 3.0.7 and > 3.0.2? That are downloaded with freeradius? Or how do I check the version > of openssl used by freeradius? > > > wt., 8 sie 2023, 12:46 użytkownik marki <jm+freeradiususer@roth.lu> napisał: > >> I admit I didn't read the entire history of this thread but running >> openssl via the command line vs using an application (here: freeradius) >> (dynamically) linked against the openssl *libraries* is something very >> different. >> >>> On August 8, 2023 12:39:00 PM GMT+02:00, Maciej Kowalka < >>> maciejkowalkati@gmail.com> wrote: >>> wt., 8 sie 2023, 12:26 użytkownik Gerald Vogt <vogt@spamcop.net> napisał: >>> >>>> On 08.08.23 11:27, Maciej Kowalka wrote: >>>>> wt., 8 sie 2023, 08:46 użytkownik Maciej Kowalka < >>>> maciejkowalkati@gmail.com> >>>>> napisał: >>>>> >>>>>> wt., 8 sie 2023, 07:36 użytkownik Gerald Vogt <vogt@spamcop.net> >>>> napisał: >>>>>> >>>>>>> On 08.08.23 07:32, Maciej Kowalka wrote: >>>>>>>> pt., 4 sie 2023, 12:46 użytkownik Maciej Kowalka < >>>>>>> maciejkowalkati@gmail.com> >>>>>>>> napisał: >>>>>>>> >>>>>>>>> >>>>>>>>> czw., 3 sie 2023, 20:29 użytkownik Alan DeKok < >>>>>>> aland@deployingradius.com> >>>>>>>>> napisał: >>>>>>>>> >>>>>>>>>> On Aug 3, 2023, at 1:16 PM, Maciej Kowalka < >>>> maciejkowalkati@gmail.com >>>>>>>> >>>>>>>>>> wrote: >>>>>>>>>>> Ok, to check if my certificates are not ok I've tried the >>>>>>> certificates >>>>>>>>>> that >>>>>>>>>>> are created during installation of freeradius and I get the same >>>>>>> warning >>>>>>>>>>> about the untrusted certs. >>>>>>>>>> >>>>>>>>>> Then something else is going wrong. The default >> configuration >>>> and >>>>>>>>>> certificates do not use any intermediate certs. And the server >> is >>>>>>>>>> configured to trust the certs. >>>>>>>>>> >>>>>>>>>>> Are they supposed to work correctly, without any problems? >>>>>>>>>>> Or it might be a openssl bug? When I use openssl command to >> check >>>>>>>>>>> certificates I get no errors, all are verified "ok". >>>>>>>>>> >>>>>>>>>> Something is broken in your local system. I don't know what. >>>>>>>>>> >>>>>>>>>> For now, just ignore the errors. >>>>>>>>>> >>>>>>>>>> Alan DeKok. >>>>>>>>>> >>>>>>>>> >>>>>>>>> I've installed Ubuntu 22 on another vm with freeradius 3.2.3 and I >>>> get >>>>>>> the >>>>>>>>> same warning as on current machine. >>>>>>>>> >>>>>>>>> I also installed freeradous 3.0 on a centos 7 but on it I don't >> get >>>> eny >>>>>>>>> warning, even with mine intermediate CA certs. >>>>>>>>> So I think it might be something with the OS or the radius itself. >>>> I'll >>>>>>>>> try running freeradius 3.0 on Ubuntu to check if has the same >> result. >>>>>>>>> >>>>>>>> >>>>>>>> To summarize, I've tested 4 different Linux systems and freeradius >>>>>>>> configurations for eap-tls: >>>>>>>> >>>>>>>> - Debian 12 and freeradius 3.2.3 default configuration and default >>>> certs >>>>>>>> gives warnings, >>>>>>>> >>>>>>>> - Ubuntu 22.04 with freeradius 3.0.26 and freeradius 3.2.3 both >> with >>>>>>> stock >>>>>>>> configuration and certs also gives warnings, >>>>>>>> >>>>>>>> - Centos 7 with freeradius 3.2.3 and 3.0.26 both with either >> default >>>>>>> certs >>>>>>>> or my certs works without warnings, >>>>>>>> >>>>>>>> - Rocky linux 9.2 with freeradius 3.2.3 gives the warnings. >>>>>>>> >>>>>>>> Only on centos 7 I don't get the certificate chain untrusted >> warning. >>>>>>>> All the systems are freshly installed with just changed default >>>>>>>> authentication to eap and added switch to clients. >>>>>>>> >>>>>>>> Is the package for Centos in any special way different than the >> rest? >>>>>>> >>>>>>> Each operating system uses a different version of openssl... >>>>>>> >>>>>>> Gerald >>>>>>> >>>>>> >>>>>> They do use different openssl version, >>>>>> Debian - 3.0.9 >>>>>> Ubuntu - 3.0.2 >>>>>> Rocky - 3.0.7 >>>>>> Centos - 1.0.2k later upgraded to 3.0.0 >>>>>> >>>>>> Can you share what version of openssl should be used? If that makes >>>>>> difference? >>>>>> >>>>> >>>>> Ok, so I've installed openssl 1.0.2k on Ubuntu and I get still the >> same >>>>> warnings. >>>>> Now the only difference is the os itself >>>> >>>> You are aware, that installing some version and using it are two >>>> different things? Did you verify that freeradius is actually using that >>>> version? >>>> >>>> -Gerald >>>> >>> >>> I've renamed the usr/bin/openssl to openssl.old and added the 1.0.2 one to >>> the $PATH, run openssl version command and it returned the 1.0.2k version, >>> I don't know what else could I do. >>> >>> Maciej >>> >>>> >>> - >>> List info/subscribe/unsubscribe? See >> http://www.freeradius.org/list/users.html >> - >> List info/subscribe/unsubscribe? See >> http://www.freeradius.org/list/users.html >> > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
It returned libssl.so.3 so I assume it still uses the original openssl. That's unfortunate. Any other ideas what to check/change? Maciej wt., 8 sie 2023, 13:22 użytkownik Coy Hile <coy.hile@coyhile.com> napisał: > Try ldd on the binary? To use a nonstandard path for those libraries may > require option passed to configure > > -c > > Sent from my iPhone > > > On Aug 8, 2023, at 07:09, Maciej Kowalka <maciejkowalkati@gmail.com> > wrote: > > > > You might be right, the openssl I installed might not be used by > > freeradius, I'm not a Linux expert neither a freeradius expert, I'm just > > trying diffent stuff to make it work, currently without success. So if > > that's the case wold the openssl be broken in 3 versions 3.0.9 3.0.7 and > > 3.0.2? That are downloaded with freeradius? Or how do I check the version > > of openssl used by freeradius? > > > > > > wt., 8 sie 2023, 12:46 użytkownik marki <jm+freeradiususer@roth.lu> > napisał: > > > >> I admit I didn't read the entire history of this thread but running > >> openssl via the command line vs using an application (here: freeradius) > >> (dynamically) linked against the openssl *libraries* is something very > >> different. > >> > >>> On August 8, 2023 12:39:00 PM GMT+02:00, Maciej Kowalka < > >>> maciejkowalkati@gmail.com> wrote: > >>> wt., 8 sie 2023, 12:26 użytkownik Gerald Vogt <vogt@spamcop.net> > napisał: > >>> > >>>> On 08.08.23 11:27, Maciej Kowalka wrote: > >>>>> wt., 8 sie 2023, 08:46 użytkownik Maciej Kowalka < > >>>> maciejkowalkati@gmail.com> > >>>>> napisał: > >>>>> > >>>>>> wt., 8 sie 2023, 07:36 użytkownik Gerald Vogt <vogt@spamcop.net> > >>>> napisał: > >>>>>> > >>>>>>> On 08.08.23 07:32, Maciej Kowalka wrote: > >>>>>>>> pt., 4 sie 2023, 12:46 użytkownik Maciej Kowalka < > >>>>>>> maciejkowalkati@gmail.com> > >>>>>>>> napisał: > >>>>>>>> > >>>>>>>>> > >>>>>>>>> czw., 3 sie 2023, 20:29 użytkownik Alan DeKok < > >>>>>>> aland@deployingradius.com> > >>>>>>>>> napisał: > >>>>>>>>> > >>>>>>>>>> On Aug 3, 2023, at 1:16 PM, Maciej Kowalka < > >>>> maciejkowalkati@gmail.com > >>>>>>>> > >>>>>>>>>> wrote: > >>>>>>>>>>> Ok, to check if my certificates are not ok I've tried the > >>>>>>> certificates > >>>>>>>>>> that > >>>>>>>>>>> are created during installation of freeradius and I get the > same > >>>>>>> warning > >>>>>>>>>>> about the untrusted certs. > >>>>>>>>>> > >>>>>>>>>> Then something else is going wrong. The default > >> configuration > >>>> and > >>>>>>>>>> certificates do not use any intermediate certs. And the server > >> is > >>>>>>>>>> configured to trust the certs. > >>>>>>>>>> > >>>>>>>>>>> Are they supposed to work correctly, without any problems? > >>>>>>>>>>> Or it might be a openssl bug? When I use openssl command to > >> check > >>>>>>>>>>> certificates I get no errors, all are verified "ok". > >>>>>>>>>> > >>>>>>>>>> Something is broken in your local system. I don't know what. > >>>>>>>>>> > >>>>>>>>>> For now, just ignore the errors. > >>>>>>>>>> > >>>>>>>>>> Alan DeKok. > >>>>>>>>>> > >>>>>>>>> > >>>>>>>>> I've installed Ubuntu 22 on another vm with freeradius 3.2.3 and > I > >>>> get > >>>>>>> the > >>>>>>>>> same warning as on current machine. > >>>>>>>>> > >>>>>>>>> I also installed freeradous 3.0 on a centos 7 but on it I don't > >> get > >>>> eny > >>>>>>>>> warning, even with mine intermediate CA certs. > >>>>>>>>> So I think it might be something with the OS or the radius > itself. > >>>> I'll > >>>>>>>>> try running freeradius 3.0 on Ubuntu to check if has the same > >> result. > >>>>>>>>> > >>>>>>>> > >>>>>>>> To summarize, I've tested 4 different Linux systems and freeradius > >>>>>>>> configurations for eap-tls: > >>>>>>>> > >>>>>>>> - Debian 12 and freeradius 3.2.3 default configuration and default > >>>> certs > >>>>>>>> gives warnings, > >>>>>>>> > >>>>>>>> - Ubuntu 22.04 with freeradius 3.0.26 and freeradius 3.2.3 both > >> with > >>>>>>> stock > >>>>>>>> configuration and certs also gives warnings, > >>>>>>>> > >>>>>>>> - Centos 7 with freeradius 3.2.3 and 3.0.26 both with either > >> default > >>>>>>> certs > >>>>>>>> or my certs works without warnings, > >>>>>>>> > >>>>>>>> - Rocky linux 9.2 with freeradius 3.2.3 gives the warnings. > >>>>>>>> > >>>>>>>> Only on centos 7 I don't get the certificate chain untrusted > >> warning. > >>>>>>>> All the systems are freshly installed with just changed default > >>>>>>>> authentication to eap and added switch to clients. > >>>>>>>> > >>>>>>>> Is the package for Centos in any special way different than the > >> rest? > >>>>>>> > >>>>>>> Each operating system uses a different version of openssl... > >>>>>>> > >>>>>>> Gerald > >>>>>>> > >>>>>> > >>>>>> They do use different openssl version, > >>>>>> Debian - 3.0.9 > >>>>>> Ubuntu - 3.0.2 > >>>>>> Rocky - 3.0.7 > >>>>>> Centos - 1.0.2k later upgraded to 3.0.0 > >>>>>> > >>>>>> Can you share what version of openssl should be used? If that makes > >>>>>> difference? > >>>>>> > >>>>> > >>>>> Ok, so I've installed openssl 1.0.2k on Ubuntu and I get still the > >> same > >>>>> warnings. > >>>>> Now the only difference is the os itself > >>>> > >>>> You are aware, that installing some version and using it are two > >>>> different things? Did you verify that freeradius is actually using > that > >>>> version? > >>>> > >>>> -Gerald > >>>> > >>> > >>> I've renamed the usr/bin/openssl to openssl.old and added the 1.0.2 > one to > >>> the $PATH, run openssl version command and it returned the 1.0.2k > version, > >>> I don't know what else could I do. > >>> > >>> Maciej > >>> > >>>> > >>> - > >>> List info/subscribe/unsubscribe? See > >> http://www.freeradius.org/list/users.html > >> - > >> List info/subscribe/unsubscribe? See > >> http://www.freeradius.org/list/users.html > >> > > - > > List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html > - > List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html >
Can anyone po it me to where from is the openssl command and files passed from freeradius to openssl when it does it's verification, maybe the it's using wrong syntax or the files are not passed correctly so the openssl doesn't acknowledge their existence. Maciej wt., 8 sie 2023, 13:42 użytkownik Maciej Kowalka <maciejkowalkati@gmail.com> napisał: > It returned libssl.so.3 so I assume it still uses the original openssl. > That's unfortunate. Any other ideas what to check/change? > > Maciej > > wt., 8 sie 2023, 13:22 użytkownik Coy Hile <coy.hile@coyhile.com> napisał: > >> Try ldd on the binary? To use a nonstandard path for those libraries may >> require option passed to configure >> >> -c >> >> Sent from my iPhone >> >> > On Aug 8, 2023, at 07:09, Maciej Kowalka <maciejkowalkati@gmail.com> >> wrote: >> > >> > You might be right, the openssl I installed might not be used by >> > freeradius, I'm not a Linux expert neither a freeradius expert, I'm just >> > trying diffent stuff to make it work, currently without success. So if >> > that's the case wold the openssl be broken in 3 versions 3.0.9 3.0.7 and >> > 3.0.2? That are downloaded with freeradius? Or how do I check the >> version >> > of openssl used by freeradius? >> > >> > >> > wt., 8 sie 2023, 12:46 użytkownik marki <jm+freeradiususer@roth.lu> >> napisał: >> > >> >> I admit I didn't read the entire history of this thread but running >> >> openssl via the command line vs using an application (here: freeradius) >> >> (dynamically) linked against the openssl *libraries* is something very >> >> different. >> >> >> >>> On August 8, 2023 12:39:00 PM GMT+02:00, Maciej Kowalka < >> >>> maciejkowalkati@gmail.com> wrote: >> >>> wt., 8 sie 2023, 12:26 użytkownik Gerald Vogt <vogt@spamcop.net> >> napisał: >> >>> >> >>>> On 08.08.23 11:27, Maciej Kowalka wrote: >> >>>>> wt., 8 sie 2023, 08:46 użytkownik Maciej Kowalka < >> >>>> maciejkowalkati@gmail.com> >> >>>>> napisał: >> >>>>> >> >>>>>> wt., 8 sie 2023, 07:36 użytkownik Gerald Vogt <vogt@spamcop.net> >> >>>> napisał: >> >>>>>> >> >>>>>>> On 08.08.23 07:32, Maciej Kowalka wrote: >> >>>>>>>> pt., 4 sie 2023, 12:46 użytkownik Maciej Kowalka < >> >>>>>>> maciejkowalkati@gmail.com> >> >>>>>>>> napisał: >> >>>>>>>> >> >>>>>>>>> >> >>>>>>>>> czw., 3 sie 2023, 20:29 użytkownik Alan DeKok < >> >>>>>>> aland@deployingradius.com> >> >>>>>>>>> napisał: >> >>>>>>>>> >> >>>>>>>>>> On Aug 3, 2023, at 1:16 PM, Maciej Kowalka < >> >>>> maciejkowalkati@gmail.com >> >>>>>>>> >> >>>>>>>>>> wrote: >> >>>>>>>>>>> Ok, to check if my certificates are not ok I've tried the >> >>>>>>> certificates >> >>>>>>>>>> that >> >>>>>>>>>>> are created during installation of freeradius and I get the >> same >> >>>>>>> warning >> >>>>>>>>>>> about the untrusted certs. >> >>>>>>>>>> >> >>>>>>>>>> Then something else is going wrong. The default >> >> configuration >> >>>> and >> >>>>>>>>>> certificates do not use any intermediate certs. And the server >> >> is >> >>>>>>>>>> configured to trust the certs. >> >>>>>>>>>> >> >>>>>>>>>>> Are they supposed to work correctly, without any problems? >> >>>>>>>>>>> Or it might be a openssl bug? When I use openssl command to >> >> check >> >>>>>>>>>>> certificates I get no errors, all are verified "ok". >> >>>>>>>>>> >> >>>>>>>>>> Something is broken in your local system. I don't know >> what. >> >>>>>>>>>> >> >>>>>>>>>> For now, just ignore the errors. >> >>>>>>>>>> >> >>>>>>>>>> Alan DeKok. >> >>>>>>>>>> >> >>>>>>>>> >> >>>>>>>>> I've installed Ubuntu 22 on another vm with freeradius 3.2.3 >> and I >> >>>> get >> >>>>>>> the >> >>>>>>>>> same warning as on current machine. >> >>>>>>>>> >> >>>>>>>>> I also installed freeradous 3.0 on a centos 7 but on it I don't >> >> get >> >>>> eny >> >>>>>>>>> warning, even with mine intermediate CA certs. >> >>>>>>>>> So I think it might be something with the OS or the radius >> itself. >> >>>> I'll >> >>>>>>>>> try running freeradius 3.0 on Ubuntu to check if has the same >> >> result. >> >>>>>>>>> >> >>>>>>>> >> >>>>>>>> To summarize, I've tested 4 different Linux systems and >> freeradius >> >>>>>>>> configurations for eap-tls: >> >>>>>>>> >> >>>>>>>> - Debian 12 and freeradius 3.2.3 default configuration and >> default >> >>>> certs >> >>>>>>>> gives warnings, >> >>>>>>>> >> >>>>>>>> - Ubuntu 22.04 with freeradius 3.0.26 and freeradius 3.2.3 both >> >> with >> >>>>>>> stock >> >>>>>>>> configuration and certs also gives warnings, >> >>>>>>>> >> >>>>>>>> - Centos 7 with freeradius 3.2.3 and 3.0.26 both with either >> >> default >> >>>>>>> certs >> >>>>>>>> or my certs works without warnings, >> >>>>>>>> >> >>>>>>>> - Rocky linux 9.2 with freeradius 3.2.3 gives the warnings. >> >>>>>>>> >> >>>>>>>> Only on centos 7 I don't get the certificate chain untrusted >> >> warning. >> >>>>>>>> All the systems are freshly installed with just changed default >> >>>>>>>> authentication to eap and added switch to clients. >> >>>>>>>> >> >>>>>>>> Is the package for Centos in any special way different than the >> >> rest? >> >>>>>>> >> >>>>>>> Each operating system uses a different version of openssl... >> >>>>>>> >> >>>>>>> Gerald >> >>>>>>> >> >>>>>> >> >>>>>> They do use different openssl version, >> >>>>>> Debian - 3.0.9 >> >>>>>> Ubuntu - 3.0.2 >> >>>>>> Rocky - 3.0.7 >> >>>>>> Centos - 1.0.2k later upgraded to 3.0.0 >> >>>>>> >> >>>>>> Can you share what version of openssl should be used? If that makes >> >>>>>> difference? >> >>>>>> >> >>>>> >> >>>>> Ok, so I've installed openssl 1.0.2k on Ubuntu and I get still the >> >> same >> >>>>> warnings. >> >>>>> Now the only difference is the os itself >> >>>> >> >>>> You are aware, that installing some version and using it are two >> >>>> different things? Did you verify that freeradius is actually using >> that >> >>>> version? >> >>>> >> >>>> -Gerald >> >>>> >> >>> >> >>> I've renamed the usr/bin/openssl to openssl.old and added the 1.0.2 >> one to >> >>> the $PATH, run openssl version command and it returned the 1.0.2k >> version, >> >>> I don't know what else could I do. >> >>> >> >>> Maciej >> >>> >> >>>> >> >>> - >> >>> List info/subscribe/unsubscribe? See >> >> http://www.freeradius.org/list/users.html >> >> - >> >> List info/subscribe/unsubscribe? See >> >> http://www.freeradius.org/list/users.html >> >> >> > - >> > List info/subscribe/unsubscribe? See >> http://www.freeradius.org/list/users.html >> - >> List info/subscribe/unsubscribe? See >> http://www.freeradius.org/list/users.html >> >
participants (5)
-
Alan DeKok -
Coy Hile -
Gerald Vogt -
Maciej Kowalka -
marki