Defining trusted root ca for ldaps server cert validation
Hi there, I’m searching where to define the trusted root ca for validation of the SSL certificate on ldaps connections (FR 3.0.12 with CentOS 7). I added the root ca to the system and tested ldaps connection with 'openssl s_client -connect my_ldap_server_IP:636 -CApath /etc/pki/tls/certs‘ and it returns 'Verify return code: 19 (self signed certificate in certificate chain)‘. Then I tested the trusted root ca’s at the system to be sure the correct ca’s are there with ... awk -v cmd='openssl x509 -noout -subject' \ '/BEGIN/{close(cmd)};{print | cmd}' \ < /etc/pki/tls/certs/ca-bundle.crt … and the CA is listed. Am I doing something wrong or is it a OpenSSL issue? Do I have to (or is it possible to) define the trusted root ca within Freeradius? I also didn’t quite understand what the tls section in mods-enabled/ldap is for. As far as I know ldap clients don’t need a client certificate except the LDAP configuration requires it. And in my case it isn’t. When I let ‚ca_file‘ point to my root ca, i get the following: TLS: could not add the certificate '/usr/local/etc/raddb/certs/cacert.crt' - error -8018:Unknown PKCS #11 error.. TLS: /usr/local/etc/raddb/certs/cacert.crt is not a valid CA certificate file - error -8018:Unknown PKCS #11 error.. TLS: could not perform TLS system initialization. TLS: error: could not initialize moznss security context - error -8018:Unknown PKCS #11 error. TLS: can't create ssl handle. I have to admit I’m not practiced with PKI. Thanks so much for help!
On May 4, 2017, at 3:51 PM, Philipp Trenz <mail@philipptrenz.de> wrote:
I’m searching where to define the trusted root ca for validation of the SSL certificate on ldaps connections (FR 3.0.12 with CentOS 7).
Read raddb/mods-available/ldap. Look for the "tls" section.
I added the root ca to the system
FreeRADIUS doesn't look in any "system" for CA certificates.
and tested ldaps connection with 'openssl s_client -connect my_ldap_server_IP:636 -CApath /etc/pki/tls/certs‘ and it returns 'Verify return code: 19 (self signed certificate in certificate chain)‘. Then I tested the trusted root ca’s at the system to be sure the correct ca’s are there with ...
awk -v cmd='openssl x509 -noout -subject' \ '/BEGIN/{close(cmd)};{print | cmd}' \ < /etc/pki/tls/certs/ca-bundle.crt
… and the CA is listed. Am I doing something wrong or is it a OpenSSL issue? Do I have to (or is it possible to) define the trusted root ca within Freeradius?
I also didn’t quite understand what the tls section in mods-enabled/ldap is for.
It's for configuring the trusted root CA for validation of the SSL certificate on ldaps connections.
As far as I know ldap clients don’t need a client certificate except the LDAP configuration requires it.
The LDAP module configuration *allows* for a client certificate. And "ldap clients don’t need a client certificate" is irrelevant. If you're connecting over TLS to anything, you should be able to use client certificates. That's how TLS works. It's independent of the protocol *inside* of the TLS session.
And in my case it isn’t. When I let ‚ca_file‘ point to my root ca, i get the following:
TLS: could not add the certificate '/usr/local/etc/raddb/certs/cacert.crt' - error -8018:Unknown PKCS #11 error.. TLS: /usr/local/etc/raddb/certs/cacert.crt is not a valid CA certificate file - error -8018:Unknown PKCS #11 error..
Well, that seems clear.
TLS: could not perform TLS system initialization. TLS: error: could not initialize moznss security context - error -8018:Unknown PKCS #11 error. TLS: can't create ssl handle.
I have to admit I’m not practiced with PKI.
You need to use a CA certificate. So... where did you get that cert? And if you're using CentOS, you may very well be using the RH version of the LDAP client library, which is compiled with NSS. And that is *very* incompatible with FreeRADIUS. FreeRADIUS uses OpenSSL, and NSS has a (sort of) wrapper for OpenSSL functions. Which means that using the both libraries in the same application is a recipe for disaster. It just won't work. You'll either have to use just plain LDAP, or re-build the LDAP client libraries to use OpenSSL. Alan DEKok.
hi, you'll want to use a client certificate and have the relevant server/root certificate if you want security. if you can afford for stuff to transit non secured then you can choose not to use TLS (check the option out). you only gave a small snippet of output...I would suggest that the server isnt allowed to read/access that file - hence the error. this may be file permissions, it may be selinux alan On 4 May 2017 at 20:51, Philipp Trenz <mail@philipptrenz.de> wrote:
Hi there,
I’m searching where to define the trusted root ca for validation of the SSL certificate on ldaps connections (FR 3.0.12 with CentOS 7). I added the root ca to the system and tested ldaps connection with 'openssl s_client -connect my_ldap_server_IP:636 -CApath /etc/pki/tls/certs‘ and it returns 'Verify return code: 19 (self signed certificate in certificate chain)‘. Then I tested the trusted root ca’s at the system to be sure the correct ca’s are there with ...
awk -v cmd='openssl x509 -noout -subject' \ '/BEGIN/{close(cmd)};{print | cmd}' \ < /etc/pki/tls/certs/ca-bundle.crt
… and the CA is listed. Am I doing something wrong or is it a OpenSSL issue? Do I have to (or is it possible to) define the trusted root ca within Freeradius?
I also didn’t quite understand what the tls section in mods-enabled/ldap is for. As far as I know ldap clients don’t need a client certificate except the LDAP configuration requires it. And in my case it isn’t. When I let ‚ca_file‘ point to my root ca, i get the following:
TLS: could not add the certificate '/usr/local/etc/raddb/certs/cacert.crt' - error -8018:Unknown PKCS #11 error.. TLS: /usr/local/etc/raddb/certs/cacert.crt is not a valid CA certificate file - error -8018:Unknown PKCS #11 error.. TLS: could not perform TLS system initialization. TLS: error: could not initialize moznss security context - error -8018:Unknown PKCS #11 error. TLS: can't create ssl handle.
I have to admit I’m not practiced with PKI.
Thanks so much for help!
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan Buxey -
Alan DeKok -
Philipp Trenz