Re: virtual server configuration
It also says: # If CA_file (below) is not used, then the # certificate_file below MUST include not # only the server certificate, but ALSO all # of the CA certificates used to sign the # server certificate.
Please read ALL of the comments in a module you are configuring. Selectively reading them means that you miss vital information.
Alan DeKok.
Except that my server cert does contain a CA cert. I'm not 100% sure it's sufficient, because it was issued from an intermediate CA (it needs to be the signer(s) not the issuer, right?), so I went to another CA got a webserver cert in pem format directly from the root. Downloaded the root CA cert in pem format and appended them.... same error: Error reading Trusted root CA list (null) Do we know this mode is working (No CA_File, but certificate file with server cert + ca cert)? In any case, I'd be willing to experiment more. -- usawebbox@fastmail.fm -- http://www.fastmail.fm - Access your email from home and the web
usawebbox@fastmail.fm wrote:
Except that my server cert does contain a CA cert. I'm not 100% sure it's sufficient, because it was issued from an intermediate CA (it needs to be the signer(s) not the issuer, right?), so I went to another CA got a webserver cert in pem format directly from the root. Downloaded the root CA cert in pem format and appended them.... same error:
You generally want to use self-signed certs for 802.1x. See raddb/certs/README
Do we know this mode is working (No CA_File, but certificate file with server cert + ca cert)? In any case, I'd be willing to experiment more.
It should work in 2.0.2. Alan DeKok.
I'm using FreeRADIUS Version 2.0.2, for host i686-suse-linux-gnu, built on Feb 14 2008 at 15:20:55 I got back to testing allowing only PEAP-GTC on one virtual server. I used the included self-signed certs this time, but as I suspected, the results were the same whenever I comment out CA_file: Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/etc/raddb/certs/server.key" certificate_file = "/etc/raddb/certs/server-ca.pem" private_key_password = "whatever" dh_file = "/etc/raddb/certs/dh" random_file = "/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" } rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) rlm_eap_tls: Error reading Trusted root CA list (null) rlm_eap: Failed to initialize type tls I think we might be trying the wrong thing. Although the comments together say: # If CA_file (below) is not used, then the # certificate_file below MUST include not # only the server certificate, but ALSO all # of the CA certificates used to sign the # server certificate. certificate_file = ${certdir}/wifiserver.pem # This parameter is used only for EAP-TLS, # when you issue client certificates. If you do # not use client certificates, and you do not want # to permit EAP-TLS authentication, then delete # this configuration item. #CA_file = ${cadir}/wifiserver.pem The first comment might be giving you just another place to provide your CA cert, whereas the second comment clearly talks about not permiting EAP-TLS. I say this, because I don't see why the CA would be required at all if EAP-TLS will be denied. All you need is a server cert and private key. In PEAP, the client is the one who needs the CA cert, if he wants to verify the server cert, but even that is optional. Anyway, can we say now that not providing a CA_file doesn't work? If there's something else I should test, just mention it. Thanks. On Thu, 13 Mar 2008 11:58:48 +0100, "Alan DeKok" <aland@deployingradius.com> said:
usawebbox@fastmail.fm wrote:
Except that my server cert does contain a CA cert. I'm not 100% sure it's sufficient, because it was issued from an intermediate CA (it needs to be the signer(s) not the issuer, right?), so I went to another CA got a webserver cert in pem format directly from the root. Downloaded the root CA cert in pem format and appended them.... same error:
You generally want to use self-signed certs for 802.1x. See raddb/certs/README
Do we know this mode is working (No CA_File, but certificate file with server cert + ca cert)? In any case, I'd be willing to experiment more.
It should work in 2.0.2.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html --
usawebbox@fastmail.fm -- http://www.fastmail.fm - I mean, what is it about a decent email service?
usawebbox@fastmail.fm wrote:
The first comment might be giving you just another place to provide your CA cert, whereas the second comment clearly talks about not permiting EAP-TLS. I say this, because I don't see why the CA would be required at all if EAP-TLS will be denied.
Because PEAP uses certificates, too. The requirement for a CA cert comes from the requirements on certificate chains. It is not a PEAP requirement. PEAP just inherits that requirement because PEAP uses certificates.
All you need is a server cert and private key. In PEAP, the client is the one who needs the CA cert, if he wants to verify the server cert, but even that is optional.
The CA cert is needed by OpenSSL to validate the server cert.
Anyway, can we say now that not providing a CA_file doesn't work?
Provide a CA cert as instructed, either in CA_file or in certificate_file. Alan DeKok.
On Wed, 19 Mar 2008 07:30:53 +0100, "Alan DeKok" <aland@deployingradius.com> said:
usawebbox@fastmail.fm wrote:
All you need is a server cert and private key. In PEAP, the client is the one who needs the CA cert, if he wants to verify the server cert, but even that is optional.
The CA cert is needed by OpenSSL to validate the server cert.
I did not know this. I've always provided it, but I didn't know it was required.
Anyway, can we say now that not providing a CA_file doesn't work?
Provide a CA cert as instructed, either in CA_file or in certificate_file.
I wasn't clear enough this time, but I have tried to include it in certificate_file, first with my original certs, then with certs issued from my local CA, then with the example certs created by make ca server. My eap.conf TLS section is: tls { certdir = ${confdir}/certs cadir = ${confdir}/certs private_key_password = whatever private_key_file = ${certdir}/server.key certificate_file = ${certdir}/server-ca.crt #CA_file = ${cadir}/ca.pem dh_file = ${certdir}/dh random_file = ${certdir}/random cipher_list = "DEFAULT" } server-ca.crt is created thus: cat ca.pem server.crt > server-ca.crt In all cases the server does not initialize, with the error: rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) rlm_eap_tls: Error reading Trusted root CA list (null) rlm_eap: Failed to initialize type tls If I uncomment the CA_file line, then peap works normally, and the server cert is validated with ca.pem on the client side. Either I am not making the combined ca/server cert correctly, or this is not working (v2.0.2) -- usawebbox@fastmail.fm -- http://www.fastmail.fm - Send your email first class
usawebbox@fastmail.fm wrote:
In all cases the server does not initialize, with the error: rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) rlm_eap_tls: Error reading Trusted root CA list (null) rlm_eap: Failed to initialize type tls
<sigh> You have to love OpenSSL. When the server tries to do something it gets told that it failed because of an error. What error? None, of course!
Either I am not making the combined ca/server cert correctly, or this is not working (v2.0.2)
I think it also depends on the OpenSSL version. We're pretty much at the mercy of OpenSSL here... Alan DeKok.
participants (2)
-
Alan DeKok -
usawebbox@fastmail.fm