Hello, I tried test FR 3.0.3. During parsing configuration files FR goes down with segmentation fault. I'm using radsec tunnels. Used configuration files are from previous git version. /usr/sbin/freeradius -C Segmentation fault (gdb) run Starting program: /usr/sbin/freeradius [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". Program received signal SIGSEGV, Segmentation fault. 0x00007ffff71f5133 in CRYPTO_set_ex_data () from /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (gdb) bt #0 0x00007ffff71f5133 in CRYPTO_set_ex_data () from /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 #1 0x00000000004331ae in init_tls_ctx (conf=conf@entry=0x821700, client=client@entry=1) at src/main/tls.c:2009 #2 0x0000000000436ef7 in tls_client_conf_parse (cs=cs@entry=0x846dd0) at src/main/tls.c:2484 #3 0x000000000042ef68 in home_server_add (rc=rc@entry=0x81d4a0, cs=cs@entry=0x845ec0) at src/main/realms.c:663 #4 0x0000000000430cbb in realms_init (config=config@entry=0x65eb00) at src/main/realms.c:1885 #5 0x000000000041b841 in mainconfig_init () at src/main/mainconfig.c:919 #6 0x000000000040e6ec in main (argc=1, argv=0x7fffffffec88) at src/main/radiusd.c:331 /usr/sbin/freeradius -X freeradius: FreeRADIUS Version 3.0.3 (git #8a79342), for host x86_64-pc-linux-gnu, built on Apr 22 2014 at 13:10:22 Copyright (C) 1999-2014 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file named COPYRIGHT Starting - reading configuration files ... including dictionary file /usr/share/freeradius/dictionary including dictionary file /etc/freeradius/dictionary including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including files in directory /etc/freeradius/mods-enabled/ including configuration file /etc/freeradius/mods-enabled/sradutmp including configuration file /etc/freeradius/mods-enabled/passwd including configuration file /etc/freeradius/mods-enabled/logintime including configuration file /etc/freeradius/mods-enabled/digest including configuration file /etc/freeradius/mods-enabled/pap including configuration file /etc/freeradius/mods-enabled/dhcp including configuration file /etc/freeradius/mods-enabled/preprocess including configuration file /etc/freeradius/mods-enabled/ldap including configuration file /etc/freeradius/mods-enabled/linelog including configuration file /etc/freeradius/mods-enabled/utf8 including configuration file /etc/freeradius/mods-enabled/replicate including configuration file /etc/freeradius/mods-enabled/attr_filter including configuration file /etc/freeradius/mods-enabled/unix including configuration file /etc/freeradius/mods-enabled/files including configuration file /etc/freeradius/mods-enabled/exec including configuration file /etc/freeradius/mods-enabled/expr including configuration file /etc/freeradius/mods-enabled/detail.log including configuration file /etc/freeradius/mods-enabled/mschap including configuration file /etc/freeradius/mods-enabled/expiration including configuration file /etc/freeradius/mods-enabled/chap including configuration file /etc/freeradius/mods-enabled/realm including configuration file /etc/freeradius/mods-enabled/detail including configuration file /etc/freeradius/mods-enabled/radutmp including configuration file /etc/freeradius/mods-enabled/soh including configuration file /etc/freeradius/mods-enabled/cache_eap including configuration file /etc/freeradius/mods-enabled/dynamic_clients including configuration file /etc/freeradius/mods-enabled/unpack including configuration file /etc/freeradius/mods-enabled/always including configuration file /etc/freeradius/mods-enabled/echo including configuration file /etc/freeradius/mods-enabled/eap including configuration file /etc/freeradius/mods-enabled/ntlm_auth including files in directory /etc/freeradius/policy.d/ including configuration file /etc/freeradius/policy.d/control including configuration file /etc/freeradius/policy.d/dhcp including configuration file /etc/freeradius/policy.d/operator-name including configuration file /etc/freeradius/policy.d/canonicalization including configuration file /etc/freeradius/policy.d/filter including configuration file /etc/freeradius/policy.d/accounting including configuration file /etc/freeradius/policy.d/cui including configuration file /etc/freeradius/policy.d/eap including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/tls including configuration file /etc/freeradius/sites-enabled/inner-tunnel including configuration file /etc/freeradius/sites-enabled/default main { security { user = "freerad" group = "freerad" allow_core_dumps = no } } main { name = "freeradius" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/freeradius" run_dir = "/var/run/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = yes auth_badpass = yes auth_goodpass = yes msg_badpass = "bad_pass: " msg_goodpass = "good_pass: " colourise = no msg_denied = "You are already logged in - access denied" } security { max_attributes = 200 reject_delay = 1 status_server = yes allow_vulnerable_openssl = "no" } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = <<< secret >>> response_window = 20 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 revive_interval = 120 status_check_timeout = 4 coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } } home_server tls { ipaddr = radius1.eduroam.cz IP address [195.113.187.22] port = 2083 type = "auth" proto = "tcp" secret = <<< secret >>> response_window = 30 max_outstanding = 65536 zombie_period = 40 status_check = "none" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 revive_interval = 300 status_check_timeout = 4 coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } } tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 ca_path = "/etc/freeradius/certs" pem_file_type = yes private_key_file = "/etc/freeradius/certs/radius.key" certificate_file = "/etc/freeradius/certs/radius.crt" dh_file = "/etc/freeradius/certs/dh" random_file = "/etc/freeradius/certs/random" fragment_size = 8192 include_length = yes check_crl = no cipher_list = "DEFAULT" ecdh_curve = "prime256v1" } Segmentation fault Previous version works almost well. Thanks for tips Pavel Polacek -- Pavel Polacek tel: +420 47 528 6253 Oddeleni spravy site email: pavel.polacek@ujep.cz Centrum Informatiky Pasteurova 1 400 01 Usti nad Labem ********************************************************** * starnem a porad nic, rozum jako kdyby se nam vyhybal * **********************************************************
Polish wrote:
Hello,
I tried test FR 3.0.3. During parsing configuration files FR goes down with segmentation fault. I'm using radsec tunnels. Used configuration files are from previous git version.
/usr/sbin/freeradius -C Segmentation fault
(gdb) run Starting program: /usr/sbin/freeradius [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault. 0x00007ffff71f5133 in CRYPTO_set_ex_data () from /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (gdb) bt #0 0x00007ffff71f5133 in CRYPTO_set_ex_data () from /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 #1 0x00000000004331ae in init_tls_ctx (conf=conf@entry=0x821700, client=client@entry=1) at src/main/tls.c:2009
My guess is that SSL_CTX_New() is returning a NULL context. i.e. it can't create one. If you could confirm that with gdb, it would help. I'm not sure how to avoid the problem, but I can add a check which prevents it from crashing.
fragment_size = 8192
Please don't do that. It will very likely not work. That fragment size is larger than the allowed RADIUS packets. The fragment_size should be set to more than 1000 bytes, and less than 4000 bytes. Alan DeKok.
Hello Alan,
My guess is that SSL_CTX_New() is returning a NULL context. i.e. it can't create one. If you could confirm that with gdb, it would help.
Breakpoint 1, init_tls_ctx (conf=conf@entry=0x821d60, client=client@entry=1) at src/main/tls.c:1987 1987 { (gdb) s 2003 ctx = SSL_CTX_new(TLSv1_method()); (gdb) s 2009 SSL_CTX_set_app_data(ctx, conf); (gdb) p ctx $1 = <optimized out> (gdb) s 2003 ctx = SSL_CTX_new(TLSv1_method()); (gdb) s 2009 SSL_CTX_set_app_data(ctx, conf); (gdb) p ctx $2 = (SSL_CTX *) 0x0 (gdb) s Program received signal SIGSEGV, Segmentation fault. 0x00007ffff71f5133 in CRYPTO_set_ex_data () from /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 Is succicient?
I'm not sure how to avoid the problem, but I can add a check which prevents it from crashing.
fragment_size = 8192
Please don't do that. It will very likely not work. That fragment size is larger than the allowed RADIUS packets. The fragment_size should be set to more than 1000 bytes, and less than 4000 bytes.
Alan DeKok.
Hello, On Wed, 23 Apr 2014, Alan DeKok wrote:
Polish wrote:
2009 SSL_CTX_set_app_data(ctx, conf); (gdb) p ctx $2 = (SSL_CTX *) 0x0 (gdb) s
...
Is succicient?
Yes. Please grab the v3.0.x branch from github. I don't know why the SSL ctx is failing, but at least the server will stop crashing.
Alan DeKok.
you are right, server stop crashing. Problem is probably in sites-enabled/tls server configuration. Exists documentation how to setup radsec tls tunnel after version 3.0.2? Thank you Pavel Polacek
Polish wrote:
you are right, server stop crashing. Problem is probably in sites-enabled/tls server configuration. Exists documentation how to setup radsec tls tunnel after version 3.0.2?
Well... it should work. It works in my tests. I've pushed a minor patch so it prints out SSL errors in debug mode. That *should* tell you what is going wrong. Alan DeKok.
participants (2)
-
Alan DeKok -
Polish