hello, I try to configure my freeradius-2.0.3-3.el5 to read our certicate chain with no success :-( . neither CA_file or CA_path directives works as expected in eap.conf . here's my config: /etc/raddb/eap.conf tls { certdir = ${confdir}/certs cadir = ${confdir}/certs/CA private_key_password = secret private_key_file = ${certdir}/radiux-pkiit-2008.key.pass.pem certificate_file = ${certdir}/radiux-pkiit-2008.pem CA_file = ${certdir}/pki-chain.pem #CA_path = ${cadir}/ pki-chain.pem contain the concatenation of our 3 level pki hierarchy ( cat itClass1.crt > pki-chain.pem ; cat itClass2.crt >> pki-chain.pem ; cat itClass3.crt >> pki-chain.pem ) itClass1.crt is self-signed, it signed class2 , then class2 signed class3 CA and finnaly class3 signed radiux-pkiit-2008.pem SSL server . Then, how can I tell freeradius to load that pki-chain.pem ? setting it in CA_file doesn't seem to work, as clients with itClass1.crt loaded cannot negociate TLS handshake with the freeradius server :-( Using the CA_path directive with a certs/CA directory containing the 3 classes certificate in PEM format + a hash on them , generate a segmentation fault on the start of radiusd :-( . is CA_path deprecated ? how should the certificate and hash in that CA_path should be presented ? I heard about C_rehash but cannot find it. Please let me know how to tell radiusd/eap to load my self signed 3 level hierarchy pki . Thanks.
pki-chain.pem contain the concatenation of our 3 level pki hierarchy ( cat itClass1.crt > pki-chain.pem ; cat itClass2.crt >> pki-chain.pem ; cat itClass3.crt >> pki-chain.pem )
Did you find somewhere in openssl documentation that you can mix .pem and crt formats like that? Ivan Kalik Kalik Informatika ISP
tnt@kalik.net a écrit :
pki-chain.pem contain the concatenation of our 3 level pki hierarchy ( cat itClass1.crt > pki-chain.pem ; cat itClass2.crt >> pki-chain.pem ; cat itClass3.crt >> pki-chain.pem )
Did you find somewhere in openssl documentation that you can mix .pem and crt formats like that?
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
well ... my .crt files are in PEM format (not ASN1/DER ). I should rename them to .pem ... but after the concatenations, finally the pki-chain.pem contains 3 instances of BEGIN -- END certificate isn't it correct ? what about that CA_path directive ? why is it generating a segmentation fault when starting radiusd ? thanks.
Alan DeKok a écrit :
Jehan PROCACCIA wrote:
what about that CA_path directive ? why is it generating a segmentation fault when starting radiusd ?
See doc/bugs
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
a link would be greatly appreciated . I am reading http://wiki.freeradius.org/Eap.conf where else could I find doc/bugs about CA_path ? googling though "CA_path freeradius bug eap" didn't helped .
Jehan PROCACCIA wrote:
See doc/bugs
a link would be greatly appreciated .
Ummm... this file ships with the server. If you can't find it in the "tar" file, it's usually in /usr/share/doc/something/, depending on your local installation. See also the main web site. There's a link on EVERY page saying "report a bug". That page includes instructions for bug reporting. It's really not that hard.
I am reading http://wiki.freeradius.org/Eap.conf where else could I find doc/bugs about CA_path ? googling though "CA_path freeradius bug eap" didn't helped .
How about reading the files that come with the server, or the web pages hosted on freeradius.org? Is there any reason you're avoiding the documentation that comes with the server, and the main server web pages? Alan DeKok.
Alan DeKok a écrit :
Jehan PROCACCIA wrote:
See doc/bugs
a link would be greatly appreciated .
Ummm... this file ships with the server. If you can't find it in the "tar" file, it's usually in /usr/share/doc/something/, depending on your local installation.
See also the main web site. There's a link on EVERY page saying "report a bug". That page includes instructions for bug reporting.
It's really not that hard.
Actually I wasn't suggesting that it is a bug, my inital question is how one can use that CA_path directive and what the CA_path should contain . If it's a bug, then I should rather update my freeradius-2.0.3-3.el5 to 2.1.1 or so ? but I'am surprise to be the only one having that problem . indeed I do have a /usr/share/doc/freeradius-2.0.3 directory containing docs but nothing on the CA_path directive, neither in bugs,ChangeLog,rlm_eap or any other file. My initial question is: "how to configure eap.conf tls section to load a multi-level certificate hierarchy (CA bundle)" ? Thanks .
My initial question is: "how to configure eap.conf tls section to load a multi-level certificate hierarchy (CA bundle)" ?
The same as for a single CA. You have configured that properly. You said that server worked with a single CA but segfaulted when you replaced it with that bundle. I would suspect that there is something wrong with that certificate bundle. You should still follow instructions in doc/bugs to make sure that bundle is the problem. Ivan Kalik Kalik Informatika ISP
Jehan PROCACCIA wrote:
Actually I wasn't suggesting that it is a bug,
A core dump is a bug. The files I suggested you read contain instructions that help us fix the bug.
my inital question is how one can use that CA_path directive and what the CA_path should contain . If it's a bug, then I should rather update my freeradius-2.0.3-3.el5 to 2.1.1 or so ?
I would suggest trying that.
but I'am surprise to be the only one having that problem . indeed I do have a /usr/share/doc/freeradius-2.0.3 directory containing docs but nothing on the CA_path directive, neither in bugs,ChangeLog,rlm_eap or any other file.
How about eap.conf? The CA path is a path to a directory containing certs and CRL's. This is *documented* in eap.conf.
My initial question is: "how to configure eap.conf tls section to load a multi-level certificate hierarchy (CA bundle)" ?
Include the certificates in the CA_path directory. Alan DeKok.
OK, I found why it cored-dump. I though that CA_file and CA_path needed to be set seperatly. so when setting CA_path I was commenting CA_file . Now that both CA_file and CA_path directives are present in eap.conf, it doesn't core-dump anymore. Anyway, I found my real problem. It's from securew2 windows EAP-TTLs client it doesn't support certificate above 2048 bits, and our 3 level CA chain is composed of 3x4096bits CA certificate. So securew2 was complaining about a wrong certificate from freeradius, beacause it could'nt read such a "large" bundle. dixit securew2 mailing-list : Tom Rixom wrote:
At the moment sw2 supports certificate file sizes up to 2048. This will be upped in the next release candidate. As soon as we have a release candidate (hopefully end of this month) you can test it. we are waiting for a securew2 new release to validate that .
Alan DeKok wrote:
Jehan PROCACCIA wrote:
Actually I wasn't suggesting that it is a bug,
A core dump is a bug. The files I suggested you read contain instructions that help us fix the bug.
my inital question is how one can use that CA_path directive and what the CA_path should contain . If it's a bug, then I should rather update my freeradius-2.0.3-3.el5 to 2.1.1 or so ?
I would suggest trying that.
but I'am surprise to be the only one having that problem . indeed I do have a /usr/share/doc/freeradius-2.0.3 directory containing docs but nothing on the CA_path directive, neither in bugs,ChangeLog,rlm_eap or any other file.
How about eap.conf? The CA path is a path to a directory containing certs and CRL's. This is *documented* in eap.conf.
My initial question is: "how to configure eap.conf tls section to load a multi-level certificate hierarchy (CA bundle)" ?
Include the certificates in the CA_path directory.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (4)
-
Alan DeKok -
Jehan PROCACCIA -
jehan procaccia -
tnt@kalik.net