Unable to use freeradius 3.0.26 with openssl 3.0
Hi, I am using Freeradius version 3.0.26 for a basic authentication, My system is upgraded from Openssl 1.0.2 to 3.0.4 version and after this the authentication is failing because server is rejecting the incoming request with following message. Dropping packet without response because of error: Received packet from 10.0.0.1 with invalid Message-Authenticator! (Shared secret is incorrect.) This must be happening, because MD5 is deprecated in openssl3.0 which is used by Freeradius for calculating Message-Authenticator attribute. I could see in release notes of 3.0.26, openssl 3.0 and tls1.3 support is added. i need help with the below line from release notes. *Add configure-time FIPS workaround to use internal MD4/MD5 implementations when disabled in OpenSSL.* I believe this workaround is the solution to my problem, can you please help me in what exactly needs to be done for this workaround. Thanks & Regards, Amit
On Jan 20, 2025, at 2:38 AM, Amit P <amit.subscription@gmail.com> wrote:
I am using Freeradius version 3.0.26 for a basic authentication, My system is upgraded from Openssl 1.0.2 to 3.0.4 version
You can't upgrade OpenSSL across major versions, and expect that the same FreeRADIUS package will continue to work. FreeRADIUS has to be built against the correct version of OpenSSL. We have pre-built packages for most Linux distributions on our web site: https://packages.inkbridgenetworks.com/ These packages are built with OpenSSL 3. Alan DeKok.
Hi Alan, Thanks for your response. As per 3.0.26 release notes ( https://www.freeradius.org/release_notes/?s=3.0.26) OpenSSL3 support is available in this version. *Feature Improvements* - Add support for OpenSSL3. - Support PEAP and TTLS with TLS 1.3. This has been tested with wpa_supplicant and Windows 11. - Add configure-time FIPS workaround to use internal MD4/MD5 implementations when disabled in OpenSSL. I am building Freeradius using below Yocto recipe, so it should pick the system's OpenSSL version where it is being compiled. https://git.openembedded.org/meta-openembedded/tree/meta-networking/recipes-... Are you saying we can't use Freeradius 3.0.26 package with OpenSSL3.0. Please let me know if I am missing anything. Thanks & Regards, Amit On Mon, Jan 20, 2025 at 6:24 PM Alan DeKok <aland@deployingradius.com> wrote:
On Jan 20, 2025, at 2:38 AM, Amit P <amit.subscription@gmail.com> wrote:
I am using Freeradius version 3.0.26 for a basic authentication, My system is upgraded from Openssl 1.0.2 to 3.0.4 version
You can't upgrade OpenSSL across major versions, and expect that the same FreeRADIUS package will continue to work.
FreeRADIUS has to be built against the correct version of OpenSSL. We have pre-built packages for most Linux distributions on our web site:
https://packages.inkbridgenetworks.com/
These packages are built with OpenSSL 3.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Jan 20, 2025, at 12:38 PM, Amit P <amit.subscription@gmail.com> wrote:
Thanks for your response. As per 3.0.26 release notes ( https://www.freeradius.org/release_notes/?s=3.0.26) OpenSSL3 support is available in this version.
Yes, you don't need to quote that to me. I already agreed that it supported OpenSSL3. Please read the message you're replying to. I said that you had to build the server using OpenSSL3. If you're already running a copy with OpenSSL1... then it was built against OpenSSL1, and not OpenSSL3. You can't just upgrade the OpenSSL libraries, and expect a pre-built binary of FreeRADIUS to be OK with that.
I am building Freeradius using below Yocto recipe, so it should pick the system's OpenSSL version where it is being compiled. https://git.openembedded.org/meta-openembedded/tree/meta-networking/recipes-...
Ask Yocto how their recipes work, and why it's not picking OpenSSL3. I didn't write those recipes, and I know nothing about them. When you build the server from source (not using some broken third-party tools), it will pick OpenSSL3 if OpenSSL3 is installed.
Are you saying we can't use Freeradius 3.0.26 package with OpenSSL3.0.
I didn't say that. Please read my messages. They are very clear. When I say "build FreeRADIUS using OpenSSL3", I don't mean "you can't build FreeRADIUS with OpenSSL3". Alan DeKok.
On Tue, Jan 21, 2025 at 12:38 AM Amit P <amit.subscription@gmail.com> wrote:
Are you saying we can't use Freeradius 3.0.26 package with OpenSSL3.0.
As a fellow user, I can't comment on that since I haven't tested it myself.
Please let me know if I am missing anything.
I would, however, ask why you're using that combination. You might have better luck: - use packages provided by freeradius (which Alan linked). or - using distro-provided packages. or - using libraries provided by the distro, and compile your own latest version (should be 3.2.6) If you somehow end up with "I'm stuck with openssl 3.0 from the OS/distro, but need freeradius 3.0 because my old server runs that version". I suggest take a look at docker: https://hub.docker.com/r/freeradius/freeradius-server (if you're new to docker, in this context it allows an app to have it's own libraries / dependencies, separate from the OS) -- Fajar
As far as I can see in the recipe (never used them tbh), it uses openssl include and lib dirs from system, because the recipe does not override the defaults: STAGING_INCDIR: Specifies the path to the /usr/include subdirectory of the sysroot directory for the target for which the current recipe being built (STAGING_DIR_HOST). STAGING_LIBDIR: Specifies the path to the /usr/lib subdirectory of the sysroot directory for the target for which the current recipe is being built (STAGING_DIR_HOST). So it links against the openssl dev libraries installed on the build host. More info in the yocto docu: https://docs.yoctoproject.org/dev-manual/new-recipe.html#compilation Ludo On 20. 1. 2025 18:38, Amit P wrote:
Hi Alan,
Thanks for your response. As per 3.0.26 release notes ( https://www.freeradius.org/release_notes/?s=3.0.26) OpenSSL3 support is available in this version.
*Feature Improvements*
- Add support for OpenSSL3. - Support PEAP and TTLS with TLS 1.3. This has been tested with wpa_supplicant and Windows 11. - Add configure-time FIPS workaround to use internal MD4/MD5 implementations when disabled in OpenSSL.
I am building Freeradius using below Yocto recipe, so it should pick the system's OpenSSL version where it is being compiled. https://git.openembedded.org/meta-openembedded/tree/meta-networking/recipes-...
Are you saying we can't use Freeradius 3.0.26 package with OpenSSL3.0. Please let me know if I am missing anything.
Thanks & Regards, Amit
On Mon, Jan 20, 2025 at 6:24 PM Alan DeKok <aland@deployingradius.com> wrote:
On Jan 20, 2025, at 2:38 AM, Amit P <amit.subscription@gmail.com> wrote:
I am using Freeradius version 3.0.26 for a basic authentication, My system is upgraded from Openssl 1.0.2 to 3.0.4 version
You can't upgrade OpenSSL across major versions, and expect that the same FreeRADIUS package will continue to work.
FreeRADIUS has to be built against the correct version of OpenSSL. We have pre-built packages for most Linux distributions on our web site:
https://packages.inkbridgenetworks.com/
These packages are built with OpenSSL 3.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Ľudovít Mikula Mikori s.r.o ------------------------ Fatranská 3100/4 01008 Žilina Slovenská Republika ------------------------ ... aby korenie chutilo, ako má ... ------------------------ Web: https://www.mikori.sk/ E-Shop: https://www.cerstvekorenie.sk/ E-mail: ludovit.mikula@mikori.sk Facebook: https://www.facebook.com/mikori.korenie/
On Jan 22, 2025, at 6:15 AM, Ľudovít Mikula <ludovit.mikula@mikori.sk> wrote:
As far as I can see in the recipe (never used them tbh), it uses openssl include and lib dirs from system, because the recipe does not override the defaults:
<shrug> Debug it, or ask the yocto project how the recipes work. Again, we don't write those recipes, and we know nothing about them, The normal build works. And is documented. Why not use it? Alan DeKok.
Thanks for your responses. My issue is resolved now. I used "--enable-fips-workaround" option during ./configure time and built freeradius. It started working fine. Regards, Amit On Wed, Jan 22, 2025 at 7:40 PM Alan DeKok <aland@deployingradius.com> wrote:
On Jan 22, 2025, at 6:15 AM, Ľudovít Mikula <ludovit.mikula@mikori.sk> wrote:
As far as I can see in the recipe (never used them tbh), it uses openssl
include and lib dirs from system, because the recipe does not override the defaults:
<shrug> Debug it, or ask the yocto project how the recipes work.
Again, we don't write those recipes, and we know nothing about them, The normal build works. And is documented. Why not use it?
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (4)
-
Alan DeKok -
Amit P -
Fajar Nugraha -
Ľudovít Mikula