Radsec with TLS-PSK

Salman Ahmed salman.isd at gmail.com
Fri Mar 17 12:43:15 CET 2017


Hello,

I have tested FR(3_0_11) with RADIUS over TLS locally with certificates and
it's working fine... But when I disable certificates and try with PSK id/key
I run into the
"tls: TLS Server requires a private key file"
error.

In the tls_server_conf_parse function in tls.c, I see the check for
conf->private_key_file and certificate_file existence is done before the
verification of psk values. Setting these files results in

"tls: When PSKs are used, No certificate configuration is permitted"

Is there something I'm missing?

listen {
    type = auth
    ipaddr = 127.0.0.1
    port = 4124
    proto = tcp
    clients = radsec

    tls {
        #private_key_password = whatever
        #private_key_file = ${confdir}/server.pem
        #certificate_file = ${confdir}/server.pem
        psk_identity = "bob"
        psk_hexphrase = "9aae97122ccf629de0bf73e688f57295"
        #psk_query = "%{psksql:select hex(key) from psk_keys where keyid = '%{TLS-PSK-Identity}'}"
        #require_client_cert = no
        cipher_list = "DEFAULT"
    }

}

authorize {
    files
    pap
}

authenticate {
    Auth-Type PAP {
        pap
    }
}

thread pool {
    start_servers = 5
    max_servers = 32
    min_spare_servers = 3
    max_spare_servers = 10
    max_requests_per_server = 0
    auto_limit_acct = no
}

clients radsec {
    client 127.0.0.1 {
        ipaddr = 127.0.0.1
        proto = tls
    }
}
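
The check ordering described in the message above, as an added example that is not part of the original post and is not FreeRADIUS source: a small model in which the key-file check runs before the PSK values are examined, beside one possible PSK-first ordering. The struct, function names and the ERR_PSK_BAD text are hypothetical; the other two messages and the PSK values are the ones quoted in the post.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the tls{} settings; not FreeRADIUS's own struct. */
typedef struct {
    const char *private_key_file, *certificate_file;
    const char *psk_identity, *psk_hexphrase;
} tls_conf_model;

static const char ERR_NEED_KEY[] = "TLS Server requires a private key file";
static const char ERR_PSK_CERTS[] = "When PSKs are used, No certificate configuration is permitted";
static const char ERR_PSK_BAD[] = "PSK needs an identity and an even-length hex key"; /* constructed */

/* The two configurations from the post (file path is a constructed value). */
static const tls_conf_model PSK_ONLY = { NULL, NULL, "bob", "9aae97122ccf629de0bf73e688f57295" };
static const tls_conf_model PSK_PLUS_CERTS = { "server.pem", "server.pem", "bob", "9aae97122ccf629de0bf73e688f57295" };

static int has_certs(const tls_conf_model *c) { return c->private_key_file || c->certificate_file; }

/* Non-empty, even-length, hex digits only. */
static int valid_hexphrase(const char *s) {
    size_t n = 0;
    if (!s) return 0;
    for (; s[n]; n++) if (!isxdigit((unsigned char)s[n])) return 0;
    return n > 0 && n % 2 == 0;
}

/* Ordering as reported: key file required first, PSK looked at afterwards. */
const char *check_as_reported(const tls_conf_model *c) {
    if (!c->private_key_file) return ERR_NEED_KEY;             /* PSK-only stops here */
    if (c->psk_identity && has_certs(c)) return ERR_PSK_CERTS; /* certs + PSK stops here */
    return NULL;
}

/* One possible ordering: decide PSK vs certificate mode before requiring files. */
const char *check_psk_first(const tls_conf_model *c) {
    if (c->psk_identity || c->psk_hexphrase) {
        if (has_certs(c)) return ERR_PSK_CERTS;
        if (!c->psk_identity || !valid_hexphrase(c->psk_hexphrase)) return ERR_PSK_BAD;
        return NULL;                                           /* PSK-only accepted */
    }
    return c->private_key_file ? NULL : ERR_NEED_KEY;
}

int main(void) {
    const char *r = check_as_reported(&PSK_ONLY), *p = check_psk_first(&PSK_ONLY);
    printf("as reported: %s\npsk first:   %s\n", r ? r : "ok", p ? p : "ok");
    return 0;
}
```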

