HUP stops radiusd
Alan DeKok
aland at deployingradius.com
Mon May 14 22:56:40 CEST 2007
John Horne wrote:
...
> In our case, using freeradius 1.1.6, if I HUP the radiusd process it
> crashes/stops. Running 'radiusd -X', the tail part shows:
...
> Mon May 14 13:38:54 2007 : Error: radiusd.conf[230] Auth-Type PAP
> already configured - skipping
> Mon May 14 13:38:54 2007 : Error: radiusd.conf[234] Auth-Type MS-CHAP
> already configured - skipping

Those errors can be suppressed. It's probably worth doing.

> Mon May 14 13:38:54 2007 : Info: rlm_eap_tls: Loading the certificate
> file as a chain
> Mon May 14 13:38:54 2007 : Error: rlm_eap: SSL error error:0906D06C:PEM
> routines:PEM_read_bio:no start line

Ah.... I think what's happening is that OpenSSL is caching the file
from the last time it was read. So the server starts, and reads 1
certificate from the file. OpenSSL leaves the file open, or remembers
where it left off. When FreeRADIUS asks OpenSSL to read the file again,
OpenSSL continues from where it left off, rather than starting from the
beginning of the file.

That's not nice. And it's not documented as doing that. But I
suspect it would work.

A simple test would be to do the following:

1) put two copies of the certificate into the file, one after the other.
2) start the server and verify it works
3) HUP the server, and verify that it correctly loads the certificate
4) HUP the server again, and see that it complains.

If you do that, and it works like I outlined, then I would argue that
it's a bug in OpenSSL. FreeRADIUS calls SSL_new() to initialize
OpenSSL, and SSL_free() to clean up after itself. But I'd bet that
OpenSSL does *not* return to its initial state after calling
SSL_free(). Instead, it keeps some things cached...

Knowing the explanation is nice, but I'm not sure how this lets us fix
the problem.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
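
A small model of the hypothesis and the four-step test in the message above, added here as an illustration; it is not FreeRADIUS or OpenSSL code. The names `read_next_pem` and `first_failing_load` and the sample PEM block are constructed for the example, and the reused-handle behaviour is the assumption under test, not confirmed OpenSSL behaviour.

```python
import io

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
# Constructed placeholder block: the body is not a real certificate.
SAMPLE_CERT = f"{BEGIN}\nQ09OU1RSVUNURUQgU0FNUExF\n{END}\n"


class NoStartLine(Exception):
    """Stands in for the 'PEM_read_bio:no start line' error in the log."""


def read_next_pem(stream):
    """Return the body of the next PEM block at or after the stream position."""
    body, inside = [], False
    for line in iter(stream.readline, ""):
        line = line.strip()
        if line == BEGIN:
            body, inside = [], True
        elif line == END and inside:
            return "\n".join(body)
        elif inside:
            body.append(line)
    raise NoStartLine("no start line")  # hit end of input without a BEGIN line


def first_failing_load(copies, loads, reuse_handle):
    """Load the certificate `loads` times (server start, then one per HUP).

    Returns the 1-based number of the first load that fails, or None."""
    pem_file = SAMPLE_CERT * copies
    cached = io.StringIO(pem_file)  # hypothesis: position survives reloads
    for n in range(1, loads + 1):
        stream = cached if reuse_handle else io.StringIO(pem_file)
        try:
            read_next_pem(stream)
        except NoStartLine:
            return n
    return None


if __name__ == "__main__":
    print("1 copy, cached position :", first_failing_load(1, 3, True))
    print("2 copies, cached position:", first_failing_load(2, 3, True))
    print("2 copies, reopened file  :", first_failing_load(2, 3, False))
```

If the real server fails on the first HUP with one copy and on the second HUP with two copies, the result matches the cached-position model; a failure on the first HUP regardless of the number of copies points to a different cause.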