freeradius problem - ephemeral RSA key generation
Kapetanakis Giannis
bilias at edu.physics.uoc.gr
Wed Dec 31 10:01:24 CET 2014
Hi,
I had a specific problem running freeradius 2.2.5/2.2.6 in OpenBSD.
rlm_eap_tls: Couldn't set ephemeral RSA key
rlm_eap: Failed to initialize type tls
/etc/raddb/eap.conf[17]: Instantiation failed for module "eap"
After playing around with the source I've managed to make it work by doing:
--- ./src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c Tue Nov 18 21:56:52 2014
+++ /root/rlm_eap_tls.c Wed Dec 31 10:55:43 2014
@@ -203,10 +203,16 @@
RSA *rsa;
rsa = RSA_generate_key(512, RSA_F4, NULL, NULL);
-
- if (!SSL_CTX_set_tmp_rsa(ctx, rsa)) {
- radlog(L_ERR, "rlm_eap_tls: Couldn't set ephemeral RSA key");
+ if (rsa == NULL) {
+ radlog(L_ERR, "rlm_eap_tls: Couldn't generate RSA key");
return -1;
+ }
+
+ if (SSL_CTX_need_tmp_RSA(ctx)) {
+ if (!SSL_CTX_set_tmp_rsa(ctx, rsa)) {
+ radlog(L_ERR, "rlm_eap_tls: Couldn't set ephemeral RSA key");
+ return -1;
+ }
}
RSA_free(rsa);
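Review bot: the `rsa == NULL` check and the `SSL_CTX_need_tmp_RSA(ctx)` guard are the right fix for the reported failure, but `RSA_generate_key(512, RSA_F4, NULL, NULL)` still runs on every call even though the key is only installed when the guard is true; move the generation inside the `if (SSL_CTX_need_tmp_RSA(ctx))` block (returning 0 early otherwise) so that the common case, where no temporary RSA key is needed, does no 512-bit keygen at all. Separately, the `return -1;` inside the `if (!SSL_CTX_set_tmp_rsa(ctx, rsa))` branch returns before the trailing `RSA_free(rsa);`, so the generated key is leaked on that path; add `RSA_free(rsa);` before that return. The leak predates this patch, but the restructure is the right moment to close it.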
Maybe a check for SSL_CTX_need_tmp_RSA should be added before calling SSL_CTX_set_tmp_rsa?
You can also read the relevant thread in the OpenBSD mailing list here:
http://marc.info/?l=openbsd-misc&m=141996016020120&w=2
thanks for any comments on this,
Giannis
-------- Forwarded Message --------
Subject: Re: freeradius problem - ephemeral RSA key generation
Date: Wed, 31 Dec 2014 10:39:17 +0200
To: misc at openbsd.org
On 31/12/14 04:37, Joel Sing wrote:
> On Wednesday 31 December 2014, Kapetanakis Giannis wrote:
>> Hi,
>>
>> After upgrading to latest snapshot I have problems with freeradius 2.2.5
>> package not starting.
>>
>> Especially the problem occurs in loading of module eap-tls
>>
>> rlm_eap_tls: Couldn't set ephemeral RSA key
>> rlm_eap: Failed to initialize type tls
>> /etc/raddb/eap.conf[17]: Instantiation failed for module "eap"
>>
>> I've tried installing version 2.2.6 but I have the same problem.
>>
>> The program fails at:
>> src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c
>>
>> /*
>> * Generate ephemeral RSA keys.
>> */
>> static int generate_eph_rsa_key(SSL_CTX *ctx)
>> {
>> RSA *rsa;
>>
>> rsa = RSA_generate_key(512, RSA_F4, NULL, NULL);
>>
>> if (!SSL_CTX_set_tmp_rsa(ctx, rsa)) {
>> radlog(L_ERR, "rlm_eap_tls: Couldn't set ephemeral RSA key");
>> return -1;
>> }
>>
>> RSA_free(rsa);
>> return 0;
>> }
>>
>> is this related to freeradius or something with OpenBSD ssl libraries?
> Support for ephemeral RSA keys was removed from LibreSSL, since it should only
> be needed for export ciphers (no longer supported) or otherwise violating
> RFCs (as at first glance FreeRADIUS appears to do above).
>
> Since you're already looking at the code, does it set SSL_OP_EPHEMERAL_RSA
> anywhere? If not, the above function is probably a noop. At the very least it
> is likely buggy since they are supposed to call SSL_CTX_need_tmp_RSA() to see
> if the temporary RSA key should be set, before calling SSL_CTX_set_tmp_rsa().
>
Well, I've already made it work last night by adding a check
for SSL_CTX_need_tmp_RSA before calling SSL_CTX_set_tmp_rsa.
So if I get it right, since I'm using the HIGH ciphersuite I will never need
an ephemeral RSA key, correct?
Is there a case where SSL_CTX_need_tmp_RSA() will be true?
SSL_OP_EPHEMERAL_RSA is not defined anywhere.
G