Migrating to a new server from 2.x to 3.0.4 CentOS 7
Kris Armstrong
kris.armstrong at me.com
Thu Jul 2 00:53:48 CEST 2015
I was able to upgrade to V3.0.8; however, it won’t start
Debugger not attached
Refusing to start with libssl version OpenSSL 1.0.1e-fips 11 Feb 2013 0x1000105f (1.0.1e release) (in range 1.0.1 dev - 1.0.1f release)
Security advisory CVE-2014-0160 (Heartbleed)
For more information see http://heartbleed.com
Once you have verified libssl has been correctly patched, set security.allow_vulnerable_openssl = 'CVE-2014-0160'
[root at freeradius freeradius-server-3.0.8]# yum upgrade
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: repos.dfw.quadranet.com
* extras: dallas.tx.mirror.xygenhosting.com
* updates: centos.host-engine.com
No packages marked for update
[root at freeradius freeradius-server-3.0.8]# openssl version
OpenSSL 1.0.2c 12 Jun 2015
[root at freeradius freeradius-server-3.0.8]#
> On Jul 1, 2015, at 4:19 PM, Kris Armstrong <kris.armstrong at me.com> wrote:
>
> This is the only CA that is required for the client cert
>
> ca_file = ${cadir}/fnetCerts/CA/pem/2048ca.pem
> I have commented out the others as they have no ties to my client CA
>
>
>> On Jul 1, 2015, at 4:05 PM, Arran Cudbard-Bell <a.cudbardb at freeradius.org> wrote:
>>
>>
>>> On 1 Jul 2015, at 17:46, Kris Armstrong <kris.armstrong at me.com> wrote:
>>>
>>> There are no intermediates; it's a single Root CA and it is set
>>>
>>> My EAP file TLS Section
>>>
>>> I’ve commented out all but the 2048ca.pem my client.pem is signed by, but no difference.
>>>
>>> ca_file = ${cadir}/ca.pem
>>>
>>> # Customer CA Files:
>>> ca_file = ${cadir}/00374255/root_ca.pem
>>>
>>> # FNET CA Files:
>>> ca_file = ${cadir}/fnetCerts/CA/pem/512ca.pem
>>> ca_file = ${cadir}/fnetCerts/CA/pem/768ca.pem
>>> ca_file = ${cadir}/fnetCerts/CA/pem/1024ca.pem
>>> ca_file = ${cadir}/fnetCerts/CA/pem/1280ca.pem
>>> ca_file = ${cadir}/fnetCerts/CA/pem/1536ca.pem
>>> ca_file = ${cadir}/fnetCerts/CA/pem/1792ca.pem
>>> ca_file = ${cadir}/fnetCerts/CA/pem/2048ca.pem
>>> ca_file = ${cadir}/fnetCerts/CA/pem/4096ca.pem
>>> ca_file = ${cadir}/fnetCerts/CA/pem/2048ca.pem
>>
>> Um, no, that's not how you configure them.
>>
>> You need to concatenate all the CAs into the same file, as I said before. Or use the ca_path config item and specify a directory that holds the CA files.
>>
>> For 3.0.8 you need to install the openssl-devel rpm to build from source.
>>
>> Could you provide your config.log so we can try and fix it to produce a more user-friendly error?
>>
>> -Arran
>>
>> Arran Cudbard-Bell <a.cudbardb at freeradius.org>
>> FreeRADIUS development team
>>
>> FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
>>
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
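The concatenation Arran describes, as an added example that is not part of the thread or of FreeRADIUS: it collects every uncommented ca_file line from a TLS section, merges the certificates into one PEM bundle, and writes a CA that is listed twice only once. The function names and the sample files are assumptions made for this illustration.

```python
import base64, hashlib, re, tempfile
from pathlib import Path

CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def to_pem(der):
    """Wrap DER bytes in a PEM certificate envelope with 64-column lines."""
    b64 = base64.b64encode(der).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN CERTIFICATE-----", *rows, "-----END CERTIFICATE-----"]) + "\n"

def ca_files_from_config(text, cadir):
    """Return the path on every uncommented ca_file line, expanding ${cadir}."""
    paths = []
    for line in text.splitlines():
        m = re.match(r"\s*ca_file\s*=\s*(\S+)", line)  # lines starting with '#' never match
        if m:
            paths.append(Path(m.group(1).replace("${cadir}", str(cadir))))
    return paths

def build_bundle(paths):
    """Concatenate all certificates in paths into one PEM string, each distinct cert once."""
    seen, out = set(), []
    for path in paths:
        blocks = CERT_RE.findall(path.read_text())
        if not blocks:
            raise ValueError(f"{path}: no PEM certificate found")
        for body in blocks:
            der = base64.b64decode("".join(body.split()), validate=True)
            digest = hashlib.sha256(der).digest()
            if digest not in seen:  # the same CA listed twice is written once
                seen.add(digest)
                out.append(to_pem(der))
    return "".join(out)

def demo():
    """Constructed sample: stand-in bytes in PEM envelopes, not real certificates."""
    with tempfile.TemporaryDirectory() as d:
        cadir = Path(d)
        (cadir / "a.pem").write_text(to_pem(b"constructed CA A " * 6))
        (cadir / "b.pem").write_text(to_pem(b"constructed CA B " * 6))
        conf = ("ca_file = ${cadir}/a.pem\n"
                "# ca_file = ${cadir}/unused.pem\n"
                "ca_file = ${cadir}/b.pem\n"
                "ca_file = ${cadir}/a.pem\n")
        paths = ca_files_from_config(conf, cadir)
        return len(paths), build_bundle(paths)

if __name__ == "__main__":
    count, bundle = demo()
    print(f"{count} ca_file lines -> {bundle.count('BEGIN CERTIFICATE')} certificates in bundle")
```

The resulting bundle is what a single ca_file entry would then point at.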