TLS failures in freeradius 3.0.12

Anirudh Malhotra 8zero2ops at gmail.com
Thu Apr 14 06:16:51 CEST 2016


Use openssl instead of moz nss

BR,
Anirudh Malhotra
8zero2
Mail: 8zero2.in at gmail.com
Facebook: www.facebook.com/8zero2
Twitter: @8zero2_in
Blog: blog.8zero2.in

On 14 Apr 2016, 08:51 +0530, Andrew Daviel <advax at triumf.ca> wrote:
> 
> We have been running 3.0.4 on CentOS, authenticating against
> openldap 2.3.43 on Centos 5. That seemed to work reliably, but we needed
> functionality only available in 3.0.11.
> 
> I build 3.0.12 as an RPM on CentOS 6 using the 3.0.12 tarball from
> github and the 3.0.4 specfile as a template, so that the same
> directories and settings were used as for 3.0.4.
> 
> We are using ldap on port 389 with start_tls
> The client certificate is loaded from a PEM file in /etc/raddb/certs/
> The server certificate is loaded from the NSS database
> /etc/raddb/certs/cert8.db
> 
> Initially after radiusd is started, authentication works properly.
> We see in debug output
> ...
> (1) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
> ...
> rlm_ldap (ldap): Opening additional connection (6), 1 of 30 pending slots used
> rlm_ldap (ldap): Connecting to ldap://ldap.example.com:389
> TLS: certificate '/etc/raddb/certs/xxx' successfully loaded from moznss database.
> rlm_ldap (ldap): Bind successful
> ..(1) Sent Access-Accept Id 170
> 
> after running for a bit, with the same radius client request, we get
> 
> TLS: could not shutdown NSS - error -8053:NSS could not shutdown.
> Objects are still in use..
> rlm_ldap (ldap): 0 of 0 connections in use. You may need to increase "spare"
> rlm_ldap (ldap): Opening additional connection (7), 1 of 32 pending slots used
> rlm_ldap (ldap): Connecting to ldap://ldap.example.com:389
> TLS: could not initialize moznss - error -8018:Unknown PKCS #11 error..
> TLS: could not perform TLS system initialization.
> TLS: error: could not initialize moznss security context - error -8018:Unknown PKCS #11 error.
> TLS: can't create ssl handle.
> rlm_ldap (ldap): Could not start TLS: Connect error
> ... (2) Sent Access-Reject Id 217
> 
> 
> On the openldap server in debug mode, I get an error
> TLS trace: SSL3 alert read:warning:close notify
> ldap_read: want=8, got=0
> 
> 
> Any ideas?
> The openldap logs are somewhat cryptic
> 
> 
> --
> Andrew Daviel, TRIUMF, Canada
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
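The failure pattern in the quoted debug output (a single NSS shutdown error followed by every later connection failing with PKCS #11 error -8018 until radiusd is restarted) is easy to misread as a credential or LDAP server problem. The following script is an added example, not code from the thread or from the FreeRADIUS project: it walks radiusd -X output, groups TLS messages by rlm_ldap connection attempt, and distinguishes a one-off TLS failure from the NSS re-initialisation failure described here, so that a log monitor can raise the right alert. The sample lines are constructed after the output quoted above (hostname and certificate path are placeholders), and the function names and regular expressions are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the radiusd -X output quoted in the thread.
# ldap.example.com and /etc/raddb/certs/xxx are placeholders, not real values.
SAMPLE_DEBUG = """\
rlm_ldap (ldap): Opening additional connection (6), 1 of 30 pending slots used
rlm_ldap (ldap): Connecting to ldap://ldap.example.com:389
TLS: certificate '/etc/raddb/certs/xxx' successfully loaded from moznss database.
rlm_ldap (ldap): Bind successful
(1) Sent Access-Accept Id 170
TLS: could not shutdown NSS - error -8053:NSS could not shutdown. Objects are still in use..
rlm_ldap (ldap): 0 of 0 connections in use. You may need to increase "spare"
rlm_ldap (ldap): Opening additional connection (7), 1 of 32 pending slots used
rlm_ldap (ldap): Connecting to ldap://ldap.example.com:389
TLS: could not initialize moznss - error -8018:Unknown PKCS #11 error..
TLS: could not perform TLS system initialization.
TLS: error: could not initialize moznss security context - error -8018:Unknown PKCS #11 error.
TLS: can't create ssl handle.
rlm_ldap (ldap): Could not start TLS: Connect error
(2) Sent Access-Reject Id 217
"""

# Patterns are assumptions based on the message formats visible in the thread.
OPEN_RE = re.compile(r"rlm_ldap \((\w+)\): Opening additional connection \((\d+)\)")
NSS_ERR_RE = re.compile(r"TLS: .*?(?:moznss|NSS).*?error (-\d+)")
BIND_OK_RE = re.compile(r"rlm_ldap \((\w+)\): Bind successful")
TLS_FAIL_RE = re.compile(r"rlm_ldap \((\w+)\): Could not start TLS: (.*)")

NSS_SHUTDOWN_FAILED = -8053   # "NSS could not shutdown. Objects are still in use"
NSS_PKCS11_ERROR = -8018      # "Unknown PKCS #11 error" on the next initialisation


@dataclass
class ConnAttempt:
    """One rlm_ldap connection attempt and the TLS errors seen during it."""
    instance: str
    conn_id: int
    nss_errors: list = field(default_factory=list)
    outcome: str = "unknown"   # "bind_ok" or "tls_failed"


def triage(debug_output):
    """Group TLS messages by connection attempt.

    Returns (attempts, shutdown_failed): the list of ConnAttempt records in
    order, and whether an NSS shutdown failure (-8053) was seen anywhere.
    """
    attempts = []
    current = None
    shutdown_failed = False
    for line in debug_output.splitlines():
        m = OPEN_RE.search(line)
        if m:
            current = ConnAttempt(m.group(1), int(m.group(2)))
            attempts.append(current)
            continue
        m = NSS_ERR_RE.search(line)
        if m:
            code = int(m.group(1))
            if code == NSS_SHUTDOWN_FAILED:
                # Leaked NSS objects: the library state is now poisoned for
                # the rest of the process lifetime, not just this connection.
                shutdown_failed = True
            elif current is not None:
                current.nss_errors.append(code)
            continue
        if current is None:
            continue
        if BIND_OK_RE.search(line):
            current.outcome = "bind_ok"
        elif TLS_FAIL_RE.search(line):
            current.outcome = "tls_failed"
    return attempts, shutdown_failed


def verdict(debug_output):
    """Classify the log: healthy, an isolated TLS failure, or the NSS
    re-initialisation failure that persists until radiusd is restarted."""
    attempts, shutdown_failed = triage(debug_output)
    failed = [a for a in attempts if a.outcome == "tls_failed"]
    if shutdown_failed and failed and all(
            NSS_PKCS11_ERROR in a.nss_errors for a in failed):
        return "nss_reinit_failure"
    if failed:
        return "tls_failure_other"
    return "healthy"


if __name__ == "__main__":
    for a in triage(SAMPLE_DEBUG)[0]:
        print(f"{a.instance} connection {a.conn_id}: {a.outcome} {a.nss_errors}")
    print("verdict:", verdict(SAMPLE_DEBUG))
```

The useful signal is the combination: a -8053 shutdown error followed by -8018 on every later attempt means restarting radiusd (or, as the reply suggests, building against an OpenSSL-linked libldap) is the fix, whereas a lone "Could not start TLS" without the NSS errors points at the LDAP server or the certificates instead. Feed the script `radiusd -X` output rather than production logs, since the TLS diagnostics only appear at debug level.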

