Defining trusted root ca for ldaps server cert validation

Alan DeKok aland at
Thu May 4 22:20:38 CEST 2017

On May 4, 2017, at 3:51 PM, Philipp Trenz <mail at> wrote:
> I’m searching where to define the trusted root ca for validation of the SSL certificate on ldaps connections (FR 3.0.12 with CentOS 7).

  Read raddb/mods-available/ldap.  Look for the "tls" section.

> I added the root ca to the system

  FreeRADIUS doesn't look in any "system" for CA certificates.

> and tested ldaps connection with 'openssl s_client -connect my_ldap_server_IP:636 -CApath /etc/pki/tls/certs' and it returns 'Verify return code: 19 (self signed certificate in certificate chain)'.
> Then I tested the trusted root ca's at the system to be sure the correct ca's are there with ...
> awk -v cmd='openssl x509 -noout -subject' \
>      '/BEGIN/{close(cmd)};{print | cmd}' \
> < /etc/pki/tls/certs/ca-bundle.crt
> … and the CA is listed. Am I doing something wrong or is it an OpenSSL issue? Do I have to (or is it possible to) define the trusted root ca within FreeRADIUS?
> I also didn’t quite understand what the tls section in mods-enabled/ldap is for.

  It's for configuring the trusted root CA for validation of the SSL certificate on ldaps connections.

> As far as I know ldap clients don’t need a client certificate except the LDAP configuration requires it.

  The LDAP module configuration *allows* for a client certificate.

  And "ldap clients don’t need a client certificate" is irrelevant.  If you're connecting over TLS to anything, you should be able to use client certificates.  That's how TLS works.  It's independent of the protocol *inside* of the TLS session.

> And in my case it isn't. When I let 'ca_file' point to my root ca, I get the following:
> TLS: could not add the certificate '/usr/local/etc/raddb/certs/cacert.crt' - error -8018:Unknown PKCS #11 error..
> TLS: /usr/local/etc/raddb/certs/cacert.crt is not a valid CA certificate file - error -8018:Unknown PKCS #11 error..

  Well, that seems clear.

> TLS: could not perform TLS system initialization.
> TLS: error: could not initialize moznss security context - error -8018:Unknown PKCS #11 error.
> TLS: can't create ssl handle.
> I have to admit I’m not practiced with PKI.

  You need to use a CA certificate.

  So... where did you get that cert?

  And if you're using CentOS, you may very well be using the RH version of the LDAP client library, which is compiled with NSS.  And that is *very* incompatible with FreeRADIUS.

  FreeRADIUS uses OpenSSL, and NSS has a (sort of) wrapper for OpenSSL functions.  Which means that using both libraries in the same application is a recipe for disaster.  It just won't work.

  You'll either have to use just plain LDAP, or re-build the LDAP client libraries to use OpenSSL.

  Alan DeKok.
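An added diagnostic, not part of the thread or of FreeRADIUS: a POSIX shell helper that checks whether the file handed to the ldap module's ca_file is actually a PEM CA certificate (the condition behind the "is not a valid CA certificate file" error above) and then repeats the s_client test pinned to that exact file instead of the system -CApath. It assumes the openssl CLI on PATH; CA_FILE, LDAP_HOST and ldap.example.test are placeholders for the reader's own values.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes: openssl CLI on PATH;
# $CA_FILE is the PEM CA that the ldap module's "tls { ca_file = ... }" will use;
# $LDAP_HOST / ldap.example.test are placeholders for the real LDAPS server.

# A file is usable as ca_file only if it is a PEM X.509 certificate whose
# basicConstraints extension says CA:TRUE.  A server (leaf) certificate, a
# DER-encoded file, or a private key all fail here.
check_ca_file() {
    f=$1
    if ! openssl x509 -in "$f" -noout >/dev/null 2>&1; then
        echo "$f: not a PEM-encoded X.509 certificate" >&2
        return 1
    fi
    if ! openssl x509 -in "$f" -noout -text 2>/dev/null | grep -q 'CA:TRUE'; then
        echo "$f: certificate is not a CA (basicConstraints CA:TRUE missing)" >&2
        return 1
    fi
    echo "$f: $(openssl x509 -in "$f" -noout -subject)"
}

# Offline check: does a saved server certificate chain back to exactly this CA?
verify_cert_against_ca() {
    ca=$1; cert=$2
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1
}

# Live check against the LDAPS port, like the s_client test in the thread, but
# with -CAfile pointing at the same file FreeRADIUS will be given rather than the
# system store.  Succeeds only when OpenSSL reports "Verify return code: 0 (ok)".
verify_ldaps_server() {
    host=$1; port=${2:-636}; ca=$3
    echo | openssl s_client -connect "$host:$port" -servername "$host" -CAfile "$ca" 2>/dev/null \
        | grep -q 'Verify return code: 0 (ok)'
}

# Usage: CA_FILE=/usr/local/etc/raddb/certs/cacert.crt LDAP_HOST=ldap.example.test sh check_ca.sh
if [ -n "$CA_FILE" ]; then
    check_ca_file "$CA_FILE" && verify_ldaps_server "${LDAP_HOST:-ldap.example.test}" 636 "$CA_FILE"
fi
```

Note that this only tells you the CA file is good for OpenSSL; as the reply explains, an NSS-built libldap will not consume it the same way.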
