Freeradius TLS - SSL context error

murugesh pitchaiah murugesh.pitchaiah at gmail.com
Thu Oct 22 13:55:10 CEST 2020


Hi,

When I try to enable TLS in sites-enabled, I see the error below when running
'radiusd debug -X':

     Failed creating SSL context: error:140A90A1:lib(20):func(169):reason(161)

    [root at server raddb]# openssl errstr 0x140A90A1
    error:140A90A1:SSL routines:SSL_CTX_new:library has no ciphers
    [root at server raddb]#


Here is the TLS configuration I have:


  tls {
        rsa_key_exchange = yes
        dh_key_exchange = yes
        rsa_key_length = 512
        dh_key_length = 512
        verify_depth = 0
        pem_file_type = yes
        private_key_file = KeyFile
        certificate_file = CertFile
        ca_file = CAFile
        fragment_size = 8192
        include_length = yes
        check_crl = no
        cipher_list =
"AES128-SHA:AES128-SHA256:AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256"
        ecdh_curve = "prime256v1"
  }


Could anybody shed some light on this? The ciphers are set, as can be seen
above. I could not find what is missing that causes this SSL error.

Thanks in advance.

Regards,
Murugesh P.


Complete log:


[root at server231 raddb]# radiusd debug  -fxx -l stdout
radiusd: FreeRADIUS Version 3.0.3, for host i686-redhat-linux-gnu,
built on Jun  3 2014 at 12:38:34
Copyright (C) 1999-2014 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/raddb/dictionary
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/mods-enabled/
including configuration file /etc/raddb/mods-enabled/realm
including configuration file /etc/raddb/mods-enabled/dhcp
including configuration file /etc/raddb/mods-enabled/unpack
including configuration file /etc/raddb/mods-enabled/digest
including configuration file /etc/raddb/mods-enabled/sradutmp
including configuration file /etc/raddb/mods-enabled/echo
including configuration file /etc/raddb/mods-enabled/always
including configuration file /etc/raddb/mods-enabled/unix
including configuration file /etc/raddb/mods-enabled/expiration
including configuration file /etc/raddb/mods-enabled/detail
including configuration file /etc/raddb/mods-enabled/passwd
including configuration file /etc/raddb/mods-enabled/files
including configuration file /etc/raddb/mods-enabled/soh
including configuration file /etc/raddb/mods-enabled/dynamic_clients
including configuration file /etc/raddb/mods-enabled/preprocess
including configuration file /etc/raddb/mods-enabled/sql
including configuration file /etc/raddb/mods-config/sql/main/mysql/queries.conf
including configuration file /etc/raddb/mods-enabled/chap
including configuration file /etc/raddb/mods-enabled/utf8
including configuration file /etc/raddb/mods-enabled/replicate
including configuration file /etc/raddb/mods-enabled/exec
including configuration file /etc/raddb/mods-enabled/linelog
including configuration file /etc/raddb/mods-enabled/logintime
including configuration file /etc/raddb/mods-enabled/ntlm_auth
including configuration file /etc/raddb/mods-enabled/attr_filter
including configuration file /etc/raddb/mods-enabled/cache_eap
including configuration file /etc/raddb/mods-enabled/expr
including configuration file /etc/raddb/mods-enabled/eap
including configuration file /etc/raddb/mods-enabled/radutmp
including configuration file /etc/raddb/mods-enabled/pap
including configuration file /etc/raddb/mods-enabled/detail.log
including configuration file /etc/raddb/mods-enabled/mschap
including files in directory /etc/raddb/policy.d/
including configuration file /etc/raddb/policy.d/dhcp
including configuration file /etc/raddb/policy.d/filter
including configuration file /etc/raddb/policy.d/accounting
including configuration file /etc/raddb/policy.d/operator-name
including configuration file /etc/raddb/policy.d/control
including configuration file /etc/raddb/policy.d/canonicalization
including configuration file /etc/raddb/policy.d/eap
including configuration file /etc/raddb/policy.d/cui
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/tls
including configuration file /etc/raddb/sites-enabled/inner-tunnel
main {
 security {
        user = "radiusd"
        group = "radiusd"
        allow_core_dumps = no
 }
}
main {
        name = "radiusd"
        prefix = "/usr"
        localstatedir = "/var"
        sbindir = "/usr/sbin"
        logdir = "/var/log/radius"
        run_dir = "/var/run/radiusd"
        libdir = "/usr/lib/freeradius"
        radacctdir = "/var/log/radius/radacct"
        hostname_lookups = no
        max_request_time = 30
        cleanup_delay = 5
        max_requests = 1024
        pidfile = "/var/run/radiusd/radiusd.pid"
        checkrad = "/usr/sbin/checkrad"
        debug_level = 0
        proxy_requests = yes
 log {
        stripped_names = no
        auth = no
        auth_badpass = no
        auth_goodpass = no
        colourise = yes
        msg_denied = "You are already logged in - access denied"
 }
 security {
        max_attributes = 200
        reject_delay = 1
        status_server = yes
        allow_vulnerable_openssl = "CVE-2014-0160"
 }
}
radiusd: #### Loading Realms and Home Servers ####
 proxy server {
        retry_delay = 5
        retry_count = 3
        default_fallback = no
        dead_time = 120
        wake_all_if_all_dead = no
 }
 home_server localhost {
        ipaddr = 127.0.0.1
        port = 1812
        type = "auth"
        secret = <<< secret >>>
        response_window = 20
        max_outstanding = 65536
        zombie_period = 40
        status_check = "status-server"
        ping_interval = 30
        check_interval = 30
        num_answers_to_alive = 3
        revive_interval = 120
        status_check_timeout = 4
  coa {
        irt = 2
        mrt = 16
        mrc = 5
        mrd = 30
  }
  limit {
        max_connections = 16
        max_requests = 0
        lifetime = 0
        idle_timeout = 0
  }
 }
 home_server tls {
        ipaddr = 127.0.0.1
        port = 2083
        type = "auth"
        proto = "tcp"
        secret = <<< secret >>>
        response_window = 30
        max_outstanding = 65536
        zombie_period = 40
        status_check = "none"
        ping_interval = 30
        check_interval = 30
        num_answers_to_alive = 3
        revive_interval = 300
        status_check_timeout = 4
  coa {
        irt = 2
        mrt = 16
        mrc = 5
        mrd = 30
  }
  limit {
        max_connections = 16
        max_requests = 0
        lifetime = 0
        idle_timeout = 0
  }
 }
  tls {
        rsa_key_exchange = yes
        dh_key_exchange = yes
        rsa_key_length = 512
        dh_key_length = 512
        verify_depth = 0
        pem_file_type = yes
        private_key_file = KeyFile
        certificate_file = CertFile
        ca_file = CAFile
        fragment_size = 8192
        include_length = yes
        check_crl = no
        cipher_list =
"AES128-SHA:AES128-SHA256:AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256"
        ecdh_curve = "prime256v1"
  }
Failed creating SSL context: error:140A90A1:lib(20):func(169):reason(161)
[root at server raddb]#

