EAP-TLS with CRLs broken on RHEL 8.8

Fraser Hess fraser.hess at pinnacol.com
Mon Nov 13 21:14:50 UTC 2023 

We have a working FreeRADIUS implementation. It is configured for EAP-TLS.
Our production systems use stock rpms for FreeRADIUS and OpenSSL on CentOS
7.9. Current RPMs: freeradius-3.0.13-15.el7.x86_64 and
openssl-1.0.2k-26.el7_9.x86_64

We are moving to Red Hat Enterprise Linux 8.8. We built a test system from
scratch, installed our RADIUS config and our tests failed. The RPMs in RHEL
8.8 are: freeradius-3.0.20-14.module+el8.8.0+17558+3f8a93b9.x86_64 and
openssl-1.1.1k-9.el8_7.x86_64

The failure occurs in CRL checking. With check_crl = yes and check_all_crl
= yes, FreeRADIUS is unable to find our root CA's CRL to validate the
intermediate CA. Setting either check_crl or check_all_crl to no resolves
the issue.

(8) eap_tls: TLS-Cert-Serial := "XXX"
(8) eap_tls: TLS-Cert-Expiration := "250901211201Z"
(8) eap_tls: TLS-Cert-Subject := "/C=US/O=Organization/CN=Organization
Intermediate CA"
(8) eap_tls: TLS-Cert-Issuer := "/C=US/O=Organization/CN=Organization Root
CA"
(8) eap_tls: TLS-Cert-Common-Name := "Organization Intermediate CA"
(8) eap_tls: ERROR: SSL says error 3 : unable to get certificate CRL
(8) eap_tls: >>> send TLS 1.2 [length 0002]
(8) eap_tls: ERROR: TLS Alert write:fatal:unknown CA
tls: TLS_accept: Error in error
(8) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL
routines:tls_process_client_certificate:certificate verify failed
(8) eap_tls: ERROR: System call (I/O) error (-1)
(8) eap_tls: ERROR: TLS receive handshake failed during operation
(8) eap_tls: ERROR: [eaptls process] = fail
(8) eap: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module
failed

Checking the leaf certificate against the intermediate CA appears to work.
All of the certificates in /etc/raddb/certs have the correct hashed
symlinks.

We have tried setting tls_min_version = 1.2 and auto_chain = no, adding the
intermediate CA certificate to the certificate_file. The same error results.

I can break our production servers in the same manner by removing the hash
symlink to the root CA's CRL file. In our test system, it's as if the hash
symlink doesn't exist. The permissions on the files are correct - radiusd
can read them all.

Thank you for any help/suggestions

Fraser Hess
Workstation Engineer
Pinnacol Assurance

-- 
This communication and any attachments are for the sole use of the intended 
recipient and may contain confidential and privileged information. Any 
unauthorized review, use, disclosure, or distribution is prohibited. If you 
have received this communication in error, please notify us immediately by 
replying to this message and deleting it from your computer.

More information about the Freeradius-Users mailing list