(RADIATOR) Sending server certificate chain
Jan Tomasek
jan at tomasek.cz
Wed Feb 20 03:13:52 CST 2008
Hi Mike,
> We have now added support for EAPTLS_CertificateChainFile wherever
> EAPTLS_CertificateFile is supported, and added support for
> TLS_CertificateChainFile wherever TLS_CertificateFile is supported. The
> ChainFile parameter specifies the name of a file containing a certificate
> chain for the Radius server certificate, with similar behaviour to
> SSLCertificateChainFile in Apache mod_ssl.
Thanks for the patch. I can't get that working. My config:
<Handler Realm=/^etest\.cesnet\.cz$/i>
    AuthBy CheckFILE
    AuthLog authlogger
</Handler>

<AuthBy FILE>
    Identifier CheckFILE
    Filename /etc/radiator/user_accounts
    EAPType MSCHAP-V2,LEAP,PEAP,TTLS,TLS,MD5,MD5-Challenge
    EAPTLS_CAPath /etc/ssl/certs
    EAPTLS_CertificateFile /etc/ssl/certs/publikace.cesnet.cz.crt.pem
    EAPTLS_CertificateType PEM
    EAPTLS_PrivateKeyFile /etc/ssl/private/publikace.cesnet.cz.key.pem
    EAPTLS_MaxFragmentSize 1000
    EAPTLS_CertificateChainFile /etc/ssl/certs/sureserverEDU.pem
    AutoMPPEKeys
    EAPTLS_PEAPVersion 0
    SSLeayTrace 1
    AddToReplyIfNotExist Tunnel-Private-Group-ID=1:100
    AddToReply Tunnel-Type=1:VLAN,\
        Tunnel-Medium-Type=1:Ether_802
</AuthBy>
When a request arrives, Radiator at Trace 4 prints:
> Wed Feb 20 10:06:01 2008: DEBUG: Handling request with Handler 'Realm=/^etest\.cesnet\.cz$/i'
> Wed Feb 20 10:06:01 2008: DEBUG: Deleting session for semik at etest.cesnet.cz, 195.113.205.147, 29
> Wed Feb 20 10:06:01 2008: DEBUG: Handling with Radius::AuthFILE: CheckFILE
> Wed Feb 20 10:06:01 2008: DEBUG: Handling with EAP: code 2, 2, 6, 3
> Wed Feb 20 10:06:01 2008: DEBUG: Response type 3
> Wed Feb 20 10:06:01 2008: INFO: EAP Nak desires type 25
> Wed Feb 20 10:06:01 2008: ERR: TLS could not use_certificate_chain_file "/etc/ssl/certs/sureserverEDU.pem": 14378: 1 - error:02001002:system library:fopen:No such file or directory
> 14378: 2 - error:20074002:BIO routines:FILE_CTRL:system lib
>
> Wed Feb 20 10:06:01 2008: ERR: /etc/ssl/certs/sureserverEDU.pem
> Wed Feb 20 10:06:01 2008: DEBUG: EAP result: 1, EAP TLS Could not initialise context
> Wed Feb 20 10:06:01 2008: DEBUG: AuthBy FILE result: REJECT, EAP TLS Could not initialise context
> Wed Feb 20 10:06:01 2008: INFO: Access rejected for semik at etest.cesnet.cz: EAP TLS Could not initialise context
I modified TLS.pm:
> $parent->log($main::LOG_ERR, "TLS could not use_certificate_chain_file \"$parent->{EAPTLS_CertificateChainFile}\": $errs");
> $parent->log($main::LOG_ERR, Radius::Util::format_special($parent->{EAPTLS_CertificateChainFile}));
to be sure there is no additional space or some other crazy error.
File exists:
> radius:/etc/ssl/certs# ls -l /etc/ssl/certs/sureserverEDU.pem
> -rw-r--r-- 1 root root 1562 2006-03-15 13:25 /etc/ssl/certs/sureserverEDU.pem
and is valid:
> radius:/etc/ssl/certs# openssl x509 -noout -text < /etc/ssl/certs/sureserverEDU.pem
> Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number: 67109883 (0x40003fb)
> Signature Algorithm: sha1WithRSAEncryption
> Issuer: C=US, O=GTE Corporation, OU=GTE CyberTrust Solutions, Inc., CN=GTE CyberTrust Global Root
> Validity
> Not Before: Mar 14 20:30:00 2006 GMT
> Not After : Mar 14 23:59:00 2013 GMT
> Subject: C=BE, O=Cybertrust, OU=Educational CA, CN=Cybertrust Educational CA
And even worse, radiusd is reading it (output of strace):
> 14383 open("/etc/ssl/certs/sureserverEDU.pem", O_RDONLY|O_LARGEFILE) = 7
> 14383 fstat64(7, {st_mode=S_IFREG|0644, st_size=1562, ...}) = 0
> 14383 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7c21000
> 14383 read(7, "-----BEGIN CERTIFICATE-----\r\nMII"..., 4096) = 1562
> 14383 close(7) = 0
I've no further idea where the bug might be. Any idea? Please help :)
--
-----------------------
Jan Tomasek aka Semik
http://www.tomasek.cz/
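A pre-flight check for a PEM chain file before radiusd loads it, added here as an example and not part of the original post or of Radiator. It uses only the Python standard library, so it runs without OpenSSL present: it splits the file into PEM blocks, flags the CRLF line endings that the strace read() above shows ("-----BEGIN CERTIFICATE-----\r\n"), rejects non-CERTIFICATE blocks, and confirms each body is valid base64 whose decoded bytes form exactly one DER SEQUENCE. SAMPLE_CHAIN is a constructed stand-in (a minimal DER SEQUENCE), not a real certificate; this is a structural sanity check, not X.509 validation.

```python
import base64
import re

# Constructed sample: one CRLF-terminated PEM block whose body is the minimal
# DER SEQUENCE 30 03 02 01 01 (SEQUENCE { INTEGER 1 }), not a real certificate.
SAMPLE_CHAIN = (
    "-----BEGIN CERTIFICATE-----\r\n"
    + base64.b64encode(bytes.fromhex("3003020101")).decode() + "\r\n"
    + "-----END CERTIFICATE-----\r\n"
)
# Same content with Unix line endings, which is what the check expects.
SAMPLE_CHAIN_CLEAN = SAMPLE_CHAIN.replace("\r\n", "\n")

# A PEM block: BEGIN line, base64 body, END line with the same label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def der_outer_length(der: bytes):
    """Total length (header + content) the outer DER SEQUENCE declares, or
    None if the bytes do not start with a SEQUENCE tag (0x30)."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_chain_text(text: str) -> dict:
    """Return {'certificates': count, 'findings': [problems]} for PEM text."""
    findings = []
    blocks = PEM_BLOCK.findall(text)
    if "\r\n" in text:
        findings.append("CRLF line endings")
    if not blocks:
        findings.append("no PEM blocks found")
    for label, body in blocks:
        if label != "CERTIFICATE":
            findings.append(f"unexpected block type {label}")
            continue
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:                # binascii.Error is a ValueError
            findings.append("block body is not valid base64")
            continue
        if der_outer_length(der) != len(der):
            findings.append("block body is not a single DER SEQUENCE")
    certs = sum(1 for label, _ in blocks if label == "CERTIFICATE")
    return {"certificates": certs, "findings": findings}
```

Run it on the chain file as the user radiusd runs as, so an unreadable file surfaces as an open() error here rather than inside OpenSSL's error queue.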