[RADIATOR] does OpenSSL 0.9.8n need patched for use with EAP-FAST?
Jim Veneskey
jvene at cisco.com
Wed Mar 30 09:49:56 CDT 2011
Hi,
yes - I was missing HMAC_SHA1 - good call...
Fixing that issue - resulted in these messages:
> Wed Mar 30 10:34:50 2011: DEBUG: EAP result: 1, EAP-FAST Requires
> Net::SSLeay::set_session_secret_cb. Upgrade or patch your OpenSSL
> and/or Net-SSLeay
> Wed Mar 30 10:34:50 2011: DEBUG: AuthBy FILE result: REJECT, EAP-FAST
> Requires Net::SSLeay::set_session_secret_cb. Upgrade or patch your
> OpenSSL and/or Net-SSLeay
> Wed Mar 30 10:34:50 2011: INFO: Access rejected for anonymous:
> EAP-FAST Requires Net::SSLeay::set_session_secret_cb. Upgrade or patch
> your OpenSSL and/or Net-SSLeay
> Wed Mar 30 10:34:50 2011: DEBUG: Packet dump:
Which implies that the version of openssl I was using - 0.9.8n was not
good enough.
Just for fun - I upgraded openssl to the latest release:
> openssl version
> OpenSSL 1.0.0d 8 Feb 2011
And that also resulted in the messages shown above.
So - since I already had Net_SSLeay.pm-1.30 installed, my next step
looks to be downgrading OpenSSL to a supported version.
My question is - is there a preferred version out of the following four
that I should downgrade to?
> openssl-0.9.8d-session-ticket-osc.patch
> openssl-0.9.8e-session-ticket-osc.patch
> openssl-0.9.8i-tls-extensions.patch
> openssl-0.9.9-session-ticket.patch
Thanks!
Jim
On 3/30/11 9:28 AM, Heikki Vatiainen wrote:
> On 03/30/2011 03:38 PM, Jim Veneskey wrote:
>
>> Does 0.9.8n contain the patches already that are required for EAP-FAST?
>> If not - is it recommended to downgrade to 0.9.8.e and attempt to
>> patch/install that version - or 0.9.9 ?
>>
>> I am guessing that the "Compilation failed in require..." shown below
>> is a result of my current OpenSSL setup - or is it because of something
>> else?
> EAP_43.pm has "use Digest::HMAC_SHA1;"
>
> Check first that you have this installed. If Digest::SHA1 does not come
> with that, you may want to install that too while installing packages.
>
> If the dependencies are correct, then we have to dig openssl change
> logs, but before that, check the above.
>
> Thanks!
>
More information about the radiator
mailing list