[RADIATOR] does OpenSSL 0.9.8n need patched for use with EAP-FAST?

Heikki Vatiainen hvn at open.com.au
Thu Mar 31 04:48:39 CDT 2011


On 03/30/2011 05:49 PM, Jim Veneskey wrote:

>> Wed Mar 30 10:34:50 2011: DEBUG: EAP result: 1, EAP-FAST Requires
>> Net::SSLeay::set_session_secret_cb. Upgrade or patch your OpenSSL
>> and/or Net-SSLeay
>> Wed Mar 30 10:34:50 2011: DEBUG: AuthBy FILE result: REJECT, EAP-FAST
>> Requires Net::SSLeay::set_session_secret_cb. Upgrade or patch your
>> OpenSSL and/or Net-SSLeay
>> Wed Mar 30 10:34:50 2011: INFO: Access rejected for anonymous:
>> EAP-FAST Requires Net::SSLeay::set_session_secret_cb. Upgrade or patch
>> your OpenSSL and/or Net-SSLeay
>> Wed Mar 30 10:34:50 2011: DEBUG: Packet dump:
> 
> Which implies that the version of openssl I was using - 0.9.8n was not
> good enough.
> 
> Just for fun - I upgraded openssl to the latest release:
> 
>> openssl version
>> OpenSSL 1.0.0d 8 Feb 2011
> And that also resulted in the messages shown above.

1.0.0d has support for the required functions. Here's what I have on
openSUSE 11.3:

% rpm -qa|grep -i sslea
perl-Crypt-SSLeay-0.57-47.1.i586
perl-Net-SSLeay-1.36-3.1.i586

OpenSSL is 1.0.0 from March 29 2010

With the above I do not get complaints from missing functions.

If you configured openssl with "./config shared" before the compile, the
compilation creates shared libraries. You can point to those libs with
something like:
export LD_LIBRARY_PATH=/home/hvn/src/openssl-1.0.0d

When you start Radiator it should pick up the 1.0.0d ssl library. With
something like above you can try to make sure Radiator is indeed using
1.0.0d unless you have purged the old version while installing 1.0.0d.

> So - since I already had Net_SSLeay.pm-1.30  installed,  my next step
> looks to be downgrading OpenSSL to a supported version.

Try upgrading Net-SSLeay.pm to 1.36. Version 1.30 is quite old and 1.36
does have the functions that are required.

If Net_SSLeay 1.36 and openssl 1.0.0d do not work, I would downgrade to
0.9.8 with patches only then.


> My question is - is there a preferred version out of the following four
> that I should downgrade to?
> 
>>   openssl-0.9.8d-session-ticket-osc.patch
>>    openssl-0.9.8e-session-ticket-osc.patch
>>    openssl-0.9.8i-tls-extensions.patch
>>    openssl-0.9.9-session-ticket.patch

I'm not completely sure. I can check, but please try the above first.

Thanks!

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
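
Added example, not part of the original message and not Radiator code: a shell sketch of the two checks discussed above, namely whether the Net::SSLeay that perl loads defines set_session_secret_cb, and which libssl/libcrypto files a running process has actually mapped after setting LD_LIBRARY_PATH. It assumes Linux (/proc/<pid>/maps); the function names and the sample maps lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original message). Linux-only: reads /proc/<pid>/maps.

# Constructed sample of /proc/<pid>/maps lines, not captured from a real host.
sample_maps() {
cat <<'EOF'
08048000-0816a000 r-xp 00000000 08:01 131 /usr/bin/perl
b7100000-b7120000 r-xp 00000000 08:01 644 /usr/lib/perl5/auto/Net/SSLeay/SSLeay.so
b7400000-b7450000 r-xp 00000000 08:01 912 /home/hvn/src/openssl-1.0.0d/libssl.so.1.0.0
b7450000-b7454000 rw-p 00050000 08:01 912 /home/hvn/src/openssl-1.0.0d/libssl.so.1.0.0
b7200000-b7380000 r-xp 00000000 08:01 913 /home/hvn/src/openssl-1.0.0d/libcrypto.so.1.0.0
b6f00000-b7050000 r-xp 00000000 08:01 377 /usr/lib/libcrypto.so.0.9.8 (deleted)
EOF
}

# Read maps lines on stdin; print each distinct libssl/libcrypto path once.
# The path is rebuilt from field 6 onward so a " (deleted)" suffix is kept.
mapped_openssl_libs() {
    awk 'NF >= 6 {
        p = $6
        for (i = 7; i <= NF; i++) p = p " " $i
        if (p ~ /\/lib(ssl|crypto)\.so/ && !seen[p]++) print p
    }'
}

# Read maps lines on stdin. Returns 0 if every mapped OpenSSL library lives
# under directory $1, 1 if any comes from elsewhere, 2 if none is mapped.
uses_only_openssl_from() {
    mapped_openssl_libs | awk -v want="$1/" '
        { n++; if (index($0, want) != 1) bad = 1 }
        END { exit ((n == 0) ? 2 : bad + 0) }'
}

# Report the Net::SSLeay version perl loads and whether the function named in
# the Radiator log message is defined in it.
net_ssleay_report() {
    perl -MNet::SSLeay -e 'printf "Net::SSLeay %s, set_session_secret_cb: %s\n",
        $Net::SSLeay::VERSION,
        defined(&Net::SSLeay::set_session_secret_cb) ? "present" : "missing";'
}

# Usage: sh check.sh <radiator-pid> <openssl-dir>
if [ $# -eq 2 ]; then
    net_ssleay_report
    mapped_openssl_libs < "/proc/$1/maps"
    uses_only_openssl_from "$2" < "/proc/$1/maps" && echo "OK: only $2 is mapped"
fi
```

Run net_ssleay_report in the same environment (same perl, same LD_LIBRARY_PATH) that starts Radiator, otherwise it may load a different Net::SSLeay or OpenSSL than the server does.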