Hello,
After using portupgrade to go from freeradius-2.1.12 to freeradius-2.1.12_1 on FreeBSD 8.2-RELEASE, EAP-TLS authentication no longer works. Username/password authentications with the PAM module work fine on the freeradius-2.1.12_1 port.
All EAP-TLS authentications fail with radiusd reporting a "self signed cert" error (radiusd -X output):
Code:
…
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] eaptls_verify returned 7
[tls] Done initial handshake
[tls] <<< TLS 1.0 Handshake [length 2e89], Certificate
--> verify error:num=19:self signed certificate in certificate chain
[tls] >>> TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert write:fatal:unknown CA
TLS_accept: error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
SSL: SSL_read failed in a system call (-1), TLS session fails.
TLS receive handshake failed during operation
[tls] eaptls_process returned 4
[eap] Handler failed in EAP/tls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect (self signed certificate in certificate chain): [N787laptop] (from client nms231s1-eapol-test port 0 cli 02-00-00-00-00-01@)
…
My FreeRADIUS configuration files and certificates have not changed and I used the default configure options when building the port. I only upgraded the freeradius port - no other ports were changed at that time. I did portupgrade OpenSSL about three weeks ago.
pkg_info -rR freeradius* output:
Code:
Information for freeradius-2.1.12_1:
Depends on:
Dependency: openssl-1.0.0_9
Dependency: python27-2.7.2_3
Dependency: perl-5.12.4_3
Dependency: libltdl-2.4.2
Dependency: gdbm-1.9.1
The really odd thing is that I used portdowngrade to revert to freeradius-2.1.12, and EAP-TLS authentications are still failing with the same error. That kind of points to an OpenSSL problem.
However, I deinstalled the freeradius port and built freeradius from the freeradius.org 2.1.12 source, and EAP-TLS authentications work fine using the same freeradius configuration files and certificates.
Has anyone else seen this or have any ideas about why it's behaving this way?
Thanks and regards.