freeradius-2.1.12_1 breaks EAP-TLS auth?

Hello,

After using portupgrade to go from freeradius-2.1.12 to freeradius-2.1.12_1 on FreeBSD 8.2-RELEASE, EAP-TLS authentication no longer works. Username/password authentications with the PAM module work fine on the freeradius-2.1.12_1 port.

All EAP-TLS authentications fail with radiusd reporting a "self signed cert" error (radiusd -X output):

Code:
…
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] eaptls_verify returned 7
[tls] Done initial handshake
[tls] <<< TLS 1.0 Handshake [length 2e89], Certificate
--> verify error:num=19:self signed certificate in certificate chain
[tls] >>> TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert write:fatal:unknown CA
    TLS_accept: error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
SSL: SSL_read failed in a system call (-1), TLS session fails.
TLS receive handshake failed during operation
[tls] eaptls_process returned 4
[eap] Handler failed in EAP/tls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect (self signed certificate in certificate chain): [N787laptop] (from client nms231s1-eapol-test port 0 cli 02-00-00-00-00-01@)
…

My FreeRADIUS configuration files and certificates have not changed and I used the default configure options when building the port. I only upgraded the freeradius port - no other ports were changed at that time. I did portupgrade OpenSSL about three weeks ago.

pkg_info -rR freeradius* output:

Code:
Information for freeradius-2.1.12_1:

Depends on:
Dependency: openssl-1.0.0_9
Dependency: python27-2.7.2_3
Dependency: perl-5.12.4_3
Dependency: libltdl-2.4.2
Dependency: gdbm-1.9.1

The really odd thing is that I used portdowngrade to revert to freeradius-2.1.12, and EAP-TLS authentications are still failing with the same error. That kind of points to an OpenSSL problem.

However, I deinstalled the freeradius port and built freeradius from the freeradius.org 2.1.12 source, and EAP-TLS authentications work fine using the same freeradius configuration files and certificates.

Has anyone else seen this or have any ideas about why it's behaving this way?

Thanks and regards.
 
OK, this appears to be an OpenSSL problem, not a FreeRADIUS problem.

I deinstalled openssl-1.0.0_9, deinstalled freeradius-2.1.12_1, installed freeradius-2.1.12_1 using make -DWITH_OPENSSL_BASE install clean, then reinstalled openssl-1.0.0_9 and EAP-TLS authentication now works fine.

So, freeradius-2.1.12_1 + base OpenSSL (0.9.8q) is OK, but
freeradius-2.1.12_1 + latest OpenSSL port (1.0.0g) breaks EAP-TLS.
 
It turns out that the subject hashing algorithm changed from OpenSSL 0.9.8 to 1.0.0, so freeradius built against the latest OpenSSL port couldn't read the CA cert hashes created by c_rehash using OpenSSL 0.9.8. See http://www.openssl.org/docs/apps/x509.html:

The hash algorithm used in the -subject_hash and -issuer_hash options before OpenSSL 1.0.0 was based on the deprecated MD5 algorithm and the encoding of the distinguished name. In OpenSSL 1.0.0 and later it is based on a canonical version of the DN using SHA1. This means that any directories using the old form must have their links rebuilt using c_rehash or similar.

I deinstalled/installed freeradius-2.1.12_1 with the latest OpenSSL port, ran c_rehash on my CA directory to generate new symlinks, and EAP-TLS authentications now work.
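Added example (not from the thread, and not FreeRADIUS or ports code) that reproduces the mismatch described above with a constructed throwaway CA: a CApath hashed the 0.9.8 way is invisible to a 1.0.0-style lookup until the links are rebuilt. It assumes an openssl binary of 1.0.0 or later, which understands -subject_hash_old.

```shell
#!/bin/sh
# Show why CA links hashed under OpenSSL 0.9.8 are not found by OpenSSL >= 1.0.0,
# then rebuild the links the way c_rehash does. Assumes openssl(1) >= 1.0.0.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CADIR="$WORK/cacerts"
mkdir -p "$CADIR"

# Constructed throwaway CA certificate standing in for the poster's real CA.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example EAP-TLS CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# Pre-1.0.0 hash (MD5 over the raw DN) and 1.0.0+ hash (SHA1 over canonical DN).
old_hash() { openssl x509 -noout -subject_hash_old -in "$1"; }
new_hash() { openssl x509 -noout -subject_hash     -in "$1"; }

# Link a CA cert into a CApath directory as <hash>.0, mimicking c_rehash.
# $1 = directory, $2 = absolute path to cert, $3 = hash to use.
link_ca() { ln -sf "$2" "$1/$3.0"; }

# Can a 1.0.0+ verifier find the CA through -CApath? Prints ok or fail.
verify_with_capath() {
    if openssl verify -CApath "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

OLD=$(old_hash "$WORK/ca.pem"); NEW=$(new_hash "$WORK/ca.pem")
echo "0.9.8-style hash: $OLD   1.0.0-style hash: $NEW"

# 1. Directory populated by an old c_rehash: lookups under the new scheme miss,
#    which is the "self signed certificate in certificate chain" failure above.
link_ca "$CADIR" "$WORK/ca.pem" "$OLD"
echo "lookup with old-style links only: $(verify_with_capath "$CADIR" "$WORK/ca.pem")"

# 2. Re-hash with the 1.0.0 algorithm (what re-running c_rehash does): found.
link_ca "$CADIR" "$WORK/ca.pem" "$NEW"
echo "lookup after re-hashing:          $(verify_with_capath "$CADIR" "$WORK/ca.pem")"
```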
 