Hi Remy and everyone,

In message <[EMAIL PROTECTED]>, Remy de Ruysscher <[EMAIL PROTECTED]> writes
>I just upgraded FR 1.1.4 to 1.1.6 on FreeBSD 6.1. And FR has always
>worked wonderfully for me in the past.

I'm the maintainer of the FreeBSD port. My 6.2-RELEASE-p2 i386 system uses EAP-TLS - and it works fine, so it is probably something with your setup.

I'm assuming you're using the port - though you didn't say so specifically.

I use the OpenSSL port - and suggest you do too, as the version of OpenSSL in the base system is rather old. If you've got the OpenSSL port installed, the FreeRADIUS port will notice and make use of it automatically. The package, meanwhile, uses the base OpenSSL.

If you install the OpenSSL port, you'll need to rebuild the FreeRADIUS port for FreeRADIUS to use it. If you have portupgrade installed, and want to switch to using the OpenSSL port, try:

    portupgrade -N security/openssl
    portupgrade -f net/freeradius
    /usr/local/etc/rc.d/radius start

I suggest you also rebuild any other ports that use OpenSSL if you've installed the OpenSSL port for the first time. Use portupgrade -f or similar.

Of course, it could be that your server certificate is actually bad. Do the results of:

    openssl verify -CAfile demoCA/cacert.pem -verbose cert-srv.pem

and

    openssl x509 -in cert-srv.pem -noout -text

look OK? You may need to adjust the filenames according to your environment - I'm presuming that you're in your raddb certificates folder. If you have the OpenSSL port installed, I suggest you explicitly use /usr/local/bin/openssl instead of openssl in the commands above.

The handling of raddb upgrading has changed significantly from version 1.1.4 of the port to 1.1.6. It's just possible that your certificates have got stomped on if they are in /usr/local/etc/raddb/certs (adjusted accordingly if you have a non-standard ${PREFIX}), but I can't think why, as the script is fairly careful in checking before overwriting anything in raddb.

That said, the new behaviour on uninstallation is to check any files in raddb against the distribution, and delete unmodified files. On installation, it copies the distribution files to raddb unless there's already a file of the same name.
It's possible that your upgrade to 1.1.6 has created mixed versions (new uncustomised files and your customisations based on a rather older version of FreeRADIUS) - and that's introduced a problem, though I feel this is unlikely.

My favourite is either there's something wrong with your server certificate, or it's a problem with the base system OpenSSL that you can cure by moving to the OpenSSL port.

I'd be interested to know how you get on, particularly if the problem turns out to be something different.

If you want a tarball of the 1.1.4 port, email me - I can pull out the last version of 1.1.4 from my local Subversion repository before I upgraded the port to 1.1.5.

There were a lot of fixes in the 1.1.4 timeframe - there was a 1.1.4 port on 15 January 2007, 1.1.4_1 on 18 January 2007, and a rewrap of 1.1.4_1 on 23 January 2007.

The 15 January -> 18 January transition merely disabled rlm_sql_firebird (otherwise the port failed to build with experimental modules disabled). The 18 January -> 23 January 2007 update contained a bunch of fixes, including the first version of the revised raddb handling (the very first time that the port touched files other than those suffixed .sample in raddb).

http://www.freshports.org/net/freeradius/ will walk you through the changes in more detail, though my local Subversion repository is more finely grained. There were two further changes before I upgraded to 1.1.5 - support for the freeradius-mysql slave port, and a change to the current version of raddb handling.

However, I hope we can get the 1.1.6 port working on your machine, and I don't have to unravel the many changes made from the last version of 1.1.4_1 through 1.1.5 to 1.1.6.

Best wishes,

David
-- 
David Wood
[EMAIL PROTECTED]
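
The "mixed versions" possibility raised in the message above can be checked by comparing the live raddb tree with a pristine copy of the distribution files. This is an added example, not part of the original message and not the port's own install script; the function name classify_raddb and both directory arguments are assumptions, since the message does not say where a reference copy of the distribution files lives.

```sh
#!/bin/sh
# Added example: not the FreeBSD port's own install/deinstall script.
# Classifies files in a raddb directory against a pristine copy of the
# distribution's raddb files. Both directory arguments are assumptions: the
# message does not say where the port keeps its reference copies.

# classify_raddb DIST_DIR RADDB_DIR
# Prints "<status> <relative path>" per file, sorted by path:
#   unmodified  identical to the distribution file (deleted on uninstall)
#   customised  differs from the distribution file (left alone by the port)
#   local-only  no distribution counterpart, e.g. your own certificates
#   missing     distribution file absent from raddb (copied on install)
classify_raddb() {
    dist=$1
    raddb=$2
    [ -d "$dist" ] && [ -d "$raddb" ] || {
        echo "usage: classify_raddb DIST_DIR RADDB_DIR" >&2
        return 2
    }
    {
        # Walk the live raddb tree first.
        (cd "$raddb" && find . -type f) | while IFS= read -r f; do
            f=${f#./}
            if [ ! -f "$dist/$f" ]; then
                echo "local-only $f"
            elif cmp -s "$dist/$f" "$raddb/$f"; then
                echo "unmodified $f"
            else
                echo "customised $f"
            fi
        done
        # Then report distribution files that raddb lacks.
        (cd "$dist" && find . -type f) | while IFS= read -r f; do
            f=${f#./}
            if [ ! -f "$raddb/$f" ]; then echo "missing $f"; fi
        done
    } | sort -k2
}

# Stand-alone use: sh classify_raddb.sh DIST_DIR RADDB_DIR
if [ "$#" -eq 2 ]; then classify_raddb "$1" "$2"; fi
```

Files reported as customised are the ones to compare by hand against the new distribution versions; certificates should appear as local-only or customised, never as missing.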