>
> Martin Ubank wrote:
> > The following lines from the output of the 'eapol_test' command seem
> to indicate a problem with the root certificate.:
> >
> > OpenSSL: tls_connection_ca_cert - Failed to load root certificates
> error:00000000:lib(0):func(0):reason(0)
>
> Fix that and it should work.
I've not been able to fix it yet.
The Openssl-Users list hasn't been able to suggest anything.
I am running 'eapol_test -c test.conf -s testing123' from the CentOS VM on
which FreeRadius is installed.
test.conf contains:
#
# eapol_test -c peap-mschapv2-cert-ntlm_auth.conf -s testing123
#
# eapol_version=1
# fast_reauth=0
network={
key_mgmt=WPA-EAP
eap=PEAP
identity="USERNAME"
# anonymous_identity="anonymous"
password="PASSWORD"
phase2="autheap=MSCHAPV2"
# priority=10
#
# Uncomment the following to perform server certificate validation.
ca_cert="/etc/raddb/certs/ca.der"
}
/etc/raddb/certs/ca.der was created by running 'make' which, I believe,
executes the 'bootstrap' script.
The 'bootstrap' script contains:
#!/bin/sh
#
# This is a wrapper script to create default certificates when the
# server first starts in debugging mode. Once the certificates have been
# created, this file should be deleted.
#
# Ideally, this program should be run as part of the installation of any
# binary package. The installation should also ensure that the permissions
# and owners are correct for the files generated by this script.
#
# $Id$
#
umask 027
cd `dirname $0`
make -h > /dev/null 2>&1
#
# If we have a working "make", then use it. Otherwise, run the commands
# manually.
#
if [ "$?" = "0" ]; then
make all
exit $?
fi
#
# The following commands were created by running "make -n", and edited
# to remove the trailing backslash, and to add "exit 1" after the commands.
#
# Don't edit the following text. Instead, edit the Makefile, and
# re-generate these commands.
#
if [ ! -f dh ]; then
openssl dhparam -out dh 1024 || exit 1
if [ -e /dev/urandom ] ; then
dd if=/dev/urandom of=./random count=10 >/dev/null 2>&1;
else
date > ./random;
fi
fi
if [ ! -f server.key ]; then
openssl req -new -out server.csr -keyout server.key -config ./server.cnf ||
exit 1
fi
if [ ! -f ca.key ]; then
openssl req -new -x509 -keyout ca.key -out ca.pem -days `grep default_days
ca.cnf | sed 's/.*=//;s/^ *//'` -config ./ca.cnf
|| exit 1
fi
if [ ! -f index.txt ]; then
touch index.txt
fi
if [ ! -f serial ]; then
echo '01' > serial
fi
if [ ! -f server.crt ]; then
openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr -key `grep
output_password ca.cnf | sed 's/.*=//;s/^ *//'` -
out server.crt -extensions xpserver_ext -extfile xpextensions -config
./server.cnf || exit 1
fi
if [ ! -f server.p12 ]; then
openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12
-passin pass:`grep output_password server.cnf | se
d 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed
's/.*=//;s/^ *//'` || exit 1
fi
if [ ! -f server.pem ]; then
openssl pkcs12 -in server.p12 -out server.pem -passin pass:`grep
output_password server.cnf | sed 's/.*=//;s/^ *//'` -passo
ut pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` || exit 1
fi
if [ ! -f ca.der ]; then
openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der || exit 1
fi
if [ ! -f client.key ]; then
openssl req -new -out client.csr -keyout client.key -config ./client.cnf
fi
if [ ! -f client.crt ]; then
openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key `grep
output_password ca.cnf | sed 's/.*=//;s/^ *//'` -
out client.crt -extensions xpclient_ext -extfile xpextensions -config
./client.cnf
fi
>From this script, I understand that:
ca.der is created by 'openssl x509 -inform PEM -outform DER -in ca.pem -out
ca.der';
ca.key & ca.pem are created by
'openssl req -new -x509 -keyout ca.key -out ca.pem -days `grep default_days
ca.cnf | sed 's/.*=//;s/^ *//'` -config ./ca.cnf'.
So, how does FreeRadius expect to load the root certificate from ca.der?
If it can't, then what file should be in the ca_cert directive in my test.conf
file?
Or, is 'eapol_test' not the correct way to test "Configuring FreeRADIUS to use
ntlm_auth for MS-CHAP"?
In which case, how should I test it?
Thanks for any help anyone can give.
Let me know if any more information would be useful.
Martin.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
