On Wednesday 31 December 2014, Kapetanakis Giannis wrote:
> Hi,
>
> After upgrading to the latest snapshot I have problems with the freeradius 2.2.5
> package not starting.
>
> Specifically, the problem occurs while loading the eap-tls module:
>
> rlm_eap_tls: Couldn't set ephemeral RSA key
> rlm_eap: Failed to initialize type tls
> /etc/raddb/eap.conf[17]: Instantiation failed for module "eap"
>
> I've tried installing version 2.2.6 but I have the same problem.
>
> The program fails at:
> src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c
>
> /*
>   * Generate ephemeral RSA keys.
>   */
> static int generate_eph_rsa_key(SSL_CTX *ctx)
> {
>     RSA *rsa;
>
>     rsa = RSA_generate_key(512, RSA_F4, NULL, NULL);
>
>     if (!SSL_CTX_set_tmp_rsa(ctx, rsa)) {
>        radlog(L_ERR, "rlm_eap_tls: Couldn't set ephemeral RSA key");
>        return -1;
>     }
>
>     RSA_free(rsa);
>     return 0;
> }
>
> Is this related to FreeRADIUS, or to something in the OpenBSD SSL libraries?

Support for ephemeral RSA keys was removed from LibreSSL, since it should only 
be needed for export ciphers (no longer supported) or otherwise violating 
RFCs (as at first glance FreeRADIUS appears to do above).

Since you're already looking at the code, does it set SSL_OP_EPHEMERAL_RSA 
anywhere? If not, the above function is probably a noop. At the very least it 
is likely buggy since they are supposed to call SSL_CTX_need_tmp_RSA() to see 
if the temporary RSA key should be set, before calling SSL_CTX_set_tmp_rsa().

> regards,
>
> Giannis

-- 

    "Action without study is fatal. Study without action is futile."
        -- Mary Ritter Beard
