On 31/12/14 04:37, Joel Sing wrote:
> On Wednesday 31 December 2014, Kapetanakis Giannis wrote:
>> Hi,
>>
>> After upgrading to the latest snapshot I have problems with the freeradius 2.2.5
>> package not starting.
>>
>> Specifically, the problem occurs when loading the eap-tls module:
>>
>> rlm_eap_tls: Couldn't set ephemeral RSA key
>> rlm_eap: Failed to initialize type tls
>> /etc/raddb/eap.conf[17]: Instantiation failed for module "eap"
>>
>> I've tried installing version 2.2.6 but I have the same problem.
>>
>> The program fails at:
>> src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c
>>
>> /*
>>  * Generate ephemeral RSA keys.
>>  */
>> static int generate_eph_rsa_key(SSL_CTX *ctx)
>> {
>>      RSA *rsa;
>>
>>      /* 512-bit key: the size used for export-grade RSA key exchange. */
>>      rsa = RSA_generate_key(512, RSA_F4, NULL, NULL);
>>      if (!rsa) {
>>         radlog(L_ERR, "rlm_eap_tls: Couldn't generate ephemeral RSA key");
>>         return -1;
>>      }
>>
>>      /* SSL_CTX_set_tmp_rsa() duplicates the key, so rsa must be freed on every path. */
>>      if (!SSL_CTX_set_tmp_rsa(ctx, rsa)) {
>>         radlog(L_ERR, "rlm_eap_tls: Couldn't set ephemeral RSA key");
>>         RSA_free(rsa);
>>         return -1;
>>      }
>>
>>      RSA_free(rsa);
>>      return 0;
>> }
>>
>> Is this related to freeradius or something with the OpenBSD ssl libraries?
> Support for ephemeral RSA keys was removed from LibreSSL, since it should only
> be needed for export ciphers (no longer supported) or otherwise violating
> RFCs (as at first glance FreeRADIUS appears to do above).
>
> Since you're already looking at the code, does it set SSL_OP_EPHEMERAL_RSA
> anywhere? If not, the above function is probably a noop. At the very least it
> is likely buggy since they are supposed to call SSL_CTX_need_tmp_RSA() to see
> if the temporary RSA key should be set, before calling SSL_CTX_set_tmp_rsa().


Well, I already got it working last night by adding a check
for SSL_CTX_need_tmp_RSA before calling SSL_CTX_set_tmp_rsa.

So if I get it right, since I'm using the HIGH ciphersuite I will never need an ephemeral RSA key, correct?
Is there a case where SSL_CTX_need_tmp_RSA() will be true?

SSL_OP_EPHEMERAL_RSA is not defined anywhere.

G