Bug#1032590: Intermediate certificate support

2023-03-14 Thread Sakirnth Nagarasa
Hello Bernhard

Sorry, I was not clear enough.

On 3/13/23 22:14, Bernhard Schmidt wrote:
> - The LDAP TLS error was caused by a local change (libldap built against
> OpenSSL instead of GnuTLS)
Yes, that was the case.

> - Intermediate CA support works for you in 3.2.2-1~exp1
That's true.

> - but not in 3.2.1-3 where I have backported the commit?
I tested this now and intermediate CA support works also with Freeradius
version 3.2.1-3.

Thank you again!

Regards
Sakirnth



Bug#1032590: Intermediate certificate support

2023-03-13 Thread Bernhard Schmidt

On 13.03.23 at 16:29, Sakirnth Nagarasa wrote:

Hi,

> On 3/13/23 15:02, Bernhard Schmidt wrote:
>> Humm .. but there IS a change fixing intermediate CA support in 3.2.2...
> Yes the intermediate CA support works now on version 3.2.2. I tested
> that in my setup.


So, if I understand you correctly:

- The LDAP TLS error was caused by a local change (libldap built against 
OpenSSL instead of GnuTLS)

- Intermediate CA support works for you in 3.2.2-1~exp1
- but not in 3.2.1-3 where I have backported the commit?

Sorry to be asking again, but I need to know quite soon whether to file 
an unblock request for -3, revert the backported fix because it does not 
do any good, or ask for a pre-approval for 3.2.2.


Thanks,
Bernhard



Bug#1032590: Intermediate certificate support

2023-03-13 Thread Sakirnth Nagarasa
On 3/13/23 15:02, Bernhard Schmidt wrote:
> Humm .. but there IS a change fixing intermediate CA support in 3.2.2...
Yes the intermediate CA support works now on version 3.2.2. I tested
that in my setup.

Regards
Sakirnth



Bug#1032590: Intermediate certificate support

2023-03-13 Thread Bernhard Schmidt

On 13.03.23 at 14:48, Sakirnth Nagarasa wrote:

Hi,

> On 3/11/23 22:01, Bernhard Schmidt wrote:
>> Just to make sure, could you quickly verify which of these versions are
>> broken as well in your setup?
>>
>> - 3.2.1-1 from testing
>> - 3.2.1-2 from
>> http://snapshot.debian.org/package/freeradius/3.2.1%2Bdfsg-2/
>> - 3.2.2-1~exp1 from experimental (just uploaded, might take a few hours
>> to appear in the archive)
> It doesn't work for all listed versions in my setup. But in my company
> the libldap package is built against OpenSSL instead of GnuTLS. And on
> Saturday I installed the Debian version of freeradius-ldap built against
> libldap linked to GnuTLS. Therefore it didn't work. After I built
> freeradius-ldap version 3.2.2-1~exp1 against libldap linked to the
> OpenSSL it worked. So on Saturday I didn't test the same setup, like before.
>
> Therefore everything works, it was my mistake. Thank you very much for
> uploading the new version.


Humm .. but there IS a change fixing intermediate CA support in 3.2.2...

@Daniel: Do you have a chance to test this, since you reported it in 
#1032572?


Bernhard



Bug#1032590: Intermediate certificate support

2023-03-13 Thread Sakirnth Nagarasa
Hi Bernhard

On 3/11/23 22:01, Bernhard Schmidt wrote:
> Just to make sure, could you quickly verify which of these versions are
> broken as well in your setup?
> 
> - 3.2.1-1 from testing
> - 3.2.1-2 from
> http://snapshot.debian.org/package/freeradius/3.2.1%2Bdfsg-2/
> - 3.2.2-1~exp1 from experimental (just uploaded, might take a few hours
> to appear in the archive)
It doesn't work for all listed versions in my setup. But in my company
the libldap package is built against OpenSSL instead of GnuTLS. And on
Saturday I installed the Debian version of freeradius-ldap built against
libldap linked to GnuTLS. Therefore it didn't work. After I built
freeradius-ldap version 3.2.2-1~exp1 against libldap linked to the
OpenSSL it worked. So on Saturday I didn't test the same setup, like before.

Therefore everything works, it was my mistake. Thank you very much for
uploading the new version.

Regards
Sakirnth



Bug#1032590: Intermediate certificate support

2023-03-11 Thread Bernhard Schmidt

On 11.03.23 at 14:51, Sakirnth Nagarasa wrote:

Hi,

> On 3/10/23 08:55, Bernhard Schmidt wrote:
>> I will upload a 3.2.1-3 within the next hours to cherry-pick this, could
>> you please test the resulting binary and report back? I will then apply
>> for a freeze exception.
>
> Thank you for uploading the new version. I quickly tested the new binary
> in our setup, Freeradius can not bind to ldap server anymore with
> version 3.2.1-3.

Meh :-(

> TLS: can't connect: (unknown error code).
> Sat Mar 11 14:28:38 2023 : Error: rlm_ldap (ldap): Bind with (anonymous)
> to ldaps://${LDAP_SERVER}:636 failed: Can't contact LDAP server
> Sat Mar 11 14:28:38 2023 : Debug: rlm_ldap: Closing libldap handle

TLS issue, sounds related to my cherry-picked patch.

Unfortunately there are a lot of patches between 3.2.1 and 3.2.2, and 
the commit messages aren't always as descriptive as they could be.


https://github.com/FreeRADIUS/freeradius-server/compare/release_3_2_1...release_3_2_2

https://github.com/FreeRADIUS/freeradius-server/commit/d23987cbf55821dc56ab70d5ce6af3305cf83289
https://github.com/FreeRADIUS/freeradius-server/commit/3d08027f30c6d9c1eaccf7d60c68c8f7d78017c3

are likely candidates.

Just to make sure, could you quickly verify which of these versions are 
broken as well in your setup?


- 3.2.1-1 from testing
- 3.2.1-2 from http://snapshot.debian.org/package/freeradius/3.2.1%2Bdfsg-2/
- 3.2.2-1~exp1 from experimental (just uploaded, might take a few hours 
to appear in the archive)


Bernhard



Bug#1032590: Intermediate certificate support

2023-03-11 Thread Sakirnth Nagarasa
Hi Bernhard

On 3/10/23 08:55, Bernhard Schmidt wrote:
> I will upload a 3.2.1-3 within the next hours to cherry-pick this, could
> you please test the resulting binary and report back? I will then apply
> for a freeze exception.

Thank you for uploading the new version. I quickly tested the new binary
in our setup, Freeradius can not bind to ldap server anymore with
version 3.2.1-3.

If you want I can further investigate on Monday. But for now the only
thing I can send to you is this output:

Sat Mar 11 14:28:38 2023 : Debug: LDAP server string:
ldaps://${LDAP_SERVER}:636
Sat Mar 11 14:28:38 2023 : Debug: rlm_ldap (ldap): Using local pool section
Sat Mar 11 14:28:38 2023 : Debug: rlm_ldap (ldap): No pool reference
found for config item "ldap.pool"
Sat Mar 11 14:28:38 2023 : Debug: rlm_ldap (ldap): Initialising
connection pool
Sat Mar 11 14:28:38 2023 : Debug:pool {
Sat Mar 11 14:28:38 2023 : Debug:   start = 5
Sat Mar 11 14:28:38 2023 : Debug:   min = 3
Sat Mar 11 14:28:38 2023 : Debug:   max = 32
Sat Mar 11 14:28:38 2023 : Debug:   spare = 10
Sat Mar 11 14:28:38 2023 : Debug:   uses = 0
Sat Mar 11 14:28:38 2023 : Debug:   lifetime = 0
Sat Mar 11 14:28:38 2023 : Debug:   cleanup_interval = 30
Sat Mar 11 14:28:38 2023 : Debug:   idle_timeout = 60
Sat Mar 11 14:28:38 2023 : Debug:   retry_delay = 30
Sat Mar 11 14:28:38 2023 : Debug:   spread = no
Sat Mar 11 14:28:38 2023 : Debug:}
Sat Mar 11 14:28:38 2023 : Info: rlm_ldap (ldap): Opening additional
connection (0), 1 of 32 pending slots used
Sat Mar 11 14:28:38 2023 : Debug: rlm_ldap (ldap): Connecting to
ldaps://${LDAP_SERVER}:636
Sat Mar 11 14:28:38 2023 : Debug: rlm_ldap (ldap): New libldap handle
0x5653f2b3ba40
TLS: can't connect: (unknown error code).
Sat Mar 11 14:28:38 2023 : Error: rlm_ldap (ldap): Bind with (anonymous)
to ldaps://${LDAP_SERVER}:636 failed: Can't contact LDAP server
Sat Mar 11 14:28:38 2023 : Debug: rlm_ldap: Closing libldap handle
0x5653f2b3ba40
Sat Mar 11 14:28:38 2023 : Error: rlm_ldap (ldap): Opening connection
failed (0)
Sat Mar 11 14:28:38 2023 : Debug: rlm_ldap (ldap): Removing connection pool
Sat Mar 11 14:28:38 2023 : Error:
/etc/freeradius/3.0/mods-enabled/ldap[8]: Instantiation failed for
module "ldap"

Thank you and cheers
Sakirnth
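
Added example (not part of the original thread, and not FreeRADIUS code): the debug log above reached the list hard-wrapped by the mail client, so continuation lines carry no timestamp. This Python code rejoins the wrapped records and pairs the un-timestamped `TLS:` line with the rlm_ldap bind error that follows it; `parse`, `tls_bind_failures` and the `Library` level are names made up here, and treating the `TLS:` line as output of the LDAP/TLS library is an assumption.

```python
import re

# Start of a timestamped FreeRADIUS log record: "<date> : <Level>: <message>"
STAMP = re.compile(r"^\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4} : (\w+): ?(.*)$")

# Excerpt of the log posted in the thread, mail line-wrapping left in place.
SAMPLE = """\
Sat Mar 11 14:28:38 2023 : Debug: rlm_ldap (ldap): New libldap handle
0x5653f2b3ba40
TLS: can't connect: (unknown error code).
Sat Mar 11 14:28:38 2023 : Error: rlm_ldap (ldap): Bind with (anonymous)
to ldaps://${LDAP_SERVER}:636 failed: Can't contact LDAP server
Sat Mar 11 14:28:38 2023 : Error: rlm_ldap (ldap): Opening connection
failed (0)
Sat Mar 11 14:28:38 2023 : Error:
/etc/freeradius/3.0/mods-enabled/ldap[8]: Instantiation failed for
module "ldap"
"""

def parse(text):
    """Rejoin mail-wrapped lines into (level, message) records."""
    records = []
    for line in text.splitlines():
        m = STAMP.match(line)
        if m:
            records.append([m.group(1), m.group(2)])
        elif line.startswith("TLS:"):
            # No timestamp: assumed to be written by the LDAP/TLS library itself.
            records.append(["Library", line])
        elif records and line.strip():
            records[-1][1] = (records[-1][1] + " " + line.strip()).strip()
    return [tuple(r) for r in records]

def tls_bind_failures(records):
    """Pair each library TLS message with the rlm_ldap bind error after it."""
    found, pending = [], None
    for level, msg in records:
        if level == "Library":
            pending = msg
        elif level == "Error" and pending and "Bind with" in msg:
            uri = re.search(r"\bto (ldaps?://\S+) failed", msg)
            found.append({"tls": pending, "uri": uri and uri.group(1), "error": msg})
            pending = None
    return found

if __name__ == "__main__":
    for f in tls_bind_failures(parse(SAMPLE)):
        print(f["uri"], "->", f["tls"])
```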



Bug#1032590: Intermediate certificate support

2023-03-09 Thread Bernhard Schmidt
Control: forwarded -1 
https://github.com/FreeRADIUS/freeradius-server/issues/4753
Control: priority -1 important
Control: found -1 3.0.25+dfsg-1

On 09/03/23 05:29 PM, Sakirnth Nagarasa wrote:

Hi,

> It would be great if you could upgrade freeradius version 3.2.2 to
> Debian. With that certificate chains can be used without failing.
> 
> It patches this bug:
> https://github.com/FreeRADIUS/freeradius-server/issues/4753

Thanks for the report. Unfortunately we are in Freeze already, so just
uploading 3.2.2 is not easily possible.

https://release.debian.org/testing/freeze_policy.html

However, I can backport patches. According to the GH issue you provided
the bug was introduced in 3.0.22 and fixed with 

https://github.com/FreeRADIUS/freeradius-server/commit/aa5b642a3d6fed8663e5242d91884d25d14e9f53

I will upload a 3.2.1-3 within the next hours to cherry-pick this, could
you please test the resulting binary and report back? I will then apply
for a freeze exception.

Bernhard




Bug#1032590: Intermediate certificate support

2023-03-09 Thread Sakirnth Nagarasa
Package: freeradius

Hi,

It would be great if you could upgrade freeradius version 3.2.2 to
Debian. With that certificate chains can be used without failing.

It patches this bug:
https://github.com/FreeRADIUS/freeradius-server/issues/4753

https://github.com/FreeRADIUS/freeradius-server/releases/tag/release_3_2_2

Thanks and cheers,
Saki