Re: Cannot get EAP-TLS to work with FreeRADIUS 0.7
Hi Artur

Artur Hecker wrote:
> hi
>
>> Yes, the EAP document with the FreeRADIUS 0.7 tar ball indicates that OpenSSL 0.9.6b or later (for example, 0.9.6c - 0.9.6g) should work. Others were having problems with that release, so I tried it, verified that it didn't work, tried to find out why it doesn't work (rlm needs more recent function calls), and found a version that definitely does work. I'm not saying I figured something out that nobody else knew, heck, I already knew it and was using 0.9.7 snapshots on other machines.
>
> ok, i wasn't trying to say that what you did was useless or something. i wanted to clarify things. for my own case, i always just took the newest openssl and it always worked (it was always the most recent 0.9.7) - since march or so... it's good to know exactly, so thanks for the clarification.

Sure thing. I didn't mean to sound defensive.

>> In any event, the configure routines should indicate which version is needed, and if it is not found, that should be reported as well. Otherwise, wrt to this module anyway, what's the point?
>
> the point is not what they should do. i asked if they did because i tend to think that they don't.

You're correct. They don't. :-(

>> What I didn't figure out, is why, even if configure succeeds, make did not fail when it tried to compile code referencing functions that did not exist in any of the include files?
>
> did you try it out personally? i somehow understood that Alan and you were talking about somebody else's tries. in that case, as i tried to explain, he could have been using a module which was not compiled with the server but before, in some earlier compilation.

Sorry I wasn't more clear. We were talking about somebody else, but I did try it out to verify it while I was building a new machine to run FreeRADIUS. I used FreeRADIUS 0.7.1 and OpenSSL 0.9.6b and I didn't notice any complaints and the module did build.

> in my case, configure NEVER succeeds simply because you need a -lcrypto after the -lssl in the makefile (took some time to find this one out)... i.e. the rlm_eap_tls is never compiled if i only do "./configure"... i should try the 0.8 release, perhaps monday, i'm not in the office right now.

I think that I recall having to add the -lcrypto in the past after I ran ./configure, but it appeared to be there in the 0.7.1 release already. (I'm not able to access that machine right now to verify.)

I'm not much of an expert when it comes to OpenSSL, but I do understand that some people would be hesitant to run a beta or earlier release of something so integral to their security. While I don't really mind running two versions - one for most things and one for the rlm_eap_tls module - it would be nice to have only one version for everything to use. I was just trying to figure out what version that may be and what the drawbacks to running that particular version of OpenSSL may be.

Sorry for any confusion.

Aron

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Cannot get EAP-TLS to work with FreeRADIUS 0.7
hi

> Yes, the EAP document with the FreeRADIUS 0.7 tar ball indicates that OpenSSL 0.9.6b or later (for example, 0.9.6c - 0.9.6g) should work. Others were having problems with that release, so I tried it, verified that it didn't work, tried to find out why it doesn't work (rlm needs more recent function calls), and found a version that definitely does work. I'm not saying I figured something out that nobody else knew, heck, I already knew it and was using 0.9.7 snapshots on other machines.

ok, i wasn't trying to say that what you did was useless or something. i wanted to clarify things. for my own case, i always just took the newest openssl and it always worked (it was always the most recent 0.9.7) - since march or so... it's good to know exactly, so thanks for the clarification.

> In any event, the configure routines should indicate which version is needed, and if it is not found, that should be reported as well. Otherwise, wrt to this module anyway, what's the point?

the point is not what they should do. i asked if they did because i tend to think that they don't.

> What I didn't figure out, is why, even if configure succeeds, make did not fail when it tried to compile code referencing functions that did not exist in any of the include files?

did you try it out personally? i somehow understood that Alan and you were talking about somebody else's tries. in that case, as i tried to explain, he could have been using a module which was not compiled with the server but before, in some earlier compilation.

in my case, configure NEVER succeeds simply because you need a -lcrypto after the -lssl in the makefile (took some time to find this one out)... i.e. the rlm_eap_tls is never compiled if i only do "./configure"... i should try the 0.8 release, perhaps monday, i'm not in the office right now.

ciao
artur

--
artur not at work
Re: Cannot get EAP-TLS to work with FreeRADIUS 0.7
Artur Hecker wrote:
> hi
>
>> Exactly. Which is strange that it did compile with 0.9.6b. I didn't capture all of the output, so I'm not sure what, if anything, it said about the function calls.
>>
>> For the record, the stable snapshot of OpenSSL 0.9.7 from 2002-10-30 works fine. Maybe Raghu can update the EAP document?
>>
>> Aron
>
> for as far as i know, raghu is not currently reading the list... (not sure about it).
>
> i actually didn't get your point: for the eap/tls module you need the openssl0.9.7 which is still beta, right? you said that there are some functions not available in the 0.9.6x version, no? so why would you ask if there is any reason for using the beta version? did i miss something?

Yes, the EAP document with the FreeRADIUS 0.7 tar ball indicates that OpenSSL 0.9.6b or later (for example, 0.9.6c - 0.9.6g) should work. Others were having problems with that release, so I tried it, verified that it didn't work, tried to find out why it doesn't work (rlm needs more recent function calls), and found a version that definitely does work. I'm not saying I figured something out that nobody else knew, heck, I already knew it and was using 0.9.7 snapshots on other machines.

A how-to from UMD indicated that as far as 0.9.7 is concerned, a snapshot, as opposed to a stable snapshot, was needed. That doesn't seem to be the case any more as the stable snapshots are all much more recent than the snapshots available at the time that the how-to was written.

> and i think that the configure routines for the rlm_eap_tls only test the init functions of libssl and libcrypto, which work in both release and betas... is there any version testing in there? i don't know.
>
> and are you sure, the compilation worked at the same point of time as he built the rlm_eap_tls? he could have built it before and then could have recompiled with "usual" configure, that is without rlm_eap_tls and that's the "old" rlm which the nex server tried to load due to the old config. then, the linker can't resolve symbols, that's all...

In any event, the configure routines should indicate which version is needed, and if it is not found, that should be reported as well. Otherwise, wrt to this module anyway, what's the point?

What I didn't figure out, is why, even if configure succeeds, make did not fail when it tried to compile code referencing functions that did not exist in any of the include files?

> ciao
> artur

--
Aron J. Silverton
Senior Staff Research Engineer
Motorola Laboratories, Networks and Infrastructure Research
Motorola, Inc.
Telephone: 847-576-8747
Fax: 847-576-3240
mailto: [EMAIL PROTECTED]
Re: Cannot get EAP-TLS to work with FreeRADIUS 0.7
hi

> Exactly. Which is strange that it did compile with 0.9.6b. I didn't capture all of the output, so I'm not sure what, if anything, it said about the function calls.
>
> For the record, the stable snapshot of OpenSSL 0.9.7 from 2002-10-30 works fine. Maybe Raghu can update the EAP document?
>
> Aron

for as far as i know, raghu is not currently reading the list... (not sure about it).

i actually didn't get your point: for the eap/tls module you need the openssl0.9.7 which is still beta, right? you said that there are some functions not available in the 0.9.6x version, no? so why would you ask if there is any reason for using the beta version? did i miss something?

and i think that the configure routines for the rlm_eap_tls only test the init functions of libssl and libcrypto, which work in both release and betas... is there any version testing in there? i don't know.

and are you sure, the compilation worked at the same point of time as he built the rlm_eap_tls? he could have built it before and then could have recompiled with "usual" configure, that is without rlm_eap_tls and that's the "old" rlm which the nex server tried to load due to the old config. then, the linker can't resolve symbols, that's all...

ciao
artur

--
Artur Hecker Groupe Accès et Mobilité
hecker[at]enst[dot]fr Département Informatique et Réseaux
+33 1 45 81 750746, rue Barrault 75634 Paris cedex 13
http://www.infres.enst.fr ENST Paris
Re: Cannot get EAP-TLS to work with FreeRADIUS 0.7
Alan DeKok wrote:
> "Aron Silverton" <[EMAIL PROTECTED]> wrote:
>> The necessary OpenSSL functions were not added until 0.9.7 as found in the SSL_CTX_set_msg_callback.pod. Does anybody know if there is any reason why a 0.9.7-beta, stable snapshot, or snapshot would be preferred over the others?
>
> No real reason. But I still think there's something wrong. If the function doesn't exist, then the module shouldn't even compile.

Exactly. Which is strange that it did compile with 0.9.6b. I didn't capture all of the output, so I'm not sure what, if anything, it said about the function calls.

For the record, the stable snapshot of OpenSSL 0.9.7 from 2002-10-30 works fine. Maybe Raghu can update the EAP document?

Aron
Re: Cannot get EAP-TLS to work with FreeRADIUS 0.7
"Aron Silverton" <[EMAIL PROTECTED]> wrote:
> The necessary OpenSSL functions were not added until 0.9.7 as found in the SSL_CTX_set_msg_callback.pod. Does anybody know if there is any reason why a 0.9.7-beta, stable snapshot, or snapshot would be preferred over the others?

No real reason. But I still think there's something wrong. If the function doesn't exist, then the module shouldn't even compile.

Alan DeKok.
Re: Cannot get EAP-TLS to work with FreeRADIUS 0.7
Ok, I read the original post more closely and maybe he was having both problems: wrong OpenSSL at first and then linker problems after that. I know that I wasn't having the linker issues.

The necessary OpenSSL functions were not added until 0.9.7 as found in the SSL_CTX_set_msg_callback.pod. Does anybody know if there is any reason why a 0.9.7-beta, stable snapshot, or snapshot would be preferred over the others?

Thanks,
Aron

Aron Silverton wrote:
> Alan DeKok wrote:
>> Jason Haar <[EMAIL PROTECTED]> wrote:
>>> I've compiled up 0.7 successfully under Redhat 7.2 with openssl-0.9.6b, but when I try to use xsupplicant on a WLAN Linux client, radiusd crashes:
>>
>> Uh, no. Your shared libraries are set up wrong. The server asks to do run-time linking, and *your* run-time linker fails to find that symbol.
>>
>>> radiusd: relocation error: /usr/lib/rlm_eap_tls-0.7.so: undefined symbol: SSL_set_msg_callback_arg
>>>
>>> I then tried compiling 0.7 under openssl-0.9.7 and under openssl-engine-0.9.6g (using LD_PRELOAD/etc) with the same error.
>>
>> Figure out how to get shared libraries working on your system. It's not the fault of the server that your dynamic linker can't resolve a symbol.
>
> Alan, I'm not sure that this is the problem. I tried to build a Linux machine today using OpenSSL 0.9.6b as indicated in the EAP documentation bundled with FreeRADIUS. (My existing builds are on FreeBSD using a later snapshot of OpenSSL.) After getting complaints from rlm_eap_tls-0.7.1.so about SSL_set_msg_callback, I dug around in the code to find that these functions being called from tls.c were not added to OpenSSL until after 0.9.6b.
>
>> See the FAQ and the comments around 'libdir' in radiusd.conf. The ONLY way to fix the problem is to fix your linker. There's NOTHING you can do to the server which will fix the problem.
>
> Unless there is nothing wrong with the linker as with my setup where "ldd rlm_eap_tls-0.7.1.so" and "ldd radiusd" show exactly what one would expect to see.
>
> I apologize if somebody has pointed this out already in the months that have passed since the original posts. Perhaps we can get the EAP document updated to indicate an appropriate version? This page, http://www.missl.cs.umd.edu/wireless/eaptls/#OPENSSL, which we are all familiar with, recommends 0.9.7, but I don't know if that is definitive. I'm hoping to look at later 0.9.6 releases to see if they include the calls later on today.
>
>> Alan DeKok.
>
> --
> Aron J. Silverton
> Senior Staff Research Engineer
> Motorola Laboratories, Networks and Infrastructure Research
> Motorola, Inc.
> Telephone: 847-576-8747
> Fax: 847-576-3240
> mailto: [EMAIL PROTECTED]
Re: Cannot get EAP-TLS to work with FreeRADIUS 0.7
Alan DeKok wrote:
> Jason Haar <[EMAIL PROTECTED]> wrote:
>> I've compiled up 0.7 successfully under Redhat 7.2 with openssl-0.9.6b, but when I try to use xsupplicant on a WLAN Linux client, radiusd crashes:
>
> Uh, no. Your shared libraries are set up wrong. The server asks to do run-time linking, and *your* run-time linker fails to find that symbol.
>
>> radiusd: relocation error: /usr/lib/rlm_eap_tls-0.7.so: undefined symbol: SSL_set_msg_callback_arg
>>
>> I then tried compiling 0.7 under openssl-0.9.7 and under openssl-engine-0.9.6g (using LD_PRELOAD/etc) with the same error.
>
> Figure out how to get shared libraries working on your system. It's not the fault of the server that your dynamic linker can't resolve a symbol.

Alan, I'm not sure that this is the problem. I tried to build a Linux machine today using OpenSSL 0.9.6b as indicated in the EAP documentation bundled with FreeRADIUS. (My existing builds are on FreeBSD using a later snapshot of OpenSSL.) After getting complaints from rlm_eap_tls-0.7.1.so about SSL_set_msg_callback, I dug around in the code to find that these functions being called from tls.c were not added to OpenSSL until after 0.9.6b.

> See the FAQ and the comments around 'libdir' in radiusd.conf. The ONLY way to fix the problem is to fix your linker. There's NOTHING you can do to the server which will fix the problem.

Unless there is nothing wrong with the linker as with my setup where "ldd rlm_eap_tls-0.7.1.so" and "ldd radiusd" show exactly what one would expect to see.

I apologize if somebody has pointed this out already in the months that have passed since the original posts. Perhaps we can get the EAP document updated to indicate an appropriate version? This page, http://www.missl.cs.umd.edu/wireless/eaptls/#OPENSSL, which we are all familiar with, recommends 0.9.7, but I don't know if that is definitive. I'm hoping to look at later 0.9.6 releases to see if they include the calls later on today.

> Alan DeKok.

--
Aron J. Silverton
Senior Staff Research Engineer
Motorola Laboratories, Networks and Infrastructure Research
Motorola, Inc.
Telephone: 847-576-8747
Fax: 847-576-3240
mailto: [EMAIL PROTECTED]
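Added example, not part of the thread: a pre-flight check for the situation described in the message above, where ldd finds every library yet the loader still stops on an undefined symbol. It compares the symbols a module imports against what its libraries export; the function names and both nm listings are constructed for illustration, and live input would come from GNU nm as noted in the comments.

```shell
#!/bin/sh
# Added example: report symbols a module imports that no listed library exports.
# Live input would come from GNU nm, for example:
#   nm -D --undefined-only rlm_eap_tls.so        > module.txt
#   nm -D --defined-only libssl.so libcrypto.so  > libs.txt

# unresolved_symbols MODULE_NM LIBS_NM
# Prints, sorted, every strong undefined symbol in MODULE_NM that does not
# appear as a defined symbol in LIBS_NM.
unresolved_symbols() {
    awk '
        function bare(s) { sub(/@.*/, "", s); return s }  # drop @VERSION suffix
        NF < 2 { next }                    # blank lines and "file:" headers
        { type = $(NF - 1); name = bare($NF) }
        FILENAME == ARGV[1] {              # first file: library exports
            if (type !~ /^[Uwv]$/) exported[name] = 1
            next
        }
        # second file: module imports; weak (w/v) imports may stay unresolved
        type == "U" && !(name in exported) && !seen[name]++ { print name }
    ' "$2" "$1" | LC_ALL=C sort
}

# Constructed sample: imports of a hypothetical EAP-TLS module.
sample_module_nm() {
    cat <<'EOF'
                 U SSL_CTX_new
                 U SSL_new
                 U SSL_set_msg_callback
                 U SSL_set_msg_callback_arg
                 U malloc@GLIBC_2.2.5
                 w __gmon_start__
EOF
}

# Constructed sample: exports of the libraries the loader found for it.
sample_libs_nm() {
    cat <<'EOF'

libssl.so:
0000000000012340 T SSL_CTX_new
0000000000012a80 T SSL_new
0000000000013c10 T SSL_ctrl

libc.so.6:
00000000000a1b20 T malloc@@GLIBC_2.2.5
EOF
}

# Runs the check on the constructed listings and prints what is unresolved.
demo() {
    dir=$(mktemp -d) || return 1
    sample_module_nm > "$dir/module.txt"
    sample_libs_nm > "$dir/libs.txt"
    unresolved_symbols "$dir/module.txt" "$dir/libs.txt"
    rm -rf "$dir"
}

demo
```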
Re: Cannot get EAP-TLS to work with FreeRADIUS 0.7
> there is a patch which should be already integrated in the release which
> supports that. if it doesn't grep the maillist archives for it, it was

oups: if it ISN'T of course...

--
Artur Hecker
artur[at]hecker.info
Re: Cannot get EAP-TLS to work with FreeRADIUS 0.7
> "Please note that WEP is not yet supported in freeradius"
>
> Is that still the case? The whole reason we're looking at EAP-TLS is to work around the gross security problems with WLANs - and EAP-TLS provides that protection by dynamically generating WEP session keys...

there is a patch which should be already integrated in the release which supports that. if it doesn't grep the maillist archives for it, it was submitted by Lars Viklund and Henrik Eriksson. if you don't find it, ask them, the addresses should be there.

ciao
artur

--
Artur Hecker
artur[at]hecker.info
Re: Cannot get EAP-TLS to work with FreeRADIUS 0.7
On Tue, Aug 13, 2002 at 09:35:22AM -0400, Alan DeKok wrote:
> Jason Haar <[EMAIL PROTECTED]> wrote:
> > I've compiled up 0.7 successfully under Redhat 7.2 with openssl-0.9.6b, but
> > when I try to use xsupplicant on a WLAN Linux client, radiusd crashes:
>
> Uh, no. Your shared libraries are set up wrong. The server asks to
> do run-time linking, and *your* run-time linker fails to find that symbol.

So you mean Redhat have it wrong again? There's a surprise :-)

> Figure out how to get shared libraries working on your
> system. It's not the fault of the server that your dynamic linker
> can't resolve a symbol.

Seriously? So no-one running Redhat can make this work (I've tried it under RH 7.1 and 7.2)? I've already had someone else e-mail me saying they have the same problem, so it looks pretty generic. The other rlm modules work fine - it's just the eap ones that have this problem (i.e. it's an openssl issue).

BTW: I did all the LD_PRELOAD and libdir stuff to no avail.

Anyway, now that I've read the docs, I'm wondering if EAP-TLS support is actually finished yet. doc/eap says:

"Please note that WEP is not yet supported in freeradius"

Is that still the case? The whole reason we're looking at EAP-TLS is to work around the gross security problems with WLANs - and EAP-TLS provides that protection by dynamically generating WEP session keys...

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: Cannot get EAP-TLS to work with FreeRADIUS 0.7
Jason Haar <[EMAIL PROTECTED]> wrote:
> I've compiled up 0.7 successfully under Redhat 7.2 with openssl-0.9.6b, but
> when I try to use xsupplicant on a WLAN Linux client, radiusd crashes:

Uh, no. Your shared libraries are set up wrong. The server asks to do run-time linking, and *your* run-time linker fails to find that symbol.

> radiusd: relocation error: /usr/lib/rlm_eap_tls-0.7.so: undefined symbol:
> SSL_set_msg_callback_arg
>
> I then tried compiling 0.7 under openssl-0.9.7 and under
> openssl-engine-0.9.6g (using LD_PRELOAD/etc) with the same error.

Figure out how to get shared libraries working on your system. It's not the fault of the server that your dynamic linker can't resolve a symbol.

See the FAQ and the comments around 'libdir' in radiusd.conf. The ONLY way to fix the problem is to fix your linker. There's NOTHING you can do to the server which will fix the problem.

Alan DeKok.
Cannot get EAP-TLS to work with FreeRADIUS 0.7
Hi there

I've compiled up 0.7 successfully under Redhat 7.2 with openssl-0.9.6b, but when I try to use xsupplicant on a WLAN Linux client, radiusd crashes:

    modcall: group authorize returns updated
    rad_check_password: Found Auth-Type EAP
    auth: type "EAP"
    modcall: entering group authenticate
    rlm_eap: processing type tls
    radiusd: relocation error: /usr/lib/rlm_eap_tls-0.7.so: undefined symbol: SSL_set_msg_callback_arg

I then tried compiling 0.7 under openssl-0.9.7 and under openssl-engine-0.9.6g (using LD_PRELOAD/etc) with the same error.

I then tried compiling 0.7 as:

    --with-static-modules="eap"

...but that just seems to merge rlm_eap.so into the binary - not the subsidiaries like rlm_eap_tls.so - where the problem is.

I've also tried all the above with the freeradius out of CVS - same problem.

Can anyone tell me what I'm missing? This looks pretty close to working, so I don't want to give up :-)

Thanks!

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1