EAP-TLS local issuer cert problem

EAP-TLS local issuer cert problem

Users mailing list
Hi, seems like I poorly expressed my problem in my previous message, sorry for that.
I seem to experience a bug in the OpenBSD pkg of Freeradius 3.0.21. Server denies access to client with good certs. These work perfectly well in an absolutely identical installation on FreeBSD...
And I can't understand what's happening. It verifies the cert, says OK. But then verifies again and says NOT OK. Looks like the second time temp. file it's trying to read is already removed....  or what?
OpenBSD ktrace output of #radiusd -X session is attached, hope it will help. It's in text format.
Thank you for help.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Attachment: dump.txt (220K)

Re: EAP-TLS local issuer cert problem

Alan DeKok-2
On Dec 21, 2020, at 1:58 PM, Kostya Berger via Freeradius-Users <[hidden email]> wrote:
>
> Hi, seems like I poorly expressed my problem in my previous message, sorry for that.
> I seem to experience a bug in the OpenBSD pkg of Freeradius 3.0.21. Server denies access to client with good certs. These work perfectly well in an absolutely identical installation on FreeBSD...

  It's a bug in either (a) the OpenBSD package of FreeRADIUS, or (b) LibreSSL on OpenBSD.

  There really isn't much we can do to fix it.  If it works on FreeBSD and not on OpenBSD, then the problem is OpenBSD.

> And I can't understand what's happening. It verifies the cert, says OK. But then verifies again and says NOT OK. Looks like the second time temp. file it's trying to read is already removed....  or what?
> OpenBSD ktrace output of #radiusd -X session is attached, hope it will help. It's in text format.

  Build FreeRADIUS from source on OpenBSD.  i.e. don't use their package.  If you still see the problem, then LibreSSL is broken.  If you don't see the problem, then the OpenBSD people patched FreeRADIUS and broke it.

  Alan DeKok.


