Error starting radiusd when specifying private_key_password (INTERNAL)


Error starting radiusd when specifying private_key_password (INTERNAL)

Per.Weisteen
Hi

I've installed FreeRADIUS 3.0.13 on CentOS 7 and generated my own set of CA, intermediate and server certificates using openssl version 1.0.2k-fips.
Certificates etc. are generated using https://jamielinux.com/docs/openssl-certificate-authority/ modified with info from https://devcentral.f5.com/s/articles/building-an-openssl-certificate-authority-introduction-and-design-considerations-for-elliptical-curves-27720


I've configured mods-enabled/eap using a private_key_password with a length of 20 characters.
Starting in debug mode I get error messages:

tls: Failed reading private key file "/etc/raddb/certs/oslo-radius01v4-test.nsc.no.pem"
tls: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt
tls: error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error
tls: error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error
tls: error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib
tls: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
rlm_eap_tls: Failed initializing SSL context
rlm_eap (EAP): Failed to initialise rlm_eap_tls
/etc/raddb/mods-enabled/eap[14]: Instantiation failed for module "eap"

If I comment out the private_key_password statement I'm prompted for the password instead:

Enter PEM pass phrase:

Using the same password as specified in private_key_password the startup seems to start ok.

Any suggestions?



./PerW



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Error starting radiusd when specifying private_key_password (INTERNAL)

Alan DeKok-2
On Aug 21, 2020, at 10:06 AM, [hidden email] wrote:
> I've installed FreeRADIUS 3.0.13 on CentOS 7 and generated my own set of CA, intermediate and server certificates using openssl version 1.0.2k-fips.
> Certificates etc. are generated using https://jamielinux.com/docs/openssl-certificate-authority/ modified with info from https://devcentral.f5.com/s/articles/building-an-openssl-certificate-authority-introduction-and-design-considerations-for-elliptical-curves-27720

  That should be fine.

>
>
> I've configured mods-enabled/eap using a private_key_password with a length of 20 characters.
> Starting in debug mode I get error messages:
>
> tls: Failed reading private key file "/etc/raddb/certs/oslo-radius01v4-test.nsc.no.pem"
> tls: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt
> tls: error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error
> tls: error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error
> tls: error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib
> tls: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
> rlm_eap_tls: Failed initializing SSL context
> rlm_eap (EAP): Failed to initialise rlm_eap_tls
> /etc/raddb/mods-enabled/eap[14]: Instantiation failed for module "eap"

  Weird.  There is no limit on the length of the private_key_password.

  Are there special characters in it?  You might need to quote the password, and escape things.  i.e. instead of:

        private_key_password = abcd'def

do

        private_key_password = "abcd'def"

> If I comment out the private_key_password statement I'm prompted for the password instead:
>
> Enter PEM pass phrase:
>
> Using the same password as specified in private_key_password the startup seems to start ok.
>
> Any suggestions?

  We just read the password from the configuration file and pass it to OpenSSL.  There's very little processing done by us.

  Alan DeKok.



RE: Error starting radiusd when specifying private_key_password (INTERNAL)

Per.Weisteen
Hi

Found the error.

Used KeePass to store the passphrase and managed to use auto-type to enter the passphrase when generating the keys. This added some spaces in front of the passphrase itself without me noticing it.


./PerW

> -----Original Message-----
> From: Freeradius-Users <freeradius-users-
> bounces+per.weisteen=[hidden email]> On Behalf Of
> Alan DeKok
> Sent: 23. august 2020 22:49
> To: FreeRadius users mailing list <[hidden email]>
> Subject: Re: Error starting radiusd when specifying private_key_password
> (OPEN)
>
> On Aug 23, 2020, at 3:49 PM, [hidden email] wrote:
> > No special characters, just upper/lower case and numbers. Tried with
> > quotes though, but that didn't work any better.
>
>   That's not good.
>
> > Could I increase debug level and get some more details on the error ?
>
>   Not really.  We just take the password from the configuration file, and pass
> it directly to OpenSSL.  There's really very little which can go wrong here.
>
>   Alan DeKok.
>

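A way to reproduce this failure outside radiusd, as an added example that is not part of the thread and not FreeRADIUS code: rlm_eap_tls hands the private_key_password string to OpenSSL unchanged, so the same decrypt can be tried with openssl(1) directly and the "bad decrypt" error isolated from the rest of the EAP configuration. The script assumes openssl is on PATH; the function names, the /etc/raddb/certs/server.pem path in the usage comment and the demo passphrase (which deliberately carries two leading spaces, the situation found in the last post) are constructed for the example. The demo generates a throwaway EC key, encrypts it with the exact string, and shows that OpenSSL accepts that string and rejects the trimmed one.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeRADIUS: test an encrypted PEM
# private key against a passphrase the way rlm_eap_tls does, i.e. the string is
# handed to OpenSSL with no trimming or other processing.
# Assumes openssl(1) is on PATH. Key paths and passphrases below are constructed.
set -u

# has_edge_whitespace PASSPHRASE
# Returns 0 if the passphrase starts or ends with whitespace (the invisible
# damage a password manager's auto-type can add), 1 otherwise.
has_edge_whitespace() {
    case $1 in
        [[:space:]]*|*[[:space:]]) return 0 ;;
        *) return 1 ;;
    esac
}

# check_key_passphrase KEYFILE PASSPHRASE
# Returns OpenSSL's exit status: 0 if KEYFILE decrypts with PASSPHRASE exactly
# as given. The passphrase goes in on stdin so leading/trailing spaces survive
# and it never appears in the process list.
check_key_passphrase() {
    printf '%s\n' "$2" | openssl pkey -in "$1" -passin stdin -noout >/dev/null 2>&1
}

# make_demo_key DIR PASSPHRASE
# Generates a throwaway prime256v1 key in DIR, encrypts it with PASSPHRASE
# (AES-256 PKCS#8, as a real server key would be) and prints the encrypted path.
make_demo_key() {
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
        -out "$1/plain.pem" >/dev/null 2>&1
    printf '%s\n' "$2" | openssl pkey -in "$1/plain.pem" -aes256 \
        -passout stdin -out "$1/server.key.pem" >/dev/null 2>&1
    echo "$1/server.key.pem"
}

# Stand-alone use:  sh check_key.sh /etc/raddb/certs/server.pem 'passphrase'
# (hypothetical path). With DEMO=1 and no arguments it runs the self-contained
# demonstration of the leading-space problem instead.
if [ $# -eq 2 ]; then
    has_edge_whitespace "$2" && echo "warning: passphrase has leading/trailing whitespace" >&2
    if check_key_passphrase "$1" "$2"; then
        echo "OK: OpenSSL decrypted $1 with the passphrase as given"
    else
        echo "FAIL: bad decrypt for $1 (the same thing radiusd -X reports)" >&2
        exit 1
    fi
elif [ "${DEMO:-0}" = 1 ]; then
    dir=$(mktemp -d)
    key=$(make_demo_key "$dir" "  CorrectHorse123")   # constructed, two leading spaces
    check_key_passphrase "$key" "  CorrectHorse123" && echo "exact string:   OK"
    check_key_passphrase "$key" "CorrectHorse123"   || echo "trimmed string: bad decrypt"
    rm -rf "$dir"
fi
```

If the two-argument form reports OK while radiusd -X still fails, the string in the configuration file is not the one being tested; compare the two byte for byte (for example with od -c) rather than by eye, since exactly this kind of whitespace is invisible in an editor.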