RE: Error starting radiusd when specifying private_key_password (OPEN)


RE: Error starting radiusd when specifying private_key_password (OPEN)

Per.Weisteen

Hi Alan and thanks for your response.


> -----Original Message-----
> From: Freeradius-Users <freeradius-users-
> bounces+per.weisteen=[hidden email]> On Behalf Of
> Alan DeKok
> Sent: 21. august 2020 17:30
> To: FreeRadius users mailing list <[hidden email]>
> Subject: Re: Error starting radiusd when specifying private_key_password
> (INTERNAL)
>
> On Aug 21, 2020, at 10:06 AM, [hidden email] wrote:
> > I've installed FreeRADIUS 3.0.13 on CentOS 7 and generated my own set of
> CA, intermediate and server certificates using openssl version 1.0.2k-fips.
> > Certificates etc. are generated using
> > https://jamielinux.com/docs/openssl-certificate-authority/ modified
> > with info from
> > https://devcentral.f5.com/s/articles/building-an-openssl-certificate-a
> > uthority-introduction-and-design-considerations-for-elliptical-curves-
> > 27720
>
>   That should be fine.
>
> >
> >
> > I've configured mods-enabled/eap using a private_key_password with a
> length of 20 characters.
> > Starting in debug mode I get error messages:
> >
> > tls: Failed reading private key file "/etc/raddb/certs/oslo-radius01v4-
> test.nsc.no.pem"
> > tls: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad
> > decrypt
> > tls: error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12
> > cipherfinal error
> > tls: error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe
> > crypt error
> > tls: error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib
> > tls: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
> > rlm_eap_tls: Failed initializing SSL context rlm_eap (EAP): Failed to
> > initialise rlm_eap_tls
> > /etc/raddb/mods-enabled/eap[14]: Instantiation failed for module "eap"
>
>   Weird.  There is no limit on the length of the private_key_password.
>
>   Are there special characters in it?  You might need to quote the password,
> and escape things.  i.e. instead of:
>
> private_key_password = abcd'def
>
> do
>
> private_key_password = "abc'def"
>

No special characters, just upper/lower case and numbers. Tried with quotes though but that didn't work any better.

Could I increase debug level and get some more details on the error?



> > If I comment out the private_key_password statement I'm prompted for
> the password instead:
> >
> > Enter PEM pass phrase:
> >
> > Using the same password as specified in private_key_password the startup
> seems to start ok.
> >
> > Any suggestions?
>
>   We just read the password from the configuration file and pass it to
> OpenSSL.  There's very little processing done by us.
>
>   Alan DeKok.
>

Per Weisteen


>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html


Re: Error starting radiusd when specifying private_key_password (OPEN)

Alan DeKok-2
On Aug 23, 2020, at 3:49 PM, [hidden email] wrote:
> No special characters, just upper/lower case and numbers. Tried with quotes though but that didn't work any better.

  That's not good.

> Could I increase debug level and get some more details on the error?

  Not really.  We just take the password from the configuration file, and pass it directly to OpenSSL.  There's really very little which can go wrong here.

  Alan DeKok.
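
Since the server hands the configured value to OpenSSL unchanged, the same value can be tested against the key with the openssl CLI outside radiusd. The script below is an added example, not part of the thread and not FreeRADIUS code; the function names, the sample passphrase and the file names are constructed, and the config parsing is a simplification that handles no escapes.

```shell
#!/bin/sh
# Added example, not FreeRADIUS code. Paths and passphrases are constructed.

# Return 0 if passphrase $2 decrypts the PEM private key $1. The passphrase
# goes through the environment, so it never appears on a command line.
key_opens_with() {
    KEYPASS="$2" openssl pkey -in "$1" -passin env:KEYPASS -noout 2>/dev/null
}

# Print the raw private_key_password value from config file $1 (first match),
# minus one pair of surrounding double quotes. Simplified: no escape handling.
conf_passphrase() {
    sed -n 's/^[[:space:]]*private_key_password[[:space:]]*=[[:space:]]*//p' "$1" |
        head -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# Dump a value byte by byte so a trailing space, CR or non-ASCII byte shows up.
show_bytes() {
    printf '%s' "$1" | od -An -c
}

# Build a constructed encrypted EC key and a matching config line in dir $1.
make_sample() {
    KEYPASS='Abc123Def456Ghi789Jk' openssl genpkey -algorithm EC \
        -pkeyopt ec_paramgen_curve:prime256v1 -aes-256-cbc \
        -pass env:KEYPASS -out "$1/server.pem" 2>/dev/null || return 1
    printf '\tprivate_key_password = "Abc123Def456Ghi789Jk"\n' > "$1/eap"
}

# Usage: sh check.sh KEY.pem EAP_CONFIG
if [ $# -eq 2 ]; then
    pass=$(conf_passphrase "$2")
    show_bytes "$pass"
    if key_opens_with "$1" "$pass"; then
        echo "passphrase from $2 decrypts $1"
    else
        echo "passphrase from $2 does NOT decrypt $1"
        exit 1
    fi
fi
```

The byte dump makes it possible to compare what is stored in the file with what was typed at the `Enter PEM pass phrase:` prompt.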

