TLS error 'Failed in proxy receive'


Users mailing list
Hello Guys,

I started seeing below errors related to TLS.

```
Fri Aug 23 09:57:32 2019 : Error: tls: Failed in proxy receive
Fri Aug 23 09:57:32 2019 : Error: tls: error:140F3042:SSL routines:ssl_undefined_const_function:called a function you should not call
Fri Aug 23 09:57:32 2019 : Error: tls: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
Fri Aug 23 09:57:32 2019 : Error: tls: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
Fri Aug 23 09:57:32 2019 : Error: tls: error:140F3042:SSL routines:ssl_undefined_const_function:called a function you should not call
Fri Aug 23 09:57:32 2019 : Error: tls: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
Fri Aug 23 09:57:32 2019 : Error: tls: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
Fri Aug 23 09:57:32 2019 : Error: tls: error:140F3042:SSL routines:ssl_undefined_const_function:called a function you should not call
Fri Aug 23 09:57:32 2019 : Error: tls: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
Fri Aug 23 09:57:32 2019 : Error: tls: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
Fri Aug 23 09:57:32 2019 : Error: tls: error:140F3042:SSL routines:ssl_undefined_const_function:called a function you should not call
Fri Aug 23 09:57:32 2019 : Error: tls: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
Fri Aug 23 09:57:32 2019 : Error: tls: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
```

Any suggestion on this will really help.

Thanks & Regards,
Nitin Sharma    
   


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
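Added example (not part of the original thread, and not FreeRADIUS or OpenSSL code): a small Python triage script that decodes the packed OpenSSL error codes in log lines like the ones posted above and counts each distinct error. The function names and the sample log are constructed for illustration; the bit layout used is that of the OpenSSL 1.0.x/1.1.x series.

```python
import re
from collections import Counter

# Constructed sample in the same format as the log excerpt in the thread.
SAMPLE_LOG = """\
Fri Aug 23 09:57:32 2019 : Error: tls: Failed in proxy receive
Fri Aug 23 09:57:32 2019 : Error: tls: error:140F3042:SSL routines:ssl_undefined_const_function:called a function you should not call
Fri Aug 23 09:57:32 2019 : Error: tls: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
Fri Aug 23 09:57:32 2019 : Error: tls: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
"""

# "<timestamp> : Error: tls: error:<8 hex digits>:<library>:<function>:<reason>"
ERR_RE = re.compile(
    r"^(?P<ts>.+?) : Error: tls: error:(?P<code>[0-9A-Fa-f]{8}):"
    r"(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>.*)$"
)

def unpack(code_hex):
    """Split a packed OpenSSL 1.0.x/1.1.x error code into (lib, func, reason).

    Layout in those series: 8 bits library, 12 bits function, 12 bits reason.
    """
    e = int(code_hex, 16)
    return (e >> 24) & 0xFF, (e >> 12) & 0xFFF, e & 0xFFF

def summarize(log_text):
    """Return one record per distinct OpenSSL error, most frequent first."""
    counts = Counter()
    for line in log_text.splitlines():
        m = ERR_RE.match(line.strip())
        if m:
            counts[(m["code"].upper(), m["func"], m["reason"])] += 1
    records = []
    for (code, func, reason), n in counts.most_common():
        lib_no, func_no, reason_no = unpack(code)
        records.append({
            "code": code, "count": n, "function": func, "reason": reason,
            "lib": lib_no, "func_no": func_no, "reason_no": reason_no,
            # Reason numbers below 100 are OpenSSL's generic ERR_R_* codes,
            # not library-specific ones such as SSL_R_*.
            "generic_reason": reason_no < 100,
        })
    return records

if __name__ == "__main__":
    for rec in summarize(SAMPLE_LOG):
        print(rec)
```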

Re: TLS error 'Failed in proxy receive'

Alan DeKok-2
On Aug 23, 2019, at 6:18 AM, Sharma, Nitin via Freeradius-Users <[hidden email]> wrote:

  Please don't CC me on messages to the list.  In case you hadn't noticed, I *am* subscribed to the list.

> I started seeing below errors related to TLS.

  So... what changed?  Software doesn't magically change its behaviour.

  And what versions are you running?  i.e. FreeRADIUS, OpenSSL, etc.

> ```
> Fri Aug 23 09:57:32 2019 : Error: tls: Failed in proxy receive
> Fri Aug 23 09:57:32 2019 : Error: tls: error:140F3042:SSL routines:ssl_undefined_const_function:called a function you should not call
> Fri Aug 23 09:57:32 2019 : Error: tls: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
> Fri Aug 23 09:57:32 2019 : Error: tls: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
> Fri Aug 23 09:57:32 2019 : Error: tls: error:140F3042:SSL routines:ssl_undefined_const_function:called a function you should not call
> Fri Aug 23 09:57:32 2019 : Error: tls: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
> Fri Aug 23 09:57:32 2019 : Error: tls: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
> Fri Aug 23 09:57:32 2019 : Error: tls: error:140F3042:SSL routines:ssl_undefined_const_function:called a function you should not call
> Fri Aug 23 09:57:32 2019 : Error: tls: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
> Fri Aug 23 09:57:32 2019 : Error: tls: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
> Fri Aug 23 09:57:32 2019 : Error: tls: error:140F3042:SSL routines:ssl_undefined_const_function:called a function you should not call
> Fri Aug 23 09:57:32 2019 : Error: tls: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
> Fri Aug 23 09:57:32 2019 : Error: tls: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
> ```
>
> Any suggestion on this will really help.

  Upgrade OpenSSL to a version that isn't broken.

  There's a commit in OpenSSL from 2016 that fixes this issue.

https://github.com/openssl/openssl/commit/64193c8218540499984cd63cda41f3cd491f3f59

  Alan DeKok.



Re: TLS error 'Failed in proxy receive'

Users mailing list
Hello Alan,

Thanks for the response.
I am running the latest version of OpenSSL and the radius version is 3.0.19.

openssl-1.0.2k-16.amzn2.1.1.x86_64
freeradius-3.0.19-2.amzn2.x86_64

Thanks & Regards,
Nitin Sharma


Re: TLS error 'Failed in proxy receive'

arr2036


> On Sep 26, 2019, at 2:19 AM, Sharma, Nitin via Freeradius-Users <[hidden email]> wrote:
>
> Hello Alan,
>
> Thanks for the response.
> I am running latest version of OpenSSL and radius version is 3.0.19.
>
> openssl-1.0.2k-16.amzn2.1.1.x86_64

The latest version of OpenSSL is 1.1.1d.  The latest version of OpenSSL in the 1.0.2 series is now OpenSSL 1.0.2t.

-Arran



Re: TLS error 'Failed in proxy receive'

Users mailing list
Hello Arran,

Thanks for the response. We are seeing these errors only when we add the virtual server detail below.

```
listen {
    ipaddr = *
    port = 2083
    type = auth+acct
    proto = tcp
    virtual_server = default
    clients = radsec
    limit {
        max_connections = 0
        lifetime = 0
        idle_timeout = 300
    }
    tls {
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.crt
        ca_file = ${cadir}/CA_list.pem
        dh_file = ${certdir}/dh
        fragment_size = 8192
        ca_path = ${cadir}
        cipher_list = "DEFAULT"
        cache {
            enable = no
            lifetime = 24
            max_entries = 255
        }
        require_client_cert = yes

        verify {
        }
    }
}
clients radsec {
    client ALL {
        ipaddr = 0.0.0.0
        proto = tls
        secret = <MASKED>
    }
}
```

Not sure what is wrong with this config.

Thanks & Regards,
Nitin Sharma


Re: TLS error 'Failed in proxy receive'

Alan Buxey
In reply to this post by Users mailing list
hi,

have you stripped the secret from your private key? (I see no call for
the private key passphrase in your config)

I think this is some nice protocol mismatch going on - SSLv2 being
negotiated when v3 expected or somesuch.

I would suggest running in higher debug mode to see what's going on on
that connection but maybe use
a tighter CIPHER_LIST to avoid old methods anyway - "HIGH" is a good
starting point if you have control over clients.

alan


Re: TLS error 'Failed in proxy receive'

Nitin Sharma
In reply to this post by Users mailing list
Can somebody please help with this issue?

Thanks,
Nitin


Re: TLS error 'Failed in proxy receive'

Alan DeKok-2
On Oct 1, 2019, at 8:28 AM, Nitin Sharma <[hidden email]> wrote:
>
> Can somebody please help with this issue ?

  We tried.

  The configuration is fine.  You're using a version of OpenSSL which is broken.

  Use the latest OpenSSL.  Use the latest FreeRADIUS.

  Alan DeKok.

