Netgate Discussion Forum

    FreeRadius CA Validation Broken 2.4.5

    pfSense Packages
    • S
      strangegopher
      last edited by strangegopher

      Hey,
      I am on dev snapshot and tried to create a new CA and certs for eap-tls on radius server on pfsense.

      CA Validation is broken due to the lack of an email address field in CA generation; I am not able to validate the CA in the FreeRADIUS settings that require that option. I also tried manually generating a CA with an email address using openssl, and again, due to the latest openssl changes, I was not able to verify the CA, as the order in which the CA fields were presented was not correct (email and common name were switched, I think). Leaving email empty in the FreeRADIUS settings does not work either.

      Can someone else recreate this bug?

      PS: Even after turning off CA Validation and being able to log in from my Chromebook and Windows laptop, I wasn't able to import the .p12/.pfx file on iOS (after manually adding a password) and Android. Both platforms didn't recognize the file type. I didn't have this problem with old .p12 files in 2.4.4.

      Did anything change in latest snapshots that broke certs for freeradius?

      The only reason I am having all these difficulties is because I set the cert expiry to 1 year. Big mistake.

      Thanks.

      • jimpJ
        jimp Rebel Alliance Developer Netgate
        last edited by

        Did you add the e-mail address as a SAN on the certificate?

        We removed the email subject field in 2.4.4 because it had been deprecated for years. Current requirements say an e-mail address must be a SAN entry, not a part of the subject.

        0_1540832904090_Selection_101.jpg

        From https://tools.ietf.org/html/rfc5280#section-4.1.2.6:

        Legacy implementations exist where an electronic mail address is
        embedded in the subject distinguished name as an emailAddress
        attribute [RFC2985]. The attribute value for emailAddress is of type
        IA5String to permit inclusion of the character '@', which is not part
        of the PrintableString character set. emailAddress attribute values
        are not case-sensitive (e.g., "subscriber@example.com" is the same as
        "SUBSCRIBER@EXAMPLE.COM").

        Conforming implementations generating new certificates with
        electronic mail addresses MUST use the rfc822Name in the subject
        alternative name extension (Section 4.2.1.6) to describe such
        identities. Simultaneous inclusion of the emailAddress attribute in
        the subject distinguished name to support legacy implementations is
        deprecated but permitted.

        I haven't tried that with FreeRADIUS, but if that doesn't work, it needs to be taken upstream to FreeRADIUS and fixed there.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        • S
          strangegopher @jimp
          last edited by

          @jimp yes, I added the email to the certificate. I switched back to PSK auth for wifi after failing to get the .p12 file recognized on Android and iOS. I just wanted to document the issue here, as I know most people won't be able to get EAP-TLS to work on mobile devices anymore, especially with CA validation.

          • johnpozJ
            johnpoz LAYER 8 Global Moderator
            last edited by johnpoz

            @strangegopher said in FreeRadius CA Validation Broken 2.4.5:

            I know most people won't be able to get eap-tls to work on mobile devices anymore

            Why is that - because they removed the email that you can just add via SAN? Confused.. The email address has zero to do with eap-tls working..

            Are you saying the client can not import the .p12 file? I can for sure fire up a 2.4.5 snapshot and create a CA, create a cert, and see if I can import it into my iPhone.

            Leaving email empty in freeradius settings does not work either.

            So you're saying freerad is still looking for this, does not accept it when it's a SAN, and that is why you can not set up freerad in 2.4.5 for eap-tls?

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.7.2, 24.11

            • S
              strangegopher
              last edited by strangegopher

              Sorry for being a bit confusing.
              I have 2 different issues.
              The main issue is that I cannot import the .p12 on my iOS 12.0.1 or Android 9 October update. Windows and Chromebook have no issues.
              Second issue is not being able to do CA validation and that is due to email address being no longer supported in the GUI. But freeradius requires email for validation, I guess that is freeradius issue.
              Edit: Can a CA have email address via SAN? As far as I can see only email for certs can be added via SAN. If that is the case freeradius is not checking email field properly.

              If you are going to test on iOS you need to first download the private key and cert and generate .p12 with a password.

              • johnpozJ
                johnpoz LAYER 8 Global Moderator
                last edited by johnpoz

                Yeah, I know how to do it on iOS ;) Been running eap-tls with freerad running on pfSense for a few years..

                Have to fire up copy of pfsense on latest snap to give this a go..

                edit: ok vm is booting latest 2.4.5 snap.. Will install the freerad package and see what happens.

                Ok so when I installed freerad it put in its own CA and server cert.. I just created a new one.. And freerad let me just leave the stuff I'm not using blank.. And didn't throw any errors

                0_1540843843114_newca.png

                • johnpozJ
                  johnpoz LAYER 8 Global Moderator
                  last edited by

                  So far, dude, not having any issues. Just installed the cert signed by the CA on my phone without any problems - nothing has any emails on it.

                  0_1540845586690_Image-1.jpg

                  • S
                    strangegopher
                    last edited by

                    That's good that you got it to work. I am going to try again.

                    • johnpozJ
                      johnpoz LAYER 8 Global Moderator
                      last edited by

                      I won't be able to test it until I get home.. But I can install the cert, and freerad didn't complain about the CA with only the CN put in.. Left all the other fields blank.

                      What openssl cmd are you using to add the password?

                      • S
                        strangegopher @johnpoz
                        last edited by strangegopher

                        @johnpoz

                        openssl pkcs12 -export -certfile Radius+CA.crt -in sg.crt -inkey sg.key -out sg.p12
                        • S
                          strangegopher
                          last edited by

                          @johnpoz just tested the cert again, this time I didn't enter the FQDN/hostname and it worked! I just wish CA validation worked.

                          • johnpozJ
                            johnpoz LAYER 8 Global Moderator
                            last edited by

                            Have no idea why you say it doesn't. Are you saying freerad throws an error when you enable it, or that you can not auth?? I can not actually test until I get home... But freerad doesn't have any problem with me turning on the CA and just putting in its CN.

                            • S
                              strangegopher
                              last edited by

                              It does not auth, it throws an error that the CA attributes don't match and then prints the attributes it is checking against and the attributes it sees.

                              • johnpozJ
                                johnpoz LAYER 8 Global Moderator
                                last edited by johnpoz

                                When does it throw that error - when the client actually tries to auth?

                                0_1540847513852_CAvalidation.png

                                • S
                                  strangegopher
                                  last edited by

                                  0_1540850903279_Annotation.png

                                  Mon Oct 29 15:05:57 2018 : Auth: tls: Certificate issuer (/CN=test.ma/C=CA/ST=BC/L=Delta/O=Family) does not match specified value (/C=CA/ST=BC/L=Delta/O=Family/emailAddress=admin@mycompany.com/CN=test.ma)!
                                  Mon Oct 29 15:05:57 2018 : ERROR: (6) eap_tls: ERROR: TLS Alert write:fatal:internal error
                                  Mon Oct 29 15:05:57 2018 : Error: tls: TLS_accept: Error in error
                                  Mon Oct 29 15:05:57 2018 : Auth: (6) Login incorrect (Failed retrieving values required to evaluate condition): [Robin/<via Auth-Type = eap>] (from client LoudBounce port 0 cli 10-CD-B6-03-C4-96) Robin tried to connect
                                  Mon Oct 29 15:06:07 2018 : Auth: tls: Certificate issuer (/CN=test.ma/C=CA/ST=BC/L=Delta/O=Family) does not match specified value (/C=CA/ST=BC/L=Delta/O=Family/emailAddress=admin@mycompany.com/CN=test.ma)!
                                  Mon Oct 29 15:06:07 2018 : ERROR: (12) eap_tls: ERROR: TLS Alert write:fatal:internal error
                                  Mon Oct 29 15:06:07 2018 : Error: tls: TLS_accept: Error in error
                                  Mon Oct 29 15:06:07 2018 : Auth: (12) Login incorrect (Failed retrieving values required to evaluate condition): [Robin/<via Auth-Type = eap>] (from client WarPigeons port 0 cli 10-CD-B6-03-C4-96) Robin tried to connect
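The mismatch lines above only say that the issuer seen on the client certificate differs from the value FreeRADIUS was configured to check; they do not say which attribute is to blame. The following is an added diagnostic (not code from this thread, from the FreeRADIUS project, or from the pfSense package) that parses such lines, splits both one-line DNs into attribute/value pairs, and reports what is missing, extra, different, or merely reordered. It also flags an emailAddress attribute in either DN, since jimp's RFC 5280 quote earlier in the thread says new certificates must carry e-mail addresses as an rfc822Name SAN rather than in the subject. The regex, the function names, and the simple "/"-split DN parser are assumptions of this example; the sample log lines are copied from this thread.

```python
import re
from typing import Dict, List, Tuple

# Shape of the rlm_eap_tls message quoted in this thread (regex is this example's own).
MISMATCH_RE = re.compile(
    r"Certificate issuer \((?P<seen>[^)]*)\) does not match specified value "
    r"\((?P<expected>[^)]*)\)"
)

# Sample input: the two mismatch lines and one unrelated line, copied from the thread.
SAMPLE_LOG = """\
Mon Oct 29 15:05:57 2018 : Auth: tls: Certificate issuer (/CN=test.ma/C=CA/ST=BC/L=Delta/O=Family) does not match specified value (/C=CA/ST=BC/L=Delta/O=Family/emailAddress=admin@mycompany.com/CN=test.ma)!
Mon Oct 29 15:05:57 2018 : ERROR: (6) eap_tls: ERROR: TLS Alert write:fatal:internal error
Oct 30 03:10:28 \tradiusd \t28048 \ttls: Certificate issuer (/CN=newfreerad) does not match specified value (/C=US/ST=Texas/L=Austin/O=My Company Ltd/emailAddress=admin@mycompany.com/CN=newfreerad)!
"""


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an OpenSSL one-line DN ("/C=CA/ST=BC/...") into ordered (attr, value) pairs.

    Assumes attribute values contain no "/" (true for every DN in this thread).
    """
    pairs = []
    for part in dn.strip("/").split("/"):
        if not part:
            continue
        attr, _, value = part.partition("=")
        pairs.append((attr, value))
    return pairs


def diff_issuer(seen: str, expected: str) -> Dict[str, object]:
    """Explain why two one-line DNs differ, attribute by attribute."""
    seen_pairs, exp_pairs = parse_dn(seen), parse_dn(expected)
    seen_map, exp_map = dict(seen_pairs), dict(exp_pairs)
    # Relative order of the attributes both DNs share; a string comparison
    # of the DNs fails even when only this order differs.
    seen_order = [a for a, _ in seen_pairs if a in exp_map]
    exp_order = [a for a, _ in exp_pairs if a in seen_map]
    return {
        "missing_from_cert": [(a, v) for a, v in exp_pairs if a not in seen_map],
        "extra_in_cert": [(a, v) for a, v in seen_pairs if a not in exp_map],
        "value_mismatch": [
            (a, seen_map[a], exp_map[a])
            for a, _ in exp_pairs
            if a in seen_map and seen_map[a] != exp_map[a]
        ],
        "order_differs": seen_order != exp_order,
        # RFC 5280 4.1.2.6: emailAddress in the subject DN is deprecated; use an rfc822Name SAN.
        "deprecated_subject_email": any(a == "emailAddress" for a, _ in seen_pairs + exp_pairs),
    }


def analyze_log(text: str) -> List[Dict[str, object]]:
    """Return one finding per issuer-mismatch line; other lines are ignored."""
    findings = []
    for line in text.splitlines():
        m = MISMATCH_RE.search(line)
        if m:
            findings.append(
                {"seen": m["seen"], "expected": m["expected"],
                 "diff": diff_issuer(m["seen"], m["expected"])}
            )
    return findings


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f"cert issuer : {f['seen']}")
        print(f"configured  : {f['expected']}")
        for key, val in f["diff"].items():
            print(f"  {key}: {val}")
```

Run against the thread's own lines, the first finding reports that only emailAddress=admin@mycompany.com is missing from the certificate and that the shared attributes appear in a different order; the second reports that C, ST, L, O and emailAddress were all expected but never put into the CA, which is the "pulling info that is not there" behaviour discussed below.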
                                  • S
                                    strangegopher @strangegopher
                                    last edited by

                                    maybe empty email should not be treated as admin@mycompany.com

                                    • johnpozJ
                                      johnpoz LAYER 8 Global Moderator
                                      last edited by johnpoz

                                      @strangegopher said in FreeRadius CA Validation Broken 2.4.5:

                                      emailAddress=admin@mycompany.com

                                      Yeah, where did that come from?? Is freerad doing that? pfSense? Just woke up - have not had time to test yet.. Got to change my wireless to point to the new radius server, etc.

                                      edit: Ok yeah, this seems to be something with the freerad package.. It's pulling info that is not there

                                      Oct 30 03:10:28 	radiusd 	28048 	tls: Certificate issuer (/CN=newfreerad) does not match specified value (/C=US/ST=Texas/L=Austin/O=My Company Ltd/emailAddress=admin@mycompany.com/CN=newfreerad)! 
                                      

                                      • S
                                        strangegopher
                                        last edited by

                                        When I removed freeradius and then CA and all the certs and re-installed it, it auto generated a CA and server cert. Not 100% sure but looks a lot like info in those default certs.

                                        • johnpozJ
                                          johnpoz LAYER 8 Global Moderator
                                          last edited by johnpoz

                                          yeah I thought I had posted the default certs... Is in the config.. Posted above - but that info doesn't match what is in the default cert created either.

                                          0_1540887486556_eapconf.png

                                          Looking to see now if you can manually edit the conf, if that can be a workaround.. The package needs to be adjusted to not check for stuff that is not being used.

                                          • johnpozJ
                                            johnpoz LAYER 8 Global Moderator
                                            last edited by johnpoz

                                            Ok.. If you edit the conf directly and restart freerad it works.

                                            Oct 30 03:24:17 	radiusd 	6180 	(12) Login OK: [testiphone245] (from client uap-pro port 0 cli D0-C5-F3-1F-EB-FF) 192.168.2.2 
                                            

                                            0_1540887987099_newconf.png

                                            Going to need to file a bug report on the freerad package.. Not sure who maintains that - but maybe @jimp can help.

                                            Thanks for bringing this up - might have gone unnoticed.. Prob not a lot of people setting up eap-tls ;) with new certs.. I prob would have updated and still be using my certs and CA from before... which have all that info in there because it used to be required by the GUI.. Since the certs are good for like 10 years, it could have gone a while before being changed ;)

                                            edit: I wonder if that gets loaded in by default on package load.. And just doesn't get overwritten when fields are left blank?

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.