FreeRadius CA Validation Broken 2.4.5

strangegopher

@johnpoz

openssl pkcs12 -export -certfile Radius+CA.crt -in sg.crt -inkey sg.key -out sg.p12

strangegopher

@johnpoz just tested cert again, this time i didn't enter fqdn/hostname and it worked! I just wish CA validation worked.

johnpoz

Have no idea why you say it doesn't are you saying freerad throws error when you enable it - or that you can not auth?? I can not actually test until get home... But freerad doesn't have any problem with me turning on the CA and just putting in its CN.

strangegopher

It does not auth, it throws an error that the CA attributes don't match and then prints the attributes it is checking against and the attributes it sees.

johnpoz

When does it throw that error - when client actually tries and auths.

strangegopher

Mon Oct 29 15:05:57 2018 : Auth: tls: Certificate issuer (/CN=test.ma/C=CA/ST=BC/L=Delta/O=Family) does not match specified value (/C=CA/ST=BC/L=Delta/O=Family/emailAddress=admin@mycompany.com/CN=test.ma)!
Mon Oct 29 15:05:57 2018 : ERROR: (6) eap_tls: ERROR: TLS Alert write:fatal:internal error
Mon Oct 29 15:05:57 2018 : Error: tls: TLS_accept: Error in error
Mon Oct 29 15:05:57 2018 : Auth: (6) Login incorrect (Failed retrieving values required to evaluate condition): [Robin/<via Auth-Type = eap>] (from client LoudBounce port 0 cli 10-CD-B6-03-C4-96) Robin tried to connect
Mon Oct 29 15:06:07 2018 : Auth: tls: Certificate issuer (/CN=test.ma/C=CA/ST=BC/L=Delta/O=Family) does not match specified value (/C=CA/ST=BC/L=Delta/O=Family/emailAddress=admin@mycompany.com/CN=test.ma)!
Mon Oct 29 15:06:07 2018 : ERROR: (12) eap_tls: ERROR: TLS Alert write:fatal:internal error
Mon Oct 29 15:06:07 2018 : Error: tls: TLS_accept: Error in error
Mon Oct 29 15:06:07 2018 : Auth: (12) Login incorrect (Failed retrieving values required to evaluate condition): [Robin/<via Auth-Type = eap>] (from client WarPigeons port 0 cli 10-CD-B6-03-C4-96) Robin tried to connect

strangegopher

maybe empty email should not be treated as admin@mycompany.com

johnpoz

@strangegopher said in FreeRadius CA Validation Broken 2.4.5:

emailAddress=admin@mycompany.com

Yeah where did that come from?? is freerad doing that? Pfsense? Just woke up - have not had time to test yet.. Got to change my wireless to point to the new radius server, etc.

edit: Ok yeah this seems to be something with the freerad package.. .Its pulling info that is not there

Oct 30 03:10:28 	radiusd 	28048 	tls: Certificate issuer (/CN=newfreerad) does not match specified value (/C=US/ST=Texas/L=Austin/O=My Company Ltd/emailAddress=admin@mycompany.com/CN=newfreerad)! 

strangegopher

When I removed freeradius and then CA and all the certs and re-installed it, it auto generated a CA and server cert. Not 100% sure but looks a lot like info in those default certs.

johnpoz

yeah I thought I had posted the default certs... Is in the config.. Posted above - but that info doesn't match what is in the default cert created either.

Looking to see now if you man edit the conf if can be a work around.. The package needs to be adjusted to not check for stuff that is not being used.

johnpoz

Ok.. If you edit the conf directly and restart freerad it works.

Oct 30 03:24:17 	radiusd 	6180 	(12) Login OK: [testiphone245] (from client uap-pro port 0 cli D0-C5-F3-1F-EB-FF) 192.168.2.2 

Going to need to file a bug report on the freerad package.. Not sure who maintains that - but maybe @jimp can help.

Thanks for bringing this up - might have gone unnoticed.. Prob not a lot of people setting up eap-tls ;) With new certs.. I prob would fo updated and still be using my certs and ca from before... Which have all that info in there because it use to be required by the gui.. Since the certs good for like 10 years could of gone awhile before changed ;)

edit: I wonder if that gets loaded in by default on package load.. And just doesn't get overwritten when fields are left blank?

strangegopher

I think that the values are hardcoded in. I tried entering email and then removing the email with same results.

Do you want me to make a bug report or do you want to do it?

johnpoz

There might already be a report of this? Have not had time to check yet. Also be nice if @jimp could chime in on his thoughts on this.. Not sure if he is the specific developer for freerad package - but for sure his insight would be very useful.

But sure go for submitting report - reference this thread for sure.. I also want to take a look at the code for the freerad package.. Might be able to spot where the problem is - that is always helpful in the report. etc.

jimp

It isn't hardcoded but it's trying to use fields that may not exist:

freeradius.inc:1258:		$vareapconfcheckcertissuer = "check_cert_issuer = " . '"' . "/C={$vareapconfcountry}/ST={$vareapconfstate}/L={$vareapconfcity}/O={$vareapconforganization}/emailAddress={$vareapconfemail}/CN={$vareapconfcommonname}" . '"';

Shouldn't be too hard to fix, but does need an issue to track it in Redmine.

strangegopher

Issue created
https://redmine.pfsense.org/issues/9082

jimp

This should be much better now. Give it another try.

strangegopher

@jimp thanks for the fix. It works now.