[Eisfair_dev] ssl problems with freeradius certificates again (was: Ntop with ssl problem after base update)

Stephan Manske usenet-reply at stephan.manske-net.de
Wed Jan 2 23:21:53 CET 2013


holgerbruenjes at gmx.net (Holger Bruenjes) wrote:
> On 2013-01-02 03:04, User Name wrote:

> > | /usr/local/ntop/ntop: error while loading shared libraries: libssl.so.0.9.7: cannot open shared object file: No such file or directory
> 
> libssl.so.0.9.7 is no longer included in the package.
> 
> That version has not been maintained for years, which is why I
> removed it for security reasons.
> To keep the programs alive during the transition, until they have
> been recompiled, you can download the old package from Pack-Eis.

Thanks.

I don't need ntop urgently enough to install security holes for it.


It's just that with one of the latest updates the certificate problem
with freeradius has come back :-(


I recompiled and reinstalled the freeradius package completely against
the new libs, but it stays the same: from one day to the next the
certificates are no longer accepted :-(


 (/usr/sbin)# ldd radiusd
        linux-gate.so.1 =>  (0xffffe000)
        libfreeradius-radius-2.2.0.so => /usr/lib/libfreeradius-radius-2.2.0.so (0xb7797000)
        libnsl.so.1 => /lib/libnsl.so.1 (0xb7781000)
        libresolv.so.2 => /lib/libresolv.so.2 (0xb776f000)
        libpthread.so.0 => /lib/libpthread.so.0 (0xb7758000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0xb7726000)
        libltdl.so.3 => /usr/lib/libltdl.so.3 (0xb771f000)
        libssl.so.1.0.0 => /usr/lib/libssl.so.1.0.0 (0xb76cb000)
        libcrypto.so.1.0.0 => /usr/lib/libcrypto.so.1.0.0 (0xb7565000)
        libdl.so.2 => /lib/libdl.so.2 (0xb7561000)
        libc.so.6 => /lib/libc.so.6 (0xb7431000)
        /lib/ld-linux.so.2 (0xb77c2000)
        libz.so.1 => /usr/lib/libz.so.1 (0xb741d000)

 (/usr/lib)# ldd libfreeradius-radius-2.2.0.so
        linux-gate.so.1 =>  (0xffffe000)
        libc.so.6 => /lib/libc.so.6 (0xb766a000)
        /lib/ld-linux.so.2 (0xb77c5000)


 (/usr/lib)# ldd libfreeradius-eap-2.2.0.so
        linux-gate.so.1 =>  (0xffffe000)
        libfreeradius-radius-2.2.0.so => /usr/lib/libfreeradius-radius-2.2.0.so (0xb7710000)
        libnsl.so.1 => /lib/libnsl.so.1 (0xb76fa000)
        libresolv.so.2 => /lib/libresolv.so.2 (0xb76e8000)
        libpthread.so.0 => /lib/libpthread.so.0 (0xb76d1000)
        libc.so.6 => /lib/libc.so.6 (0xb75a1000)
        /lib/ld-linux.so.2 (0xb7744000)




and here the (hopefully appropriately) trimmed debug output:


Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.x.x port 2049, id=2, length=141
        User-Name = "User Name"
        NAS-IP-Address = 192.168.x.x

# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "User Name", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 19
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry User Name at line 8
[files]         expand: Hello, %{User-Name} -> Hello, User Name
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled

[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/tls
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 2 to 192.168.x.x port 2049
        Reply-Message = "Hello, User Name"
        EAP-Message = 0x010200060d20
        Message-Authenticator = 0x00000000000000000000000000xx
        State = 0x7d1f9f227c1d92c8e39xxxxxxxxx
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.x.x port 2049, id=2, length=227

[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry User Name at line 8
[files]         expand: Hello, %{User-Name} -> Hello, User Name
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
  TLS Length 77
[tls] Length Included
[tls] eaptls_verify returned 11
[tls]     (other): before/accept initialization
[tls]     TLS_accept: before/accept initialization
[tls] <<< TLS 1.0 Handshake [length 0048], ClientHello
[tls]     TLS_accept: SSLv3 read client hello A
[tls] >>> TLS 1.0 Handshake [length 0031], ServerHello
[tls]     TLS_accept: SSLv3 write server hello A
[tls] >>> TLS 1.0 Handshake [length 08bb], Certificate
[tls]     TLS_accept: SSLv3 write certificate A
[tls] >>> TLS 1.0 Handshake [length 00b8], CertificateRequest
[tls]     TLS_accept: SSLv3 write certificate request A
[tls]     TLS_accept: SSLv3 flush data
[tls]     TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[tls] eaptls_process returned 13
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
  TLS Length 77
[tls] Length Included
[tls] eaptls_verify returned 11
[tls]     (other): before/accept initialization
[tls]     TLS_accept: before/accept initialization
[tls] <<< TLS 1.0 Handshake [length 0048], ClientHello
[tls]     TLS_accept: SSLv3 read client hello A
[tls] >>> TLS 1.0 Handshake [length 0031], ServerHello
[tls]     TLS_accept: SSLv3 write server hello A
[tls] >>> TLS 1.0 Handshake [length 08bb], Certificate
[tls]     TLS_accept: SSLv3 write certificate A
[tls] >>> TLS 1.0 Handshake [length 00b8], CertificateRequest
[tls]     TLS_accept: SSLv3 write certificate request A
[tls]     TLS_accept: SSLv3 flush data
[tls]     TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 2 to 192.168.x.x port 2049
        Reply-Message = "Hello, User Name"
        EAP-Message = 0x010304000dc0000009b316030100310200002d030150e4ae0ed21d8
        EAP-Message = 0x3017060355040313104d616e736b6520526164697573204341301e1
        EAP-Message = 0xce7ab5f8c7edc84656371d677436108b21313e1ea308f55566b8684
        EAP-Message = 0x25040c300a06082b06010505070301300d06092a864886f70d01010
        EAP-Message = 0xb12f24c809d9d
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x7d1f9f227f1c92c8e3xxxxxx
Finished request 2.
Going to the next request

[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated

Sending Access-Challenge of id 2 to 192.168.x.x port 2049
        Reply-Message = "Hello, User Name"
        EAP-Message = 0x010404000dc0000009b3301
        EAP-Message = 0x3130323136313231325a17:
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake fragment handler
[tls] eaptls_verify returned 1
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 2 to 192.168.x.x port 2049
        Reply-Message = "Hello, User Name"
        EAP-Message = 0x010404000dc0000009bxxxxxx
        EAP-Message = 0xfdf4cec951566e50d17
        EAP-Message = 0xca21c0f495c75a3a13d
        EAP-Message = 0x01ff300d06092a86488
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x7d1f9f227e1b92c8e39
Finished request 3.
Going to the next request

etc.



and here is where it seems to get interesting:



# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] eaptls_verify returned 7
[tls] Done initial handshake
[tls] <<< TLS 1.0 Handshake [length 03de], Certificate
[tls] chain-depth=1,
[tls] error=0
[tls] --> User-Name = User Name
[tls] --> BUF-Name = Radius CA
[tls] --> subject = /C=DE/ST=Somewhere/L=Somewhere/O=Manske EIS/OU=Radius_Managment/emailAddress=radius at xxxx
[tls] --> issuer  = /C=DE/ST=Somewhere/L=Somewhere/O=Manske EIS/OU=Radius_Managment/emailAddress=radius at xxxx
[tls] --> verify return:1
--> verify error:num=7:certificate signature failure
[tls] >>> TLS 1.0 Alert [length 0002], fatal decrypt_error
TLS Alert write:fatal:decrypt error
    TLS_accept: error in SSLv3 read client certificate B
rlm_eap: SSL error error:04067084:rsa routines:RSA_EAY_PUBLIC_DECRYPT:data too large for modulus
SSL: SSL_read failed inside of TLS (-1), TLS session fails.
TLS receive handshake failed during operation
[tls] eaptls_process returned 4
[eap] Handler failed in EAP/tls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect (certificate signature failure): [User Name/<via Auth-Type = EAP>] (from client xxxx
Using Post-Auth-Type REJECT
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> User Name
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 6 for 2 seconds
Going to the next request
Waking up in 0.9 seconds.
Waking up in 0.9 seconds.
Sending delayed reject for request 6
Sending Access-Reject of id 2 to 192.168.x.x port 2049


Ciao, Stephan

-- 
E-Mail: stephan at manske-net.de - WWW: http://stephan.manske-net.de/     //
                                                          PGP 2.6.3i \X/
ALITALIA:       Arrival Late In Thunis - All Luggage in Athens
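The log above ends with two messages: the X.509 verify error `num=7` (certificate signature failure) at `chain-depth=1`, and the OpenSSL error stack entry `RSA_EAY_PUBLIC_DECRYPT:data too large for modulus`. Both are what OpenSSL produces when a certificate's signature is checked against a public key that is not the key it was signed with, for example a CA certificate that was re-generated under the same subject name with a new (here: smaller) key. The script below is an added example, not code from the thread, from freeradius or from eisfair; it reproduces that condition offline with plain `openssl` so the check can be run on a copy of the CA file and a client certificate before touching radiusd. All subjects, directory names and key sizes are constructed for the demo; the thread itself does not say which of these applies to the poster's setup.

```shell
#!/bin/sh
# Added example (not from the thread or from freeradius): check an EAP-TLS
# client certificate against the CA the server trusts, using only openssl.
# It builds a constructed CA, issues a client cert from it, verifies the cert
# (the same check radiusd performs at chain-depth=1), then verifies it against
# a CA re-generated with a different key under the same subject name.
set -eu

WORK="${TMPDIR:-/tmp}/eap-tls-check.$$"
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/ca-old" "$WORK/ca-new" "$WORK/client"

# make_ca DIR SUBJECT BITS : self-signed CA certificate and private key
make_ca() {
    openssl req -x509 -newkey "rsa:$3" -nodes -days 3650 \
        -subj "$2" -keyout "$1/ca.key" -out "$1/ca.pem" >/dev/null 2>&1
}

# issue_client CADIR OUTDIR SUBJECT : client key + CSR, signed by that CA
issue_client() {
    openssl req -newkey rsa:2048 -nodes -subj "$3" \
        -keyout "$2/client.key" -out "$2/client.csr" >/dev/null 2>&1
    openssl x509 -req -days 365 -in "$2/client.csr" \
        -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$2/client.pem" >/dev/null 2>&1
}

# verify_client CAFILE CERTFILE : returns 0 if the chain verifies, 1 if not.
# On failure the openssl output (e.g. "error 7 at 0 depth lookup:
# certificate signature failure") is printed; error 7 is the same verify
# error the radiusd debug log shows as "verify error:num=7".
verify_client() {
    if openssl verify -CAfile "$1" "$2" >"$WORK/verify.out" 2>&1; then
        return 0
    fi
    cat "$WORK/verify.out"
    return 1
}

# pubkey_fingerprint CERTFILE : SHA-256 over the certificate's public key.
# Two CA files with the same subject but different fingerprints cannot
# validate each other's issued certificates, whatever the issuer name says.
pubkey_fingerprint() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}

# --- demo (constructed data) ---------------------------------------------
# The original CA key is 3072 bits; the replacement CA keeps the subject but
# uses a 2048-bit key. Checking a 3072-bit signature against a 2048-bit
# modulus is the condition OpenSSL reports as "data too large for modulus";
# a same-size but different key would give only "certificate signature
# failure".
make_ca "$WORK/ca-old" "/CN=Demo Radius CA" 3072
make_ca "$WORK/ca-new" "/CN=Demo Radius CA" 2048
issue_client "$WORK/ca-old" "$WORK/client" "/CN=demo-client"

echo "old CA key: $(pubkey_fingerprint "$WORK/ca-old/ca.pem")"
echo "new CA key: $(pubkey_fingerprint "$WORK/ca-new/ca.pem")"

if verify_client "$WORK/ca-old/ca.pem" "$WORK/client/client.pem"; then
    echo "client cert verifies against the CA that issued it"
fi
if ! verify_client "$WORK/ca-new/ca.pem" "$WORK/client/client.pem"; then
    echo "client cert rejected by the re-generated CA (expected)"
fi
```

To use the same check on a real installation, run `verify_client` with the CA file named in the `tls` section of `eap.conf` and the client certificate, and compare `pubkey_fingerprint` of the CA file the server loads with that of the CA file the client certificates were issued from; if the fingerprints differ, the issuer name in the log is the same but the key is not, and every certificate issued under the old key will fail exactly as in the log above.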


More information about the Eisfair_dev mailing list