Bug #9082 (Closed)
freeradius eap-tls CA validation trying to use fields that may not exist
% Done: 100%
Description
This issue is reproduced in this thread: https://forum.netgate.com/topic/137168/freeradius-ca-validation-broken-2-4-5
Email subject field was removed from CA creation as it was deprecated from the spec.
Having no email address present when creating a CA in pfSense causes FreeRADIUS to fail cert validation, as it requires that field.
If no email is present, it falls back to filling in a default email address.
This is also true for any field that is left blank in the check cert issuer settings.
Here are my settings:
Here is the error I am getting when trying to validate the CA without email address.
Mon Oct 29 15:05:57 2018 : Auth: tls: Certificate issuer (/CN=test.ma/C=CA/ST=BC/L=Delta/O=Family) does not match specified value (/C=CA/ST=BC/L=Delta/O=Family/emailAddress=admin@mycompany.com/CN=test.ma)!
Mon Oct 29 15:05:57 2018 : ERROR: (6) eap_tls: ERROR: TLS Alert write:fatal:internal error
Mon Oct 29 15:05:57 2018 : Error: tls: TLS_accept: Error in error
Mon Oct 29 15:05:57 2018 : Auth: (6) Login incorrect (Failed retrieving values required to evaluate condition): [Robin/<via Auth-Type = eap>] (from client LoudBounce port 0 cli 10-CD-B6-03-C4-96) Robin tried to connect
Mon Oct 29 15:06:07 2018 : Auth: tls: Certificate issuer (/CN=test.ma/C=CA/ST=BC/L=Delta/O=Family) does not match specified value (/C=CA/ST=BC/L=Delta/O=Family/emailAddress=admin@mycompany.com/CN=test.ma)!
Mon Oct 29 15:06:07 2018 : ERROR: (12) eap_tls: ERROR: TLS Alert write:fatal:internal error
Mon Oct 29 15:06:07 2018 : Error: tls: TLS_accept: Error in error
Mon Oct 29 15:06:07 2018 : Auth: (12) Login incorrect (Failed retrieving values required to evaluate condition): [Robin/<via Auth-Type = eap>] (from client WarPigeons port 0 cli 10-CD-B6-03-C4-96) Robin tried to connect
Updated by Jim Pingle about 6 years ago
- Status changed from New to Feedback
Fixed in pkg version 0.15.6.
Fields left blank will not be added to the subject to validate.
If someone was relying on the old bogus default field data they can fill that in by hand to match the CA like everyone else.
Also, I removed deprecated and unnecessary fields from the default generated temp CA.
Updated by rub man about 6 years ago
Seems like the order in which cert fields are presented is also an issue. Still getting the error despite matching exactly.
My guess is moving CN field to the end or not caring for order in which subject fields are presented should fix the issue.
Error:
Auth: tls: Certificate issuer (/CN=test.ma/C=CA/ST=BC/L=Delta/O=Family) does not match specified value (/C=CA/ST=BC/L=Delta/O=Family/CN=test.ma/)!
Updated by frederic lubrano about 6 years ago
It's in the right order:
Auth: tls: Certificate issuer (/C=FR/ST=Ain/L=Jassans-Riottier/O=pfvpn/emailAddress=fred@fred.fr/CN=caioc.pfvpn.io) does not match specified value (/C=FR/ST=Ain/L=Jassans-Riottier/O=pfvpn/emailAddress=fred@fred.fr/CN=caioc.pfvpn.io/)!
ERROR: (21) eap_tls: ERROR: TLS Alert write:fatal:internal error
Updated by Jim Pingle about 6 years ago
- Status changed from Feedback to In Progress
Looks like the config shouldn't put a trailing / on the subject.
Though the more I think about it, I wonder why these fields are needed at all. It should just copy the subject out of the selected SSL CA Certificate and be done with it.
Is there any compelling reason to specify it manually? Seems redundant to me.
I'm going to rip all this out and make it work like this:
- Remove all the various fields to set the subject components
- Add a new field to manually specify a complete subject
- If that field is blank, it will automatically use the subject of the chosen CA cert, which is almost certainly what the user wants, and will always be in the correct order and have the correct components.
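Added example, not pfSense or FreeRADIUS code: a small POSIX shell script that does by hand what the behaviour described above does automatically, i.e. derives the issuer string from the CA certificate itself with openssl (in the same X509_NAME_oneline "/C=.../CN=..." form that the "Certificate issuer (...)" log lines in this thread print) and then compares a configured value the way those log lines show FreeRADIUS comparing it: as an exact string, so component order, a missing or extra emailAddress, and a trailing "/" each cause a mismatch. The function names, the throwaway self-signed CA and the temp directory are assumptions constructed for the example; it needs an openssl binary on PATH.

```shell
#!/bin/sh
# Added example (not pfSense/FreeRADIUS code). Requires openssl on PATH.
set -eu

# Print a certificate's subject DN in OpenSSL's X509_NAME_oneline format
# ("/C=.../ST=.../CN=..."), which is what FreeRADIUS logs as the issuer.
# The sed strips the "subject=" label openssl prepends; older releases
# print "subject= " with a trailing space, so both spellings are handled.
ca_subject_oneline() {
    openssl x509 -in "$1" -noout -subject -nameopt compat | sed 's/^subject= *//'
}

# Compare a certificate's issuer against a configured value the way the
# check in this thread behaves: a plain exact string comparison, so the
# order of components, extra/missing attributes and a trailing "/" all
# make it fail. Returns 0 on match, 1 otherwise.
issuer_matches() {
    actual=$(openssl x509 -in "$1" -noout -issuer -nameopt compat | sed 's/^issuer= *//')
    [ "$actual" = "$2" ]
}

# Constructed fixture: a throwaway self-signed CA with the subject from the
# bug report (CN first, no emailAddress), written under a fresh temp dir.
# Prints the path of the certificate. For a self-signed CA, issuer == subject.
make_fixture_ca() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/CN=test.ma/C=CA/ST=BC/L=Delta/O=Family" >/dev/null 2>&1
    echo "$dir/ca.crt"
}

# Demo: derive the string to use as the check value straight from the CA
# instead of retyping its components one field at a time.
CA_CERT=$(make_fixture_ca)
echo "Issuer string taken from the CA: $(ca_subject_oneline "$CA_CERT")"
if issuer_matches "$CA_CERT" "/C=CA/ST=BC/L=Delta/O=Family/CN=test.ma"; then
    echo "reordered value matches (unexpected)"
else
    echo "reordered value does not match: order matters in the comparison"
fi
```

Run it against a real CA by replacing the fixture path with the pfSense-exported CA certificate; the string it prints is exactly what the check has to equal, which is why copying it from the certificate is safer than assembling it from separate fields.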
Updated by Jim Pingle about 6 years ago
- Status changed from In Progress to Feedback
Fixed in pkg version 0.15.7
Updated by Jim Pingle about 6 years ago
- Status changed from Feedback to Resolved
- Assignee set to Jim Pingle
- Target version deleted (48)
- % Done changed from 0 to 100