Project

General

Profile

Actions

Bug #9082

closed

freeradius eap-tls CA validation trying to use fields that may not exist

Added by rub man over 5 years ago. Updated over 5 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
FreeRADIUS
Target version:
-
Start date:
10/30/2018
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Affected Version:
2.4.5
Affected Plus Version:
Affected Architecture:
amd64

Description

This issue is reproduced in this thread: https://forum.netgate.com/topic/137168/freeradius-ca-validation-broken-2-4-5

Email subject field was removed from CA creation as it was deprecated from the spec.
No email address present when creating CA in pfsense, causes freeradius to fail cert validation as it requires that field.
If no email is present it falls back to filling in default email address.
This is also true for any field that is left blank in check cert issuer settings.

Here are my settings:

Here is the error I am getting when trying to validate the CA without email address.

Mon Oct 29 15:05:57 2018 : Auth: tls: Certificate issuer (/CN=test.ma/C=CA/ST=BC/L=Delta/O=Family) does not match specified value (/C=CA/ST=BC/L=Delta/O=Family/emailAddress=admin@mycompany.com/CN=test.ma)!
Mon Oct 29 15:05:57 2018 : ERROR: (6) eap_tls: ERROR: TLS Alert write:fatal:internal error
Mon Oct 29 15:05:57 2018 : Error: tls: TLS_accept: Error in error
Mon Oct 29 15:05:57 2018 : Auth: (6) Login incorrect (Failed retrieving values required to evaluate condition): [Robin/<via Auth-Type = eap>] (from client LoudBounce port 0 cli 10-CD-B6-03-C4-96) Robin tried to connect
Mon Oct 29 15:06:07 2018 : Auth: tls: Certificate issuer (/CN=test.ma/C=CA/ST=BC/L=Delta/O=Family) does not match specified value (/C=CA/ST=BC/L=Delta/O=Family/emailAddress=admin@mycompany.com/CN=test.ma)!
Mon Oct 29 15:06:07 2018 : ERROR: (12) eap_tls: ERROR: TLS Alert write:fatal:internal error
Mon Oct 29 15:06:07 2018 : Error: tls: TLS_accept: Error in error
Mon Oct 29 15:06:07 2018 : Auth: (12) Login incorrect (Failed retrieving values required to evaluate condition): [Robin/<via Auth-Type = eap>] (from client WarPigeons port 0 cli 10-CD-B6-03-C4-96) Robin tried to connect

Files

1540850903303-annotation.png (84.3 KB) 1540850903303-annotation.png rub man, 10/30/2018 10:03 PM
Actions #1

Updated by Jim Pingle over 5 years ago

  • Status changed from New to Feedback

Fixed in pkg version 0.15.6.

Fields left blank will not be added to the subject to validate.

If someone was relying on the old bogus default field data they can fill that in by hand to match the CA like everyone else.

Also, I removed deprecated and unnecessary fields from the default generated temp CA.

Actions #2

Updated by rub man over 5 years ago

Seems like the order in which cert fields are presented is also an issue. Still getting error despite matching exactly.

My guess is moving CN field to the end or not caring for order in which subject fields are presented should fix the issue.

Error
Auth: tls: Certificate issuer (/CN=test.ma/C=CA/ST=BC/L=Delta/O=Family) does not match specified value (/C=CA/ST=BC/L=Delta/O=Family/CN=test.ma/)!

Actions #3

Updated by frederic lubrano over 5 years ago

it's in the right order :

Auth: tls: Certificate issuer (/C=FR/ST=Ain/L=Jassans-Riottier/O=pfvpn/emailAddress=/CN=caioc.pfvpn.io) does not match specified value (/C=FR/ST=Ain/L=Jassans-Riottier/O=pfvpn/emailAddress=/CN=caioc.pfvpn.io/)!
ERROR: (21) eap_tls: ERROR: TLS Alert write:fatal:internal error

Actions #4

Updated by Jim Pingle over 5 years ago

  • Status changed from Feedback to In Progress

Looks like the config shouldn't put a trailing / on the subject.

Though the more I think about it, I wonder why these fields are needed at all. It should just copy the subject out of the selected SSL CA Certificate and be done with it.

Is there any compelling reason to specify it manually? Seems redundant to me.

I'm going to rip all this out and make it work like this:

  • Remove all the various fields to set the subject components
  • Add a new field to manually specify a complete subject
  • If that field is blank, it will automatically use the subject of the chosen CA cert, which is almost certainly what the user wants, and will always be in the correct order and have the correct components.
Actions #5

Updated by Jim Pingle over 5 years ago

  • Status changed from In Progress to Feedback

Fixed in pkg version 0.15.7

Actions #6

Updated by rub man over 5 years ago

can confirm. it is working.

Actions #7

Updated by Jim Pingle over 5 years ago

  • Status changed from Feedback to Resolved
  • Assignee set to Jim Pingle
  • Target version deleted (48)
  • % Done changed from 0 to 100
Actions

Also available in: Atom PDF