Opened 11 years ago

Closed 11 years ago

Last modified 4 years ago

#1182 closed defect (fixed)

Recent openssl patch causes problems

Reported by: netprince (at) vt (dot) edu
Owned by: nico
Priority: high
Milestone: Barrier Breaker 14.07
Component: packages
Version:
Keywords: openssl
Cc:

Description

The following patch causes freeradius to not be able to read my certificates. Also, I can no longer generate certificates on the router.

/changeset/5606.html

After compiling my own firmware without the patch, everything works great.

I recommend either removing the patch, or creating a second openssl package which is larger, but contains the missing functionality.

Attachments (1)

openwrt-packages-openssl-0.9.8d-3-zlib.patch (786 bytes) - added by zandbelt 11 years ago.

Change History (15)

comment:1 Changed 11 years ago by nico

  • Owner changed from developers to nico
  • Status changed from new to assigned

Can you check the openssl packages in my download directory below?

http://downloads.openwrt.org/people/nico/whiterussian/

They have been rebuilt with the ASN.1 routines back in.

comment:2 Changed 11 years ago by netprince (at) vt (dot) edu

Freeradius still won't initialize using your new packages; here is the error message:

Sat Jan 20 22:17:44 2007 : Info: rlm_eap_tls: Loading the certificate file as a chain
Sat Jan 20 22:17:44 2007 : Error: rlm_eap: SSL error error:2507006C:lib(37):func(112):reason(108)
Sat Jan 20 22:17:44 2007 : Error: rlm_eap_tls: Error reading certificate file
Sat Jan 20 22:17:44 2007 : Error: rlm_eap: Failed to initialize type tls
Sat Jan 20 22:17:44 2007 : Error: radiusd.conf[9]: eap: Module instantiation failed.
Sat Jan 20 22:17:44 2007 : Error: radiusd.conf[1735] Unknown module "eap".
Sat Jan 20 22:17:44 2007 : Error: radiusd.conf[1682] Failed to parse authenticate section.

Sorry for the delay, I'll watch this ticket closer now...

comment:3 Changed 11 years ago by nbd

  • Milestone changed from 0.9/rc6 to Kamikaze

comment:4 Changed 11 years ago by nico

  • Resolution set to fixed
  • Status changed from assigned to closed

Should be fixed in [6706]

comment:5 Changed 11 years ago by zandbelt

  • Resolution fixed deleted
  • Status changed from closed to reopened

This does not seem to be fixed: when running a (custom) executable that reads certificates using OpenSSL on whiterussian, it exits with the following error:

error:25066067:lib(37):func(102):reason(103)

and

error:25070067:lib(37):func(112):reason(103)

This is true for both releases 0.9.8d-1 and 0.9.8.d-2. The original reporter of the patch cannot comment on using the patch with Freeradius, since he uses a custom compiled version now.

I have done some testing and it appears that _not_ the dso flag is the culprit, but the zlib-dynamic flag is instead. When using the plain "zlib" flag, the errors have disappeared (unaffected by the dso/no-dso setting).

I have attached a patch.

comment:6 Changed 11 years ago by zandbelt

BTW: nico, where did you get the (correct) hint that it was zlib related (according to the comments that went with the patch)?

Changed 11 years ago by zandbelt

comment:7 Changed 11 years ago by Mulder

The openssl Makefile patch works like a charm. Cheers :)

comment:8 Changed 11 years ago by public at mjh dot name

I want to confirm that the problem exists in Kamikaze 7.07, and that it is fixed by zandbelt's patch from March.

If you want to test, here are the packages I built with the patch applied:
http://mjh.name/files/kamikaze_packages/openssl-util_0.9.8e-3_mipsel.ipk
http://mjh.name/files/kamikaze_packages/libopenssl_0.9.8e-3_mipsel.ipk
alternatively:
https://mjh.name/files/kamikaze_packages/openssl-util_0.9.8e-3_mipsel.ipk
https://mjh.name/files/kamikaze_packages/libopenssl_0.9.8e-3_mipsel.ipk

Regards,
Milan

comment:9 Changed 11 years ago by pavlov

  • Resolution set to fixed
  • Status changed from reopened to closed

should be resolved in changeset:8285

comment:10 Changed 11 years ago by nico

The zlib-dynamic issue should definitively be fixed in [8299].

comment:11 Changed 11 years ago by nico

Steps to reproduce (without /usr/lib/libz.so):

# openssl ocsp
OCSP utility
Usage ocsp [options]
...
2685:error:25066067:lib(37):func(102):reason(103):NA:0:filename(libz.so): File not found
2685:error:25070067:lib(37):func(112):reason(103):NA:0:

comment:12 Changed 10 years ago by salimsaay

Hi, I have a problem with compiling my new file; please, someone help me.

I modified the freeradius-1.0.5 (raddb, src), and from wpa_supplicant (eap_tls, wpa_supplicant, eap.c). I have the patch of these packages; I have openwrt rc5, and I also have the trunk image builder.

How can I apply the patch of them to rc5 or trunk? I want to compile these new edited packages.

best regards.

comment:13 Changed 9 years ago by jake1981 <oskari.rauta@…>

This has not been fixed (kamikaze 8.09 and trunk)

rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = no
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "/etc/freeradius/certs-new/masterCA"
 tls: pem_file_type = yes
 tls: private_key_file = "/etc/freeradius/certs-new/master_cert.pem"
 tls: certificate_file = "/etc/freeradius/certs-new/master_cert.pem"
 tls: CA_file = "/etc/freeradius/certs-new/masterCA/cacert.pem"
 tls: private_key_password = "password"
 tls: dh_file = "(null)"
 tls: random_file = "(null)"
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = "(null)"
 tls: cipher_list = "(null)"
 tls: check_cert_issuer = "(null)"
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: SSL error error:0906D06C:lib(9):func(109):reason(108)
rlm_eap_tls: Error reading private key file
rlm_eap: Failed to initialize type tls
radiusd.conf[1]: eap: Module instantiation failed. 
radiusd.conf[124] Unknown module "eap".
radiusd.conf[118] Failed to parse authenticate section. 
root@Gateway:/etc/freeradius#

comment:14 Changed 4 years ago by jow

  • Milestone changed from Attitude Adjustment 12.09 to Barrier Breaker 14.07

Milestone Attitude Adjustment 12.09 deleted
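
The packed error codes quoted in the comments above can be split back into library, function and reason numbers, which shows which OpenSSL subsystem raised each one. The following is an added example, not code from the ticket or from OpenSSL; it assumes the pre-3.0 packing (8-bit library, 12-bit function, 12-bit reason) that the quoted strings themselves follow, and the name table is a small subset of the ERR_LIB_* numbers in OpenSSL's err.h.

```python
import re
from collections import defaultdict

# Subset of ERR_LIB_* numbers from OpenSSL's err.h (library number -> name).
ERR_LIB = {9: "PEM", 11: "X509", 13: "ASN1", 20: "SSL", 37: "DSO"}

ERR_RE = re.compile(
    r"error:([0-9A-Fa-f]{8}):lib\((\d+)\):func\((\d+)\):reason\((\d+)\)")


def unpack(code):
    """Split a packed pre-3.0 error code: 8 bits lib, 12 func, 12 reason."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def triage(lines):
    """Group the packed codes found in log lines by originating library."""
    by_lib = defaultdict(list)
    for line in lines:
        for m in ERR_RE.finditer(line):
            lib, func, reason = unpack(int(m.group(1), 16))
            printed = tuple(int(g) for g in m.group(2, 3, 4))
            # The hex code and the printed fields must agree; a mismatch
            # means the line was truncated or edited.
            if printed != (lib, func, reason):
                raise ValueError(f"inconsistent error string: {m.group(0)}")
            name = ERR_LIB.get(lib, f"lib{lib}")
            by_lib[name].append((m.group(1).upper(), func, reason))
    return dict(by_lib)


# Error lines copied from the comments in this ticket.
TICKET_LINES = [
    "Sat Jan 20 22:17:44 2007 : Error: rlm_eap: SSL error "
    "error:2507006C:lib(37):func(112):reason(108)",
    "2685:error:25066067:lib(37):func(102):reason(103):NA:0:"
    "filename(libz.so): File not found",
    "2685:error:25070067:lib(37):func(112):reason(103):NA:0:",
    "rlm_eap: SSL error error:0906D06C:lib(9):func(109):reason(108)",
]

if __name__ == "__main__":
    for lib, hits in triage(TICKET_LINES).items():
        for code, func, reason in hits:
            print(f"{lib:5} {code} func={func} reason={reason}")
```

The lib(37) codes are raised by the DSO (dynamic loading) subsystem, while the lib(9) code in comment 13 is raised by the PEM reader.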
