
[os-freeradius] - Option "secp521r1" is missing and suggestions to improve the informational message

Open EdwinKM opened this issue 3 years ago • 0 comments

Important notices

Before you add a new report, we ask you kindly to acknowledge the following:

  [x] I have read the contributing guidelines at https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md
  [x] I have searched the existing issues, open and closed, and I'm convinced that mine is new.
  [x] The title contains the plugin to which this issue belongs

Describe the bug

If I create Elliptic certs with Curve "secp384r1" AND I set "Elliptic Curve" in "Services: FreeRADIUS: EAP" to type "prime256v1" I cannot use my key pair.

The same happens if I create a key pair with "secp512r1" because in the "Services: FreeRADIUS: EAP" screen this value is missing. But if I select "secp384r1" it also does not work. It should probably be added? I changed "/usr/local/etc/raddb/mods-enabled/eap" manually and it worked after this fix.

The confusing part for new users is:

  • If I create RSA certs I can use whatever value for "Elliptic Curve" in the "Services: FreeRADIUS: EAP" screen. Probably not used at all in this case?
  • If I create "Elliptic Curve" certs then the value in this screen must match.

It is not directly clear that this is the case. I recommend changing the information message from "Set the Elliptical cryptography configuration." to something like "Only applies if using certificates of type Elliptical Curve. Make sure this value and the Curve value of the certificate match."

To Reproduce

Steps to reproduce:

Create a CA:

  System -> Trust -> Authorities
  Descriptive name: ELLIPCTIC_521
  Method: Create an internal Certificate Authority
  Key Type: Elliptic Curve
  Curve: secp521r1
  Digest Algorithm: SHA256
  Country Code: AD (Andorra)
  State or Province: State
  City: City
  Organization: RADIUS
  Email Address: [email protected]
  Common Name: internal-ca

Server:

  Method: Create an internal Certificate
  Descriptive name: ELLIPCTIC_521 Server Certificate
  Certificate authority: ELLIPCTIC_521
  Type: Server Certificate
  Key Type: Elliptic Curve
  Curve: secp521r1
  Digest Algorithm: SHA256
  Lifetime (days): 397
  Private key location: Save on this Firewall
  Common Name: internal-ca

Client:

  Method: Create an internal Certificate
  Descriptive name: ELLIPCTIC_521 Client Certificate
  Certificate authority: ELLIPCTIC_521
  Type: Client Certificate
  Key Type: Elliptic Curve
  Curve: secp521r1
  Digest Algorithm: SHA256
  Lifetime (days): 397
  Private key location: Save on this Firewall
  Common Name: MyCommonName

Services -> FreeRADIUS -> EAP

  Default EAP Type: TLS
  Elliptic Curve: prime256v1 or secp384r1
  Use own certificates: Enabled
  Root Certificate: ELLIPCTIC_521
  Server Certificate: ELLIPCTIC_521 Server Certificate
  Check TLS Common-Name: Enabled
  TLS Minimum Version: 1.2

Save

Download to Linux for Network Manager and configure.

  CA -> ELLIPCTIC.crt
  ELLIPCTIC Client Certificate -> ELLIPCTIC+Client+Certificate.p12

  root@OPNsense:~ # service radiusd stop
  root@OPNsense:~ # radiusd -X

See included log, but the important part:

  (5) eap_tls: (TLS) recv TLS 1.2 Handshake, ClientKeyExchange
  (5) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read client key exchange
  (5) eap_tls: (TLS) recv TLS 1.2 Handshake, CertificateVerify
  (5) eap_tls: (TLS) send TLS 1.2 Alert, fatal illegal_parameter
  (5) eap_tls: ERROR: (TLS) Alert write:fatal:illegal parameter
  (5) eap_tls: ERROR: (TLS) Server : Error in error
  (5) eap_tls: ERROR: (TLS) Failed reading from OpenSSL: error:1414D17A:SSL routines:tls12_check_peer_sigalg:wrong curve
  (5) eap_tls: ERROR: (TLS) System call (I/O) error (-1)
  (5) eap_tls: ERROR: (TLS) EAP Receive handshake failed during operation
  (5) eap_tls: ERROR: [eaptls process] = fail

Edit /usr/local/etc/raddb/mods-enabled/eap and replace 'ecdh_curve = "prime256v1"' with 'ecdh_curve = "secp521r1"'. Restart RADIUS and notice we can actually connect.

Expected behavior

The EAP validation should be successful.

Screenshots

Not applicable

Relevant log files

Included "attachment_radiusd.log"

Additional context

"secp521r1" is needed in the screen. The information could be improved. Is it possible to use the exact same list as in the certificate screen to avoid issues like these in the future?

Environment

Not applicable

  Version 22.1.4_1
  Architecture amd64
  Flavour OpenSSL
  Commit 1aa77c16b
  FreeRADIUS Version 3.0.25
  attachment_radiusd.log

EdwinKM avatar Apr 03 '22 19:04 EdwinKM
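The mismatch the report describes (an EC server certificate on one curve, ecdh_curve in the FreeRADIUS eap module set to another, ending in the "wrong curve" / illegal_parameter alert shown in the log) can be caught before running radiusd -X. The following script is an added example written for this page; it is not code from the issue reporter or from the opnsense/plugins project. It assumes openssl is in PATH and that the eap module uses the ecdh_curve = "..." line quoted above; the function names (cert_curve, config_curve, check_curve_match), the throwaway secp521r1 certificate and the two config fragments are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the issue or the opnsense/plugins project): verify that the
# EC curve of the EAP server certificate matches ecdh_curve in the FreeRADIUS eap module.
# Assumes openssl is in PATH and the ecdh_curve = "..." line format quoted in the issue.

# Print the curve name OpenSSL reports for the certificate's EC public key
# (the "ASN1 OID:" line of `openssl x509 -text`); prints nothing for an RSA certificate.
cert_curve() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/^[[:space:]]*ASN1 OID:[[:space:]]*//p' | head -n 1
}

# Print the ecdh_curve value from a FreeRADIUS eap config, ignoring commented-out lines.
config_curve() {
    grep -E '^[[:space:]]*ecdh_curve[[:space:]]*=' "$1" 2>/dev/null | head -n 1 \
        | sed 's/^[^=]*=[[:space:]]*"\{0,1\}\([A-Za-z0-9]*\).*/\1/'
}

# Return 0 when the certificate curve and the configured curve are the same,
# 1 when they differ or when either value cannot be read, 2 when a file is missing.
check_curve_match() {
    [ -f "$1" ] && [ -f "$2" ] || return 2
    cc=$(cert_curve "$1")
    kc=$(config_curve "$2")
    [ -n "$cc" ] && [ -n "$kc" ] && [ "$cc" = "$kc" ]
}

# Demo on constructed data: a throwaway secp521r1 self-signed certificate and two eap
# fragments modelled on the issue's before/after edit of mods-enabled/eap.
DEMO_DIR=$(mktemp -d)
openssl ecparam -name secp521r1 -genkey -noout -out "$DEMO_DIR/key.pem"
openssl req -new -x509 -key "$DEMO_DIR/key.pem" -out "$DEMO_DIR/cert.pem" \
    -days 1 -subj "/CN=constructed-example" 2>/dev/null
cat > "$DEMO_DIR/eap_before" <<'EOF'
tls-config tls-common {
    # ecdh_curve = "secp384r1"
    ecdh_curve = "prime256v1"
}
EOF
cat > "$DEMO_DIR/eap_after" <<'EOF'
tls-config tls-common {
    ecdh_curve = "secp521r1"
}
EOF

for cfg in eap_before eap_after; do
    if check_curve_match "$DEMO_DIR/cert.pem" "$DEMO_DIR/$cfg"; then
        echo "$cfg: OK, certificate curve $(cert_curve "$DEMO_DIR/cert.pem") matches ecdh_curve"
    else
        echo "$cfg: MISMATCH, certificate curve $(cert_curve "$DEMO_DIR/cert.pem") vs ecdh_curve $(config_curve "$DEMO_DIR/$cfg")"
    fi
done
```

On the firewall the same check would be run as check_curve_match against the exported server certificate and /usr/local/etc/raddb/mods-enabled/eap; the certificate path is whatever the export produced and is not given on this page. An RSA certificate yields an empty cert_curve, which the function reports as "cannot be read" rather than a match, consistent with the report's observation that ecdh_curve is irrelevant for RSA key pairs.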