Although this represents a lot of pain for users upgrading, it allows (with the new section references) a single TLS configuration section to be used for all modules in the server.
adduser --quiet freerad ssl-cert
fi
fi
- if egrep -q '^[ ]*CA_file = \${cadir}/ca.pem' /etc/freeradius/modules/eap && \
+ if egrep -q '^[ ]*ca_file = \${cadir}/ca.pem' /etc/freeradius/modules/eap && \
test ! -f /etc/freeradius/certs/ca.pem
then
ln -s /etc/ssl/certs/ca.pem /etc/freeradius/certs/ca.pem
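Review bot: The egrep on the new line only matches the lowercase `ca_file` spelling, but the tls.c server table in this same commit keeps `CA_file` as a deprecated, still-recognised name, so a preserved configuration that still says `CA_file = ${cadir}/ca.pem` no longer triggers the symlink creation and the server will reference a CA file that does not exist. Matching both spellings keeps the postinst in step with what the server accepts: `if egrep -q '^[ ]*(CA_file|ca_file) = \${cadir}/ca.pem' /etc/freeradius/modules/eap && \`. The enclosing if/fi block starts and ends outside this hunk.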
In general, you should use self-signed certificates for 802.1x (EAP)
authentication. When you list root CAs from other organizations in
-the "CA_file", you permit them to masquerade as you, to authenticate
+the "ca_file", you permit them to masquerade as you, to authenticate
your users, and to issue client certificates for EAP-TLS.
If FreeRADIUS was configured to use OpenSSL, then simply starting
# certificate_file must contain the same file
# name.
#
- # If CA_file (below) is not used, then the
+ # If ca_file (below) is not used, then the
# certificate_file below MUST include not
# only the server certificate, but ALSO all
# of the CA certificates used to sign the
# not use client certificates, and you do not want
# to permit EAP-TLS authentication, then delete
# this configuration item.
- CA_file = ${cadir}/ca.pem
+ ca_file = ${cadir}/ca.pem
#
# If OpenSSL supports TLS-PSK, then we can use
# private_key_password
# private_key_file
# certificate_file
- # CA_file
- # CA_path
+ # ca_file
+ # ca_path
#
# For now, the identity is fixed, and must be the
# same on the client. The passphrase must be a hex
# 3) uncomment the line below.
# 5) Restart radiusd
# check_crl = yes
- CA_path = ${cadir}
+ ca_path = ${cadir}
#
# If check_cert_issuer is set, the value will
# We recommend using the OpenSSL command-line
# tool.
#
- # The ${..CA_path} text is a reference to
- # the CA_path variable defined above.
+ # The ${..ca_path} text is a reference to
+ # the ca_path variable defined above.
#
# The %{TLS-Client-Cert-Filename} is the name
# of the temporary file containing the cert
# in PEM format. This file is automatically
# deleted by the server when the command
# returns.
- # client = "/path/to/openssl verify -CApath ${..CA_path} %{TLS-Client-Cert-Filename}"
+ # client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
}
#
# certificate_file must contain the same file
# name.
#
- # If CA_file (below) is not used, then the
+ # If ca_file (below) is not used, then the
# certificate_file below MUST include not
# only the server certificate, but ALSO all
# of the CA certificates used to sign the
# You may want different CAs for inner and outer
# certificates. If so, edit this file.
- CA_file = ${cadir}/ca.pem
+ ca_file = ${cadir}/ca.pem
cipher_list = "DEFAULT"
# CRL and OCSP things go here. See the main "eap"
# file for details.
# check_crl = yes
- # CA_path = /path/to/directory/with/ca_certs/and/crls/
+ # ca_path = /path/to/directory/with/ca_certs/and/crls/
#
# The session resumption / fast reauthentication
# using ldaps (port 636) connections
# start_tls = yes
-# cacertfile = ${certdir}/cacert.pem
+# ca_file = ${certdir}/cacert.pem
-# cacertdir = ${certdir}
-# certfile = /path/to/radius.crt
-# keyfile = /path/to/radius.key
-# randfile = ${certdir}/random
+# ca_path = ${certdir}
+# certificate_file = /path/to/radius.crt
+# private_key_file = /path/to/radius.key
+# random_file = ${certdir}/random
# Certificate Verification requirements. Can be:
# "never" (don't even bother trying)
# server.
#
tls {
-# cacertfile = ${certdir}/cacert.pem
-# cacertdir = ${certdir}
+# ca_file = ${certdir}/cacert.pem
+# ca_path = ${certdir}
-# certfile = /path/to/radius.crt
-# keyfile = /path/to/radius.key
-# keypassword = "supersecret"
-# randfile = ${certdir}/random
+# certificate_file = /path/to/radius.crt
+# private_key_file = /path/to/radius.key
+# private_key_password = "supersecret"
+# random_file = ${certdir}/random
# Server certificate verification requirements. Can be:
# "no" (don't even bother trying)
# trusted CAs)
#
# The default is "yes"
-# verify_cert = "yes"
+# check_cert = "yes"
# Server certificate CN verification requirements. Can be:
# "no" (don't even bother trying)
# in the URI)
#
# The default is "yes"
-# verify_cert_cn = "yes"
+# check_cert_cn = "yes"
}
# rlm_rest will open a connection to the server specified in connect_uri
# certificate_file must contain the same file
# name.
#
- # If CA_file (below) is not used, then the
+ # If ca_file (below) is not used, then the
# certificate_file below MUST include not
# only the server certificate, but ALSO all
# of the CA certificates used to sign the
# not use client certificates, and you do not want
# to permit EAP-TLS authentication, then delete
# this configuration item.
- CA_file = ${cadir}/ca.pem
+ ca_file = ${cadir}/ca.pem
#
# For DH cipher suites to work, you have to
# 3) uncomment the line below.
# 5) Restart radiusd
# check_crl = yes
- CA_path = ${cadir}
+ ca_path = ${cadir}
#
# If check_cert_issuer is set, the value will
# We recommend using the OpenSSL command-line
# tool.
#
- # The ${..CA_path} text is a reference to
- # the CA_path variable defined above.
+ # The ${..ca_path} text is a reference to
+ # the ca_path variable defined above.
#
# The %{TLS-Client-Cert-Filename} is the name
# of the temporary file containing the cert
# in PEM format. This file is automatically
# deleted by the server when the command
# returns.
- # client = "/path/to/openssl verify -CApath ${..CA_path} %{TLS-Client-Cert-Filename}"
+ # client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
}
}
}
# certificate_file must contain the same file
# name.
#
- # If CA_file (below) is not used, then the
+ # If ca_file (below) is not used, then the
# certificate_file below MUST include not
# only the server certificate, but ALSO all
# of the CA certificates used to sign the
# not use client certificates, and you do not want
# to permit EAP-TLS authentication, then delete
# this configuration item.
- CA_file = ${cadir}/ca.pem
+ ca_file = ${cadir}/ca.pem
#
# For DH cipher suites to work, you have to
# 3) uncomment the line below.
# 5) Restart radiusd
# check_crl = yes
- CA_path = ${cadir}
+ ca_path = ${cadir}
#
# If check_cert_issuer is set, the value will
offsetof(fr_tls_server_conf_t, dh_key_length), NULL, "512" },
{ "verify_depth", PW_TYPE_INTEGER,
offsetof(fr_tls_server_conf_t, verify_depth), NULL, "0" },
- { "CA_path", PW_TYPE_FILE_INPUT,
+ { "CA_path", PW_TYPE_FILE_INPUT | PW_TYPE_DEPRECATED,
+ offsetof(fr_tls_server_conf_t, ca_path), NULL, NULL },
+ { "ca_path", PW_TYPE_FILE_INPUT,
offsetof(fr_tls_server_conf_t, ca_path), NULL, NULL },
{ "pem_file_type", PW_TYPE_BOOLEAN,
offsetof(fr_tls_server_conf_t, file_type), NULL, "yes" },
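Review bot: The deprecated `CA_path` entry and the new `ca_path` entry (and likewise `CA_file`/`ca_file` in the next hunk) both write to the same struct member with no comment saying why the old name is still in the table, unlike the rlm_ldap table in this commit which groups its aliases under a `Deprecated attributes` header. A reader of this table cannot tell whether the old name is meant to be rejected, warned about, or silently accepted as an alias, and that matters because it decides what happens when a configuration names both. A short comment above each pair, `/* CA_path: old spelling, kept only so that PW_TYPE_DEPRECATED flags it; use ca_path */`, would make the intent explicit. The table starts before this hunk and continues past it.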
offsetof(fr_tls_server_conf_t, private_key_file), NULL, NULL },
{ "certificate_file", PW_TYPE_FILE_INPUT,
offsetof(fr_tls_server_conf_t, certificate_file), NULL, NULL },
- { "CA_file", PW_TYPE_FILE_INPUT,
+ { "CA_file", PW_TYPE_FILE_INPUT | PW_TYPE_DEPRECATED,
+ offsetof(fr_tls_server_conf_t, ca_file), NULL, NULL },
+ { "ca_file", PW_TYPE_FILE_INPUT,
offsetof(fr_tls_server_conf_t, ca_file), NULL, NULL },
{ "private_key_password", PW_TYPE_STRING_PTR,
offsetof(fr_tls_server_conf_t, private_key_password), NULL, NULL },
offsetof(fr_tls_server_conf_t, dh_key_length), NULL, "512" },
{ "verify_depth", PW_TYPE_INTEGER,
offsetof(fr_tls_server_conf_t, verify_depth), NULL, "0" },
- { "CA_path", PW_TYPE_FILE_INPUT,
+ { "ca_path", PW_TYPE_FILE_INPUT,
offsetof(fr_tls_server_conf_t, ca_path), NULL, NULL },
{ "pem_file_type", PW_TYPE_BOOLEAN,
offsetof(fr_tls_server_conf_t, file_type), NULL, "yes" },
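Review bot: This second CONF_PARSER table (and the `CA_file`/`ca_file` hunk that follows it) is a plain rename with no `PW_TYPE_DEPRECATED` alias, whereas the first table earlier in the diff keeps `CA_path` and `CA_file` as deprecated entries. An existing configuration for this table that still uses `CA_path` or `CA_file` would, as far as the hunk shows, no longer populate `ca_path`/`ca_file` at all, so the TLS context would be built with no configured trust anchor and whether that fails closed depends on code outside this hunk. Mirroring the first table's approach makes the two tables behave the same on upgrade and gives the user a diagnostic instead of a silently empty CA setting. The table starts before this hunk and continues past it.
```c
{ "verify_depth", PW_TYPE_INTEGER,
  offsetof(fr_tls_server_conf_t, verify_depth), NULL, "0" },
{ "CA_path", PW_TYPE_FILE_INPUT | PW_TYPE_DEPRECATED,
  offsetof(fr_tls_server_conf_t, ca_path), NULL, NULL },
{ "ca_path", PW_TYPE_FILE_INPUT,
  offsetof(fr_tls_server_conf_t, ca_path), NULL, NULL },
/* … unchanged: pem_file_type, private_key_file, certificate_file entries … */
{ "CA_file", PW_TYPE_FILE_INPUT | PW_TYPE_DEPRECATED,
  offsetof(fr_tls_server_conf_t, ca_file), NULL, NULL },
{ "ca_file", PW_TYPE_FILE_INPUT,
  offsetof(fr_tls_server_conf_t, ca_file), NULL, NULL },
```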
offsetof(fr_tls_server_conf_t, private_key_file), NULL, NULL },
{ "certificate_file", PW_TYPE_FILE_INPUT,
offsetof(fr_tls_server_conf_t, certificate_file), NULL, NULL },
- { "CA_file", PW_TYPE_FILE_INPUT,
+ { "ca_file", PW_TYPE_FILE_INPUT,
offsetof(fr_tls_server_conf_t, ca_file), NULL, NULL },
{ "private_key_password", PW_TYPE_STRING_PTR,
offsetof(fr_tls_server_conf_t, private_key_password), NULL, NULL },
char *server_idtype=NULL;
CONF_PARSER module_config[] = {
- { "CA_file", PW_TYPE_STRING_PTR,
+ { "ca_file", PW_TYPE_STRING_PTR,
offsetof(ikev2_ctx,trusted),NULL,NULL },
{ "private_key_file",PW_TYPE_STRING_PTR,
offsetof(ikev2_ctx,pkfile),NULL,NULL },
{ "private_key_password",PW_TYPE_STRING_PTR,
offsetof(ikev2_ctx,pkfile_pwd),NULL,NULL },
{ "certificate_file", PW_TYPE_STRING_PTR,
- offsetof(ikev2_ctx,certfile),NULL,NULL },
+ offsetof(ikev2_ctx,certificate_file),NULL,NULL },
{ "crl_file", PW_TYPE_STRING_PTR,
offsetof(ikev2_ctx,crl_file),NULL,NULL },
{ "id", PW_TYPE_STRING_PTR,
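Review bot: The `CA_file` item is renamed to `ca_file` in this module_config without a `PW_TYPE_DEPRECATED` alias, so an existing rlm_eap_ikev2 configuration that still spells it `CA_file` leaves `trusted` NULL; the check later in this diff then only logs "'ca_file' item not set, client cert based authentication will fail" and continues rather than refusing to start. Keeping the old spelling as a flagged alias, as the tls.c server table does, turns that into an explicit configuration diagnostic: `{ "CA_file", PW_TYPE_STRING_PTR | PW_TYPE_DEPRECATED, offsetof(ikev2_ctx,trusted),NULL,NULL },` placed just before the `ca_file` entry. The `certfile` to `certificate_file` member rename presumably has a matching change in the ikev2_ctx definition, which is not in this hunk.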
case IKEv2_AUTH_SK:
break;
case IKEv2_AUTH_CERT:
- if(!i2->certfile || !i2->pkfile) {
+ if(!i2->certificate_file || !i2->pkfile) {
ERROR(IKEv2_LOG_PREFIX "'certificate_file' and 'private_key_file' items are required for 'cert' auth type");
return -1;
}
- if(!file_exists(i2->certfile)) {
- ERROR(IKEv2_LOG_PREFIX "Can not open 'certificate_file' %s",i2->certfile);
+ if(!file_exists(i2->certificate_file)) {
+ ERROR(IKEv2_LOG_PREFIX "Can not open 'certificate_file' %s",i2->certificate_file);
return -1;
}
if(!file_exists(i2->pkfile)) {
break;
}
if(!i2->trusted) {
- AUTH(IKEv2_LOG_PREFIX "'CA_file' item not set, client cert based authentication will fail");
+ AUTH(IKEv2_LOG_PREFIX "'ca_file' item not set, client cert based authentication will fail");
} else {
if(!file_exists(i2->trusted)) {
- ERROR(IKEv2_LOG_PREFIX "Can not open 'CA_file' %s",i2->trusted);
+ ERROR(IKEv2_LOG_PREFIX "Can not open 'ca_file' %s",i2->trusted);
return -1;
}
}
# define maybe_ldap_option(_option, _name, _value) \
if (_value) do_ldap_option(_option, _name, _value)
- maybe_ldap_option(LDAP_OPT_X_TLS_CACERTFILE, "cacertfile", inst->tls_cacertfile);
- maybe_ldap_option(LDAP_OPT_X_TLS_CACERTDIR, "cacertdir", inst->tls_cacertdir);
+ maybe_ldap_option(LDAP_OPT_X_TLS_CACERTFILE, "ca_file", inst->tls_ca_file);
+ maybe_ldap_option(LDAP_OPT_X_TLS_CACERTDIR, "ca_path", inst->tls_ca_path);
/*
* Set certificate options
*/
- maybe_ldap_option(LDAP_OPT_X_TLS_CERTFILE, "certfile", inst->tls_certfile);
- maybe_ldap_option(LDAP_OPT_X_TLS_KEYFILE, "keyfile", inst->tls_keyfile);
- maybe_ldap_option(LDAP_OPT_X_TLS_RANDOM_FILE, "randfile", inst->tls_randfile);
+ maybe_ldap_option(LDAP_OPT_X_TLS_CERTFILE, "certificate_file", inst->tls_certificate_file);
+ maybe_ldap_option(LDAP_OPT_X_TLS_KEYFILE, "private_key_file", inst->tls_private_key_file);
+ maybe_ldap_option(LDAP_OPT_X_TLS_RANDOM_FILE, "random_file", inst->tls_random_file);
# ifdef LDAP_OPT_X_TLS_NEVER
if (inst->tls_require_cert_str) {
- do_ldap_option(LDAP_OPT_X_TLS_REQUIRE_CERT, "tls_require_cert", &inst->tls_require_cert);
+ do_ldap_option(LDAP_OPT_X_TLS_REQUIRE_CERT, "require_cert", &inst->tls_require_cert);
}
# endif
//!< to start encrypted communications using the standard
//!< LDAP port.
- char const *tls_cacertfile; //!< Sets the full path to a CA certificate (used to validate
+ char const *tls_ca_file; //!< Sets the full path to a CA certificate (used to validate
//!< the certificate the server presents).
- char const *tls_cacertdir; //!< Sets the path to a directory containing CA certificates.
+ char const *tls_ca_path; //!< Sets the path to a directory containing CA certificates.
- char const *tls_certfile; //!< Sets the path to the public certificate file we present
+ char const *tls_certificate_file; //!< Sets the path to the public certificate file we present
//!< to the servers.
- char const *tls_keyfile; //!< Sets the path to the private key for our public
+ char const *tls_private_key_file; //!< Sets the path to the private key for our public
//!< certificate.
- char const *tls_randfile; //!< Path to the random file if /dev/random and /dev/urandom
+ char const *tls_random_file; //!< Path to the random file if /dev/random and /dev/urandom
//!< are unavailable.
char const *tls_require_cert_str; //!< Sets requirements for validating the certificate the
* TLS Configuration
*/
static CONF_PARSER tls_config[] = {
+ /*
+ * Deprecated attributes
+ */
+ {"cacertfile", PW_TYPE_FILE_INPUT | PW_TYPE_DEPRECATED, offsetof(ldap_instance_t, tls_ca_file), NULL, NULL},
+ {"cacertdir", PW_TYPE_FILE_INPUT | PW_TYPE_DEPRECATED, offsetof(ldap_instance_t, tls_ca_path), NULL, NULL},
+ {"certfile", PW_TYPE_FILE_INPUT | PW_TYPE_DEPRECATED, offsetof(ldap_instance_t, tls_certificate_file), NULL, NULL},
+ {"keyfile", PW_TYPE_FILE_INPUT | PW_TYPE_DEPRECATED, offsetof(ldap_instance_t, tls_private_key_file), NULL, NULL}, // OK if it changes on HUP
+ {"randfile", PW_TYPE_FILE_INPUT | PW_TYPE_DEPRECATED, offsetof(ldap_instance_t, tls_random_file), NULL, NULL},
+
+ /*
+ * Generic TLS attributes
+ */
+ {"ca_file", PW_TYPE_FILE_INPUT, offsetof(ldap_instance_t, tls_ca_file), NULL, NULL},
+ {"ca_path", PW_TYPE_FILE_INPUT, offsetof(ldap_instance_t, tls_ca_path), NULL, NULL},
+ {"certificate_file", PW_TYPE_FILE_INPUT, offsetof(ldap_instance_t, tls_certificate_file), NULL, NULL},
+ {"private_key_file", PW_TYPE_FILE_INPUT, offsetof(ldap_instance_t, tls_private_key_file), NULL, NULL}, // OK if it changes on HUP
+ {"random_file", PW_TYPE_FILE_INPUT, offsetof(ldap_instance_t, tls_random_file), NULL, NULL},
+
+ /*
+ * LDAP Specific TLS attributes
+ */
{"start_tls", PW_TYPE_BOOLEAN, offsetof(ldap_instance_t, start_tls), NULL, "no"},
- {"cacertfile", PW_TYPE_FILE_INPUT, offsetof(ldap_instance_t, tls_cacertfile), NULL, NULL},
- {"cacertdir", PW_TYPE_FILE_INPUT, offsetof(ldap_instance_t, tls_cacertdir), NULL, NULL},
- {"certfile", PW_TYPE_FILE_INPUT, offsetof(ldap_instance_t, tls_certfile), NULL, NULL},
- {"keyfile", PW_TYPE_FILE_INPUT, offsetof(ldap_instance_t, tls_keyfile), NULL, NULL}, // OK if it changes on HUP
- {"randfile", PW_TYPE_FILE_INPUT, offsetof(ldap_instance_t, tls_randfile), NULL, NULL},
{"require_cert", PW_TYPE_STRING_PTR, offsetof(ldap_instance_t, tls_require_cert_str), NULL, NULL},
-
+
{ NULL, -1, 0, NULL, NULL }
};
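Review bot: The deprecated and generic entries both target the same member (`tls_ca_file`, `tls_ca_path`, and so on), and the table says nothing about what happens when a configuration contains both the old and the new name, for example `cacertfile` and `ca_file`; if `PW_TYPE_DEPRECATED` makes the parser reject the item this is fine, but if it only warns, the entry parsed later silently wins. A one-line note under the `Deprecated attributes` header stating the intended behaviour, `/* These are rejected/warned by PW_TYPE_DEPRECATED; the ca_file/ca_path/... names below are authoritative */`, would settle it for the next reader. The `// OK if it changes on HUP` trailer copied onto the deprecated `keyfile` line duplicates the one on `private_key_file` and can be dropped from the deprecated entry.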
/*
* Set SSL/TLS authentication parameters
*/
- if (section->tls_certfile) {
+ if (section->tls_certificate_file) {
ret = curl_easy_setopt(candle,
CURLOPT_SSLCERT,
- section->tls_certfile);
+ section->tls_certificate_file);
if (ret != CURLE_OK) goto error;
}
- if (section->tls_keyfile) {
+ if (section->tls_private_key_file) {
ret = curl_easy_setopt(candle,
CURLOPT_SSLKEY,
- section->tls_keyfile);
+ section->tls_private_key_file);
if (ret != CURLE_OK) goto error;
}
- if (section->tls_keypassword) {
+ if (section->tls_private_key_password) {
ret = curl_easy_setopt(candle,
CURLOPT_KEYPASSWD,
- section->tls_keypassword);
+ section->tls_private_key_password);
if (ret != CURLE_OK) goto error;
}
- if (section->tls_cacertfile) {
+ if (section->tls_ca_file) {
ret = curl_easy_setopt(candle,
CURLOPT_ISSUERCERT,
- section->tls_cacertfile);
+ section->tls_ca_file);
if (ret != CURLE_OK) goto error;
}
- if (section->tls_cacertdir) {
+ if (section->tls_ca_path) {
ret = curl_easy_setopt(candle,
CURLOPT_CAPATH,
- section->tls_cacertdir);
+ section->tls_ca_path);
if (ret != CURLE_OK) goto error;
}
- if (section->tls_randfile) {
+ if (section->tls_random_file) {
ret = curl_easy_setopt(candle,
CURLOPT_RANDOM_FILE,
- section->tls_randfile);
+ section->tls_random_file);
if (ret != CURLE_OK) goto error;
}
- if (section->tls_verify_cert) {
+ if (section->tls_check_cert) {
ret = curl_easy_setopt(candle,
CURLOPT_SSL_VERIFYHOST,
- (section->tls_verify_cert_cn == true) ?
+ (section->tls_check_cert_cn == true) ?
2 : 0);
if (ret != CURLE_OK) goto error;
} else {
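Review bot: `tls_ca_file` is still passed to CURLOPT_ISSUERCERT, while the configuration comments in this same commit describe `ca_file` as the generic "Trusted Root CA list"; in libcurl CURLOPT_ISSUERCERT is an additional issuer check used alongside peer verification, not the trust store, which is CURLOPT_CAINFO. With the rename making `ca_file` mean the same thing across modules, a user who sets it here presumably expects it to be the CA bundle, so either the option should become CURLOPT_CAINFO or a comment should state that for rlm_rest the file is only an issuer pin, e.g. `/* ca_file is used as the issuer check only; the trust store is libcurl's default CA bundle */`. This is inferred from the curl option names visible in the hunk; the function continues outside it.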
http_auth_type_t auth;
int require_auth;
- char *tls_certfile;
- char *tls_keyfile;
- char *tls_keypassword;
- char *tls_cacertfile;
- char *tls_cacertdir;
- char *tls_randfile;
- int tls_verify_cert;
- int tls_verify_cert_cn;
+ char *tls_certificate_file;
+ char *tls_private_key_file;
+ char *tls_private_key_password;
+ char *tls_ca_file;
+ char *tls_ca_path;
+ char *tls_random_file;
+ int tls_check_cert;
+ int tls_check_cert_cn;
int timeout;
unsigned int chunk;
* TLS Configuration
*/
static CONF_PARSER tls_config[] = {
- { "cacertfile", PW_TYPE_FILE_INPUT,
- offsetof(rlm_rest_section_t,tls_cacertfile), NULL, NULL},
- { "cacertdir", PW_TYPE_FILE_INPUT,
- offsetof(rlm_rest_section_t,tls_cacertdir), NULL, NULL},
- { "certfile", PW_TYPE_FILE_INPUT,
- offsetof(rlm_rest_section_t,tls_certfile), NULL, NULL},
- { "keyfile", PW_TYPE_FILE_INPUT,
- offsetof(rlm_rest_section_t,tls_keyfile), NULL, NULL },
- { "keypassword", PW_TYPE_STRING_PTR,
- offsetof(rlm_rest_section_t, tls_keypassword), NULL, NULL },
- { "randfile", PW_TYPE_STRING_PTR, /* OK if it changes on HUP */
- offsetof(rlm_rest_section_t,tls_randfile), NULL, NULL },
- { "verify_cert", PW_TYPE_BOOLEAN,
- offsetof(rlm_rest_section_t, tls_verify_cert), NULL, "yes" },
- { "verify_cert_cn", PW_TYPE_BOOLEAN,
- offsetof(rlm_rest_section_t, tls_verify_cert_cn), NULL, "yes" },
+ { "ca_file", PW_TYPE_FILE_INPUT,
+ offsetof(rlm_rest_section_t,tls_ca_file), NULL, NULL},
+ { "ca_path", PW_TYPE_FILE_INPUT,
+ offsetof(rlm_rest_section_t,tls_ca_path), NULL, NULL},
+ { "certificate_file", PW_TYPE_FILE_INPUT,
+ offsetof(rlm_rest_section_t,tls_certificate_file), NULL, NULL},
+ { "private_key_file", PW_TYPE_FILE_INPUT,
+ offsetof(rlm_rest_section_t,tls_private_key_file), NULL, NULL },
+ { "private_key_password", PW_TYPE_STRING_PTR,
+ offsetof(rlm_rest_section_t, tls_private_key_password), NULL, NULL },
+ { "random_file", PW_TYPE_STRING_PTR, /* OK if it changes on HUP */
+ offsetof(rlm_rest_section_t,tls_random_file), NULL, NULL },
+ { "check_cert", PW_TYPE_BOOLEAN,
+ offsetof(rlm_rest_section_t, tls_check_cert), NULL, "yes" },
+ { "check_cert_cn", PW_TYPE_BOOLEAN,
+ offsetof(rlm_rest_section_t, tls_check_cert_cn), NULL, "yes" },
{ NULL, -1, 0, NULL, NULL }
};
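Review bot: This table renames every TLS item without a `PW_TYPE_DEPRECATED` alias, whereas the rlm_ldap table in the same commit keeps the old names as flagged deprecated entries, so an unchanged rlm_rest configuration would have its `cacertfile`, `cacertdir`, `certfile`, `keyfile`, `keypassword` and `randfile` values dropped on upgrade, as far as the hunk shows silently. The boolean renames are less risky because `check_cert` and `check_cert_cn` default to "yes", but the file items have no default, so the connection would be set up without the operator's CA or client certificate settings. Adding the same deprecated group rlm_ldap has gives a diagnostic instead.
```c
static CONF_PARSER tls_config[] = {
	/*
	 *	Deprecated attributes, kept so that PW_TYPE_DEPRECATED
	 *	flags old configurations instead of ignoring them
	 */
	{ "cacertfile", PW_TYPE_FILE_INPUT | PW_TYPE_DEPRECATED,
	  offsetof(rlm_rest_section_t,tls_ca_file), NULL, NULL},
	{ "cacertdir", PW_TYPE_FILE_INPUT | PW_TYPE_DEPRECATED,
	  offsetof(rlm_rest_section_t,tls_ca_path), NULL, NULL},
	{ "certfile", PW_TYPE_FILE_INPUT | PW_TYPE_DEPRECATED,
	  offsetof(rlm_rest_section_t,tls_certificate_file), NULL, NULL},
	{ "keyfile", PW_TYPE_FILE_INPUT | PW_TYPE_DEPRECATED,
	  offsetof(rlm_rest_section_t,tls_private_key_file), NULL, NULL },
	{ "keypassword", PW_TYPE_STRING_PTR | PW_TYPE_DEPRECATED,
	  offsetof(rlm_rest_section_t, tls_private_key_password), NULL, NULL },
	{ "randfile", PW_TYPE_STRING_PTR | PW_TYPE_DEPRECATED,
	  offsetof(rlm_rest_section_t,tls_random_file), NULL, NULL },
	{ "verify_cert", PW_TYPE_BOOLEAN | PW_TYPE_DEPRECATED,
	  offsetof(rlm_rest_section_t, tls_check_cert), NULL, NULL },
	{ "verify_cert_cn", PW_TYPE_BOOLEAN | PW_TYPE_DEPRECATED,
	  offsetof(rlm_rest_section_t, tls_check_cert_cn), NULL, NULL },
	/* … unchanged: ca_file … check_cert_cn entries and the NULL terminator … */
```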
# certificate_file = /path/filename
# Trusted Root CA list
- #CA_file = /path/filename
+ #ca_file = /path/filename
# dh_file = /path/filename
#random_file = /path/filename