OPNsense Forum

Archive => 21.7 Legacy Series => Topic started by: Ralf_s on July 29, 2021, 04:48:45 pm

Title: After Upgrade to 21.7 - freeradius fail to start
Post by: Ralf_s on July 29, 2021, 04:48:45 pm
Hi,

the freeradius wouldn't start with the error message:

Error: /usr/local/etc/raddb/mods-enabled/pap[13]: Failed to link to module 'rlm_pap': Cannot open "/usr/local/lib/freeradius-3*/rlm_pap.so"

Could you please help?

best regards,

Ralf
Title: Re: After Upgrade to 21.7 - freeradius fail to start
Post by: franco on July 30, 2021, 12:38:43 pm
I think the latest FreeRADIUS does not like LibreSSL anymore. Switching to OpenSSL should fix this.


Cheers,
Franco
Title: Re: After Upgrade to 21.7 - freeradius fail to start
Post by: Ralf_s on July 30, 2021, 01:08:05 pm
switching to OpenSSL - reboot - freeradius is working again. TOP!!!

many thanks,

Ralf
Title: Re: After Upgrade to 21.7 - freeradius fail to start
Post by: franco on July 30, 2021, 01:28:39 pm
Hi Ralf,

Glad to hear :)

I'll be watching for changes there. It's a bit unusual because previously it has always played nice with LibreSSL except for some compile errors.


Cheers,
Franco
Title: Re: After Upgrade to 21.7 - freeradius fail to start
Post by: Christian on August 23, 2021, 07:51:12 pm
Hi Franco,

just to confirm that this is not a one-off: I am seeing the same error as Ralf (I also saw it with 21.7 as documented here: https://forum.opnsense.org/index.php?PHPSESSID=mqo6ikmrudta2di05im45v616g&topic=23556.msg112148#msg112148).

I can also confirm that switching from LibreSSL to OpenSSL is a working workaround ;). So it looks as if the LibreSSL-build of the freeradius3 package is broken.

Cheers
Christian
Title: Re: After Upgrade to 21.7 - freeradius fail to start
Post by: tom.goes.open on August 31, 2021, 09:23:07 am
Hi,

as there have been lots of problems using LibreSSL in the past months (OpenVPN, CertManager/PHP, FreeRADIUS), do you recommend changing to OpenSSL in general?

Thanks.
Title: Re: After Upgrade to 21.7 - freeradius fail to start
Post by: franco on August 31, 2021, 10:25:43 am
It's never been much different to be honest. We recommend upstream projects to support LibreSSL proper, but if they don't this is always going to happen.

In the grand scheme of things LibreSSL popularity slowly declined over the past couple of years and we don't have it in the business edition to avoid such unfortunate (but avoidable) issues by using OpenSSL.

The slow adaptation of CMS and TLS 1.3 probably plays a role here, coupled with the release cycle and ABI breakage that only fits the OpenBSD release cycle.

Don't get me wrong. I'm a huge fan of the LibreSSL effort and we have been helping with FreeBSD ports integration and patching since 2015. This is just my personal observation of the topic.


Cheers,
Franco
Title: Re: After Upgrade to 21.7 - freeradius fail to start
Post by: fabian on September 01, 2021, 09:48:24 pm
The nginx plugin also has some small issues when it runs on LibreSSL.

Handshakes: Curves are missing (defined variables are not filled with values)
General: TLS 1.3 support

So I guess that even if such major software struggles with LibreSSL, then the support in smaller projects is even worse.

http://nginx.org/en/docs/http/ngx_http_ssl_module.html#variables

For example, $ssl_curves is, as far as I know, only supported by OpenSSL, while $ssl_ciphers is supported by both of them. Those variables are used to build the browser fingerprint together with the UA.