moonshot-gss-eap-1.0.1-1.el6 causes RADIUS TLS error and SSH segv
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Project Moonshot | New | High | Dan Breslau |
Bug Description
When using moonshot-
When used with the newest moonshot-ui package (see Bug 1709316) in a mode that uses .gss_eap_id, RADIUS reports a TLS failure:
eap_ttls: ERROR: TLS Alert read:fatal:unknown CA
eap_ttls: ERROR: TLS_accept: Failed in SSLv3 read client certificate A
eap_ttls: ERROR: Failed in __FUNCTION__ (SSL_read)
eap_ttls: ERROR: error:14094418:SSL routines:
eap_ttls: ERROR: error:140940E5:SSL routines:
eap_ttls: ERROR: System call (I/O) error (-1)
eap_ttls: ERROR: TLS receive handshake failed during operation
eap_ttls: ERROR: [eaptls process] = fail
eap: ERROR Failed continuing EAP TTLS (21) session. EAP sub-module failed
When I downgrade to 0.9.5-1, the problem goes away. If there is TLS functionality that attempts to get trust anchors (and fails), perhaps we should update the .gss_eap_id functionality to add a third line that allows a trust anchor?
Additionally, when I downgrade moonshot-ui to avoid Bug 1709316, the moonshot-gss-eap package appears to cause a segv in the ssh process during a call like this:
ssh -Kv <email address hidden>
:
:
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
Segmentation fault (core dumped)
This does not happen when I downgrade to 0.9.5-1.
A virtual machine (Virtual Box 5.1) can be provided that demonstrates this issue.
Stefan, thanks for the bug report. I'll get Dan to look at this after he finishes with Bug 1709316.
Before that, however, I'm a little confused by your statements here:
> Additionally, when I downgrade moonshot-ui to avoid Bug 1709316
[snip!]
> This does not happen when I downgrade to 0.9.5-1.
It seems like you're saying that the segmentation fault both does and doesn't happen at 0.9.5-1. Could you help me understand what the environment is when you see the bug?