author | Alexander Wilke <nachtfalkeaw@web.de> | 2011-12-23 16:27:28 +0000 |
---|---|---|
committer | Alexander Wilke <nachtfalkeaw@web.de> | 2011-12-23 16:27:28 +0000 |
commit | e5d1c85b5f4e79ac50fbda51850dbfcf073996a3 (patch) | |
tree | bf59412ee28d15fb4313b393d03261659912b216 | |
parent | 32fd2a716b6619debba6b6a5e5775f71b7432449 (diff) | |
Integrated pfsense Cert Manager in freeradius package (Thanks to jimp and sullrich). Now it is possible to create certificates in pfsense Cert manager and use them for freeradius.
The freeradius cert builder script is still present because freeradius needs some default ca and cert to start the service.
-rwxr-xr-x | config/freeradius2/freeradius.inc | 97 | ||||
-rw-r--r-- | config/freeradius2/freeradiuscerts.xml | 8 | ||||
-rw-r--r-- | config/freeradius2/freeradiuseapconf.xml | 73 | ||||
-rw-r--r-- | pkg_config.8.xml | 2 | ||||
-rw-r--r-- | pkg_config.8.xml.amd64 | 2 |
5 files changed, 126 insertions, 56 deletions
diff --git a/config/freeradius2/freeradius.inc b/config/freeradius2/freeradius.inc
index 5395fdd2..9409553b 100755
--- a/config/freeradius2/freeradius.inc
+++ b/config/freeradius2/freeradius.inc
@@ -393,6 +393,9 @@ function freeradius_eapconf_resync() {
 $eapconf = $config['installedpackages']['freeradiuseapconf']['config'][0];
+ // Choose pfsense Cert-Manager or freeradius Cert-Manager
+ $vareapconfchoosecertmanager = ($eapconf['vareapconfchoosecertmanager']?$eapconf['vareapconfchoosecertmanager']:'radiuscertmgr');
+ // Variables: EAP
 $vareapconfdefaulteaptype = ($eapconf['vareapconfdefaulteaptype']?$eapconf['vareapconfdefaulteaptype']:'md5');
 $vareapconftimerexpire = ($eapconf['vareapconftimerexpire']?$eapconf['vareapconftimerexpire']:'60');
@@ -401,12 +404,7 @@ function freeradius_eapconf_resync() {
 $vareapconfmaxsessions = ($eapconf['vareapconfmaxsessions']?$eapconf['vareapconfmaxsessions']:'4096');
 // Variables: EAP-TLS and EAP-TLS with OCSP support
- $vareapconfprivatekeypassword = ($eapconf['vareapconfprivatekeypassword']?$eapconf['vareapconfprivatekeypassword']:'whatever');
- $vareapconfprivatekeyfile = ($eapconf['vareapconfprivatekeyfile']?$eapconf['vareapconfprivatekeyfile']:'server.pem');
- $vareapconfcertificatefile = ($eapconf['vareapconfcertificatefile']?$eapconf['vareapconfcertificatefile']:'server.pem');
- $vareapconfcafile = ($eapconf['vareapconfcafile']?$eapconf['vareapconfcafile']:'ca.pem');
- $vareapconfdhfile = ($eapconf['vareapconfdhfile']?$eapconf['vareapconfdhfile']:'dh');
- $vareapconfrandomfile = ($eapconf['vareapconfrandomfile']?$eapconf['vareapconfrandomfile']:'random');
+ $vareapconfprivatekeypassword = ($eapconf['vareapconfprivatekeypassword']?$eapconf['vareapconfprivatekeypassword']:'');
 $vareapconfocspenable = ($eapconf['vareapconfocspenable']?$eapconf['vareapconfocspenable']:'no');
 $vareapconfocspoverridecerturl = ($eapconf['vareapconfocspoverridecerturl']?$eapconf['vareapconfocspoverridecerturl']:'no');
 $vareapconfocspurl = ($eapconf['vareapconfocspurl']?$eapconf['vareapconfocspurl']:'http://127.0.0.1/ocsp/');
@@ -420,8 +418,62 @@ function freeradius_eapconf_resync() {
 $vareapconfpeapdefaulteaptype = ($eapconf['vareapconfpeapdefaulteaptype']?$eapconf['vareapconfpeapdefaulteaptype']:'mschapv2');
 $vareapconfpeapcopyrequesttotunnel = ($eapconf['vareapconfpeapcopyrequesttotunnel']?$eapconf['vareapconfpeapcopyrequesttotunnel']:'no');
 $vareapconfpeapusetunneledreply = ($eapconf['vareapconfpeapusetunneledreply']?$eapconf['vareapconfpeapusetunneledreply']:'no');
-
-
+
+
+// The filenames of pfsense cert manager are different from freeradius cert manager so it is possible to store both in the same folder at any time.
+// This is for the pfsense cert manager
+if ($vareapconfchoosecertmanager == 'pfsensecertmgr') {
+
+ $ca_cert = lookup_ca($eapconf["ssl_ca_cert"]);
+ if ($ca_cert != false) {
+ if(base64_decode($ca_cert['prv'])) {
+ file_put_contents(RADDB . "/certs/ca_key.pem",
+ base64_decode($ca_cert['prv']));
+ $conf['ssl_ca_key'] = RADDB . '/certs/ca_key.pem';
+ }
+
+
+ if(base64_decode($ca_cert['crt'])) {
+ file_put_contents(RADDB . "/certs/ca_cert.pem",
+ base64_decode($ca_cert['crt']));
+ $conf['ssl_ca_cert'] = RADDB . "/certs/ca_cert.pem";
+ }
+
+
+ $svr_cert = lookup_cert($eapconf["ssl_server_cert"]);
+ if ($svr_cert != false) {
+ if(base64_decode($svr_cert['prv'])) {
+ file_put_contents(RADDB . "/certs/server_key.pem",
+ base64_decode($svr_cert['prv']));
+ $conf['ssl_key'] = RADDB . '/certs/server_key.pem';
+ }
+ }
+
+
+ if(base64_decode($svr_cert['crt'])) {
+ file_put_contents(RADDB . "/certs/server_cert.pem",
+ base64_decode($svr_cert['crt']));
+ $conf['ssl_server_cert'] = RADDB . "/certs/server_cert.pem";
+ }
+
+
+ $conf['ssl_cert_dir'] = RADDB . 
'/certs';
+ }
+
+ $vareapconfprivatekeyfile = 'server_key.pem';
+ $vareapconfcertificatefile = 'server_cert.pem';
+ $vareapconfcafile = 'ca_cert.pem';
+}
+
+// This is for freeradius cert manager
+if ($vareapconfchoosecertmanager == 'radiuscertmgr') {
+
+ $vareapconfprivatekeyfile = 'server.pem';
+ $vareapconfcertificatefile = 'server.pem';
+ $vareapconfcafile = 'ca.pem';
+
+}
+
 $conf .= <<<EOD
 ### EAP
@@ -450,8 +502,8 @@ function freeradius_eapconf_resync() {
 private_key_file = \${certdir}/$vareapconfprivatekeyfile
 certificate_file = \${certdir}/$vareapconfcertificatefile
 CA_file = \${cadir}/$vareapconfcafile
- dh_file = \${certdir}/$vareapconfdhfile
- random_file = \${certdir}/$vareapconfrandomfile
+ dh_file = \${certdir}/dh
+ random_file = \${certdir}/random
 # fragment_size = 1024
 # include_length = yes
 # check_crl = yes
@@ -516,6 +568,31 @@ EOD;
 restart_service('freeradius');
 }
+
+function freeradius_get_ca_certs() {
+ global $config;
+ $ca_arr = array();
+ $ca_arr[] = array('refid' => 'none', 'descr' => 'none');
+
+ foreach ($config['ca'] as $ca) {
+ $ca_arr[] = array('refid' => $ca['refid'], 'descr' => $ca['descr']);
+ }
+ return $ca_arr;
+}
+
+function freeradius_get_server_certs() {
+ global $config;
+ $cert_arr = array();
+ $cert_arr[] = array('refid' => 'none', 'descr' => 'none');
+
+ foreach ($config['cert'] as $cert) {
+ $cert_arr[] = array('refid' => $cert['refid'], 'descr' => $cert['descr']);
+ }
+ return $cert_arr;
+}
+
+
+
 function freeradius_sqlconf_resync() {
 global $config;
 $conf = '';
diff --git a/config/freeradius2/freeradiuscerts.xml b/config/freeradius2/freeradiuscerts.xml
index a0b4ac0f..9cdf656a 100644
--- a/config/freeradius2/freeradiuscerts.xml
+++ b/config/freeradius2/freeradiuscerts.xml
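Review bot: The pfsensecertmgr branch exports the CA's private key to `RADDB . "/certs/ca_key.pem"` next to the server key, and both files are written with `file_put_contents` under whatever umask the resync happens to run with; nothing in the generated configuration refers to ca_key.pem (only `$vareapconfcafile = 'ca_cert.pem'` is used), EAP-TLS needs just the CA certificate to validate peers, so the CA key should stay in config.xml, and the server key should get `chmod(RADDB . "/certs/server_key.pem", 0600);` after it is written (assuming radiusd runs as the file's owner). The `$conf['ssl_ca_key']`, `$conf['ssl_ca_cert']`, `$conf['ssl_key']`, `$conf['ssl_server_cert']` and `$conf['ssl_cert_dir']` assignments look copied from another package: `$conf` is appended to as a string (`$conf .= <<<EOD`) later in this same hunk, so on a string those array-style writes either raise an illegal-offset warning or, if `$conf` is still empty at this point under PHP 5, silently turn it into an array so the heredoc is appended to the text `Array`. The server-certificate lookup is also nested inside `if ($ca_cert != false)` while its `crt` check sits outside `if ($svr_cert != false)`, so a missing CA skips the server certificate entirely and a missing server certificate indexes into `false`. The rewrite below flattens the nesting, drops the CA-key export and the `$conf[...]` writes, and restricts the key file's mode; freeradius_eapconf_resync begins and ends outside this hunk.
```php
// This is for the pfsense cert manager
if ($vareapconfchoosecertmanager == 'pfsensecertmgr') {
    // Only the CA *certificate* is needed to validate EAP-TLS clients; the CA
    // private key stays in config.xml and is never copied into the certs dir.
    $ca_cert = lookup_ca($eapconf["ssl_ca_cert"]);
    if ($ca_cert != false && base64_decode($ca_cert['crt'])) {
        file_put_contents(RADDB . "/certs/ca_cert.pem", base64_decode($ca_cert['crt']));
    }

    // Server cert handling no longer depends on the CA lookup succeeding.
    $svr_cert = lookup_cert($eapconf["ssl_server_cert"]);
    if ($svr_cert != false) {
        if (base64_decode($svr_cert['prv'])) {
            file_put_contents(RADDB . "/certs/server_key.pem", base64_decode($svr_cert['prv']));
            // Key material must not be world-readable (assumes radiusd runs as the file owner).
            chmod(RADDB . "/certs/server_key.pem", 0600);
        }
        if (base64_decode($svr_cert['crt'])) {
            file_put_contents(RADDB . "/certs/server_cert.pem", base64_decode($svr_cert['crt']));
        }
    }

    $vareapconfprivatekeyfile = 'server_key.pem';
    $vareapconfcertificatefile = 'server_cert.pem';
    $vareapconfcafile = 'ca_cert.pem';
}
// … unchanged: radiuscertmgr branch and the $conf .= <<<EOD block …
```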
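Review bot: `foreach ($config['ca'] as $ca)` in freeradius_get_ca_certs and `foreach ($config['cert'] as $cert)` in freeradius_get_server_certs iterate the raw config arrays without checking that they exist, so on a system where no CA or no certificate has been created yet (the state a first-time user of this option is likely in, if those keys are then absent from `$config`) the select_source callback emits an undefined-index notice and "Invalid argument supplied for foreach()" into the GUI page; guard each loop, e.g. `foreach ((array)$config['ca'] as $ca) {` and `foreach ((array)$config['cert'] as $cert) {`. The `'refid' => 'none'` placeholder is handed unchanged to `lookup_ca()`/`lookup_cert()` when selected, and the resync branch in the hunk above relies on those returning false for it, which deserves a one-line comment above each placeholder, e.g. `// 'none' is a sentinel: lookup_ca()/lookup_cert() return false for it, so no file is written`. Both helpers are otherwise identical apart from the config key and the array name; a single private helper taking the key would avoid the duplication.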
@@ -98,7 +98,7 @@
 <b>Important:</b><br>
 If you like to use certs created on another PC just disable this and click save.]]></description>
 <type>select</type>
- <default_value>yes</default_value>
+ <default_value>no</default_value>
 <options>
 <option><name>Yes</name><value>yes</value></option>
 <option><name>No</name><value>no</value></option>
@@ -113,7 +113,7 @@ This page uses the freeradius2 built-in script called "bootstrap" to create CA and certs. The disatvantage of this script is that nothing of your changes will be saved in the global config.xml file. So after a systemcrash or reinstallation of freeradius2 package all your CA and certs will be lost. If you have a backup of all these files on an USB stick or another server than you can copy them back in the freeradius certs folder.<br><br>
- <b>The better way is to use the pfsense built-in Cert Manager (SYSTEM-> Cert Manager).</b> The CA-Cert and Server-Cert you created there you just have to copy to the freeradius certs folder and pointing to these certs in eap.
+ <b>The better way is to use the pfsense built-in Cert Manager (SYSTEM-> Cert Manager).</b> The CA-Cert and Server-Cert you created there you just have to choose in EAP.
 The advantage of this is that all your CA and certs will be saved in global config.xml and can be restored.]]></description>
 <type>input</type>
 <required/>
@@ -247,7 +247,7 @@
 <b>Limitations:</b><br>
- There is no CRL at the moment. Deleting of existing certs from the database (../certs/index.txt) isn't possible from GUI.<br>
+ There is no CRL. Deleting of existing certs from the database (../certs/index.txt) isn't possible from GUI.<br>
 If you choose a Common Name which already exists in the database (check view config) the .crt will be zero bytes.<br>
 Choose other Common Name and create a new Client-Cert.
 ]]></description>
@@ -275,8 +275,10 @@
 </fields>
 <custom_delete_php_command>
 freeradius_allcertcnf_resync();
+ freeradius_eapconf_resync();
 </custom_delete_php_command>
 <custom_php_resync_config_command>
 freeradius_allcertcnf_resync();
+ freeradius_eapconf_resync();
 </custom_php_resync_config_command>
 </packagegui>
\ No newline at end of file
diff --git a/config/freeradius2/freeradiuseapconf.xml b/config/freeradius2/freeradiuseapconf.xml
index 40b161f8..495a61ee 100644
--- a/config/freeradius2/freeradiuseapconf.xml
+++ b/config/freeradius2/freeradiuseapconf.xml
@@ -143,53 +143,44 @@
 <type>listtopic</type>
 </field>
 <field>
- <fielddescr>Private Key Password</fielddescr>
- <fieldname>vareapconfprivatekeypassword</fieldname>
- <description><![CDATA[Enter the password of the private key. This is the password which you have to choose in "Certificates" tab.<br>
- This field could be empty. (Default: whatever)]]></description>
- <type>password</type>
- <default_value>whatever</default_value>
- </field>
- <field>
- <fielddescr>Server Private Key File</fielddescr>
- <fieldname>vareapconfprivatekeyfile</fieldname>
- <description><![CDATA[Enter the filename of the private key file. The file <b>must</b> be in /usr/local/etc/raddb/certs/ (Default: server.pem)<br>
- <b>TIP:</b> You could use "SYSTEM-> Cert Manager" instead of the freeradius Cert script.<br>
- You just have to export it there and copy it in the freeradius certs folder.]]></description>
- <type>input</type>
- <default_value>server.pem</default_value>
- </field>
- <field>
- <fielddescr>Server Certificate File</fielddescr>
- <fieldname>vareapconfcertificatefile</fieldname>
- <description><![CDATA[Enter the filename of the server certificate file. The file <b>must</b> be in /usr/local/etc/raddb/certs/ (Default: server.pem)<br>
- <b>TIP:</b> You could use "SYSTEM-> Cert Manager" instead of the freeradius Cert script.<br>
- You just have to export it there and copy it in the freeradius certs folder.]]></description>
- <type>input</type>
- <default_value>server.pem</default_value>
+ <fielddescr>Choose your Cert Manager</fielddescr>
+ <fieldname>vareapconfchoosecertmanager</fieldname>
+ <description><![CDATA[Choose your Cert manager. By default it is the freeradius cert manager because the server needs some default certs to start service. For more information take al look at "Certificates"-Tab.<br>
+ To use the pfsense Cert Manager you have to create a CA and an Server Certificate first. (SYSTEM -> Cert Manager). 
(Default: freeRADIUS)]]></description>
+ <type>select</type>
+ <default_value>radiuscertmgr</default_value>
+ <options>
+ <option><name>freeRADIUS Cert Manager (not recommended)</name><value>radiuscertmgr</value></option>
+ <option><name>pfSense Cert Manager (recommended)</name><value>pfsensecertmgr</value></option>
+ </options>
 </field>
 <field>
- <fielddescr>CA File</fielddescr>
- <fieldname>vareapconfcafile</fieldname>
- <description><![CDATA[Enter the filename of the CA file. The file <b>must</b> be in /usr/local/etc/raddb/certs/ (Default: server.pem)<br>
- <b>TIP:</b> You could use "SYSTEM-> Cert Manager" instead of the freeradius Cert script.<br>
- You just have to export it there and copy it in the freeradius certs folder.]]></description>
- <type>input</type>
- <default_value>ca.pem</default_value>
+ <fielddescr>SSL CA Certificate</fielddescr>
+ <fieldname>ssl_ca_cert</fieldname>
+ <description><![CDATA[Choose the SSL CA Certficate here which you created with the pfSense Cert Manager.<br>
+ Choose "none" if you do not use any kind of certificates or the freeradius Cert Manager. (Default: none)]]></description>
+ <type>select_source</type>
+ <source><![CDATA[freeradius_get_ca_certs()]]></source>
+ <source_name>descr</source_name>
+ <source_value>refid</source_value>
 </field>
 <field>
- <fielddescr>DH File</fielddescr>
- <fieldname>vareapconfdhfile</fieldname>
- <description><![CDATA[Enter the filename of the DH file. The file <b>must</b> be in /usr/local/etc/raddb/certs/ (Default: dh)]]></description>
- <type>input</type>
- <default_value>dh</default_value>
+ <fielddescr>SSL Server Certificate</fielddescr>
+ <fieldname>ssl_server_cert</fieldname>
+ <description><![CDATA[Choose the SSL Server Certficate here which you created with the pfSense Cert Manager.<br>
+ Choose "none" if you do not use any kind of certificates or the freeradius Cert Manager. 
(Default: none)]]></description>
+ <type>select_source</type>
+ <source><![CDATA[freeradius_get_server_certs()]]></source>
+ <source_name>descr</source_name>
+ <source_value>refid</source_value>
 </field>
 <field>
- <fielddescr>Random File</fielddescr>
- <fieldname>vareapconfrandomfile</fieldname>
- <description><![CDATA[Enter the filename of the random file. The file <b>must</b> be in /usr/local/etc/raddb/certs/ (Default: random)]]></description>
- <type>input</type>
- <default_value>random</default_value>
+ <fielddescr>Private Key Password</fielddescr>
+ <fieldname>vareapconfprivatekeypassword</fieldname>
+ <description><![CDATA[By default the certificates created by freeradius are protected with an "input/ouput" password from reaading the certificate.<b>
+ The certificates created by pfSense Cert Manager are not protected so you must leave this field empty. (Default: whatever)]]></description>
+ <type>password</type>
+ <default_value>whatever</default_value>
 </field>
 <field>
 <name>EAP-TLS with OCSP support</name>
diff --git a/pkg_config.8.xml b/pkg_config.8.xml
index 520df97f..44d5f17c 100644
--- a/pkg_config.8.xml
+++ b/pkg_config.8.xml
@@ -764,7 +764,7 @@
 Do not use together with freeradius package. Both are using the same XML files.]]></descr>
 <pkginfolink>http://forum.pfsense.org/index.php/topic,43675.0.html</pkginfolink>
 <category>System</category>
- <version>2.1.12 pkg v1.3.5</version>
+ <version>2.1.12 pkg v1.3.666666</version>
 <status>BETA</status>
 <required_version>2.0</required_version>
 <maintainer>Nachtfalke</maintainer>
diff --git a/pkg_config.8.xml.amd64 b/pkg_config.8.xml.amd64
index d49c9bb3..197c2a17 100644
--- a/pkg_config.8.xml.amd64
+++ b/pkg_config.8.xml.amd64
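Review bot: The re-added "Private Key Password" field still carries `<default_value>whatever</default_value>` although its new description tells users the field must be left empty for pfSense-managed certificates, and the freeradius.inc hunk in this commit changes the code fallback for `vareapconfprivatekeypassword` to an empty string; a user who switches to pfsensecertmgr without clearing the field therefore presumably ends up with `whatever` configured as the password for an unencrypted key (whether FreeRADIUS tolerates that is not visible here). Make the GUI default agree with the code default, `<default_value></default_value>`, and have the description state which value matches the freeRADIUS bootstrap certificates rather than shipping a default that must be deleted. The `<b>` after `reaading the certificate.` in that description is never closed and reads like a mistyped `<br>`; the new descriptions also contain `Certficate`, `reaading`, `ouput`, `al look` and `an Server`.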
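Review bot: `<version>2.1.12 pkg v1.3.666666</version>` in pkg_config.8.xml disagrees with the `2.1.12 pkg v1.3.6` written to pkg_config.8.xml.amd64 in the same commit; the i386 value looks like a slipped keypress and should read `<version>2.1.12 pkg v1.3.6</version>` so both architectures advertise the same package version and upgrade checks behave identically.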
@@ -806,7 +806,7 @@
 Do not use together with freeradius package. Both are using the same XML files.]]></descr>
 <pkginfolink>http://forum.pfsense.org/index.php/topic,43675.0.html</pkginfolink>
 <category>System</category>
- <version>2.1.12 pkg v1.3.5</version>
+ <version>2.1.12 pkg v1.3.6</version>
 <status>BETA</status>
 <required_version>2.0</required_version>
 <maintainer>Nachtfalke</maintainer> |