For the last couple of days I’ve been struggling with FreeRADIUS. Apart from not having good documentation, being a configuration mess, and not compiling out of the box on OpenBSD, its OpenSSL CA scripts are broken.
FreeRADIUS ships a script that should help you set up your own CA for a self-signed certificate for EAP-TTLS. This script (CA.all in the scripts directory of the distribution) uses OpenSSL’s CA.pl script to do the SSL magic for you. The only problem is that the path to CA.pl is hardcoded:
SSL=/usr/local/ssl
export PATH=${SSL}/bin/:${SSL}/ssl/misc:${PATH}
...
echo "newreq.pem" | /usr/local/ssl/misc/CA.pl -newca
The hardcoded path will of course not work on OS X, FreeBSD or OpenBSD. As the good guys from FreeRADIUS do not use any type of error handling, this problem will manifest later with this error message:
Error opening CA private key ./demoCA/private/cakey.pem
1254:error:02001002:system library:fopen:No such file or directory:bss_file.c:278:fopen('./demoCA/private/cakey.pem','r')
1254:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:280:
unable to load CA private key
Took me a while to understand why the demoCA stuff was not created. The funny thing is that the path stuff would not work anyway as CA.pl is located in /usr/src/crypto/openssl/apps/ in FreeBSD and in /System/Library/OpenSSL/misc/ under OS X.
I hate developers who assume that UNIX = Linux.
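The missing lookup and error handling described above can be sketched as follows. This is an added example, not code from FreeRADIUS or OpenSSL: the function names `find_ca_pl` and `new_ca` and the `CA_PL` override variable are hypothetical, and it assumes `perl` is on the PATH and that `newreq.pem` already exists, as it does at that point in CA.all.

```sh
#!/bin/sh
# Added example: locate OpenSSL's CA.pl instead of hardcoding its path,
# and fail at the step that broke rather than several steps later.

# find_ca_pl [dir...]: print the path of the first CA.pl found.
# With no arguments it searches the three locations named in the post.
# CA_PL is a hypothetical override variable introduced for this example.
find_ca_pl() {
    if [ -n "${CA_PL:-}" ]; then
        if [ -f "$CA_PL" ]; then
            printf '%s\n' "$CA_PL"
            return 0
        fi
        echo "CA_PL is set to '$CA_PL' but no such file exists" >&2
        return 1
    fi
    [ "$#" -gt 0 ] || set -- \
        /usr/local/ssl/misc \
        /usr/src/crypto/openssl/apps \
        /System/Library/OpenSSL/misc
    for dir in "$@"; do
        if [ -f "$dir/CA.pl" ]; then
            printf '%s\n' "$dir/CA.pl"
            return 0
        fi
    done
    echo "CA.pl not found in: $*" >&2
    return 1
}

# new_ca [dir...]: run the -newca step, then confirm that the key the
# later signing steps depend on was really created.
new_ca() {
    ca_pl=$(find_ca_pl "$@") || return 1
    # Run through perl so a CA.pl without the execute bit still works.
    echo "newreq.pem" | perl "$ca_pl" -newca || {
        echo "CA.pl -newca failed" >&2
        return 1
    }
    [ -f ./demoCA/private/cakey.pem ] || {
        echo "./demoCA/private/cakey.pem was not created" >&2
        return 1
    }
}
```

Calling `new_ca || exit 1` in place of the hardcoded CA.pl line stops the script at the CA creation step with a message that names the actual cause.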
