ministryofjustice / network-access-control-server

FreeRadius server for the 802.1x Network Access Control Service
MIT License

🔐 Openssl upgrade v1.1.1 -> v3 #168

Closed Gary-H9 closed 1 year ago

Gary-H9 commented 1 year ago

As per this PR Alpine should be upgraded to v3.17.

OpenSSL v3 is now default in this version so that forces us to upgrade OpenSSL at some point. OpenSSL v1 will officially become EOL on 11th September 2023. - EOL

Continuing to use openssl v1.1 is an option but not really one we should pursue.

tomwells98 commented 1 year ago

Revisit in one month

jennycasanova commented 1 year ago

Dependent on 3radious before we can look at this upgrade

tomwells98 commented 1 year ago

Need to upgrade Alpine to 3.18

tomwells98 commented 1 year ago

upgrading openssl v1 to v3 network-access-control-integration-tests/66 https://app.zenhub.com/workspaces/nvvs-devops-622a0b371800e400133bb924/issues/gh/ministryofjustice/network-access-control-integration-tests/66

Summary

The repository responsible for the testing of the NACL server and admin server, network-access-control-integration-tests, has been updated on this branch:

https://github.com/ministryofjustice/network-access-control-integration-tests/tree/feature/168-upgrade-openssl

Three docker files now specify versions of Alpine in which the default OpenSSL version is 3.0.10

See diff https://github.com/ministryofjustice/network-access-control-integration-tests/compare/main...feature/168-upgrade-openssl

This tests the changes in network-access-control-server in which the Alpine version and OpenSSL version have been updated (see diff: https://github.com/ministryofjustice/network-access-control-server/compare/main...feature/168-upgrade-openssl-v1-to-v3), which resulted in some failures. Members of the team had different results initially.

I've run tests with various combinations and have discovered that the tests fail when the certgenerator container is updated.

If that container is running OpenSSL (and the older software), the tests are passing with the new changes elsewhere. If it's updated from alpine:3.16.4 to alpine:3.17.5, which uses OpenSSL 3, then the tests fail with the current main branch or the updated ones.

| Repo | Branch | Combination 1 | Combination 1-b | Combination 2 | Combination 3 | Combination 4 | Combination 5 |
|---|---|---|---|---|---|---|---|
| network-access-control-integration-tests | main | feature/168-upgrade-openssl | feature/168-upgrade-openssl (update tests docker) | main | feature/168-upgrade-openssl | main (update tests docker) | main (update nginx docker) |
| network-access-control-server | main | feature/168-upgrade-openssl-v1-to-v3 | feature/168-upgrade-openssl-v1-to-v3 | feature/168-upgrade-openssl-v1-to-v3 | main | main | main |
| network-access-control-admin | main | main | main | main | main | main | main |
| TEST RESULT | Pass | 19 examples, 1 failures | 19 examples, 10 failures | 19 examples, 0 failures | 19 examples, 0 failures | 19 examples, 10 failures | 19 examples, 0 failures |
| TEST RESULT | | 19 examples, 0 failures | 19 examples, 0 failures | 19 examples, 0 failures | 19 examples, 0 failures | 19 examples, 0 failures | 19 examples, 0 failures |
Failures. Failed examples:

rspec /spec/eap_spec.rb:8 # Network Access Control Authentication Methods EAP Authenticates EAP-TLS

rspec /spec/eap_spec.rb:13 # Network Access Control Authentication Methods EAP Authenticates EAP-TTLS and EAP-TLS as the inner authentication_method

rspec /spec/eap_spec.rb:43 # Network Access Control Authentication Methods RADSEC Establishes a RADSEC tunnel and does the authentication

rspec /spec/eap_spec.rb:48 # Network Access Control Authentication Methods RADSEC Authenticates EAP-TLS

rspec /spec/eap_spec.rb:53 # Network Access Control Authentication Methods RADSEC Authenticates EAP-TTLS and EAP-TLS as the inner authentication_method

rspec /spec/policy_engine_spec.rb:16 # Network Access Control Policy Engine Gets a Fallback policy, when non fallback policy contains no rules to match the request

rspec /spec/policy_engine_spec.rb:27 # Network Access Control Policy Engine returns different responses for different device types expressed in the TLS-Client-Cert-Subject-Alt-Name-Dns field

rspec /spec/policy_engine_spec.rb:43 # Network Access Control Policy Engine returns a policy match based on the TLS-Cert-Issuer attribute

rspec /spec/policy_engine_spec.rb:56 # Network Access Control Policy Engine Prioritises policies

rspec /spec/policy_engine_spec.rb:77 # Network Access Control Policy Engine supports "contains" syntax

rspec /spec/eap_spec.rb:8 # Network Access Control Authentication Methods EAP Authenticates EAP-TLS

I isolated this one in order to compare the output against the output of a correct one (I had to invert the passing test to get the output.)

Snippet of failing test that differs

    +RADIUS packet matching with station
    +decapsulated EAP packet (code=1 id=123 len=6) from RADIUS server: EAP-Request-TLS (13)
    +EAPOL: Received EAP-Packet frame
    +EAPOL: SUPP_BE entering state REQUEST
    +EAPOL: getSuppRsp
    +EAP: EAP entering state RECEIVED
    +EAP: Received EAP-Request id=123 method=13 vendor=0 vendorMethod=0
    +EAP: EAP entering state METHOD
    +SSL: Received packet(len=6) - Flags 0x00
    +SSL: 49 bytes left to be sent out (of total 2845 bytes)
    +EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL eapRespData=0x7efe1892adb0
    +EAP: EAP entering state SEND_RESPONSE
    +EAP: EAP entering state IDLE
    +EAPOL: SUPP_BE entering state RESPONSE
    +EAPOL: txSuppRsp
    +WPA: eapol_test_eapol_send(type=0 len=55)
    +TX EAP -> RADIUS - hexdump(len=55): 02 7b 00 37 0d 00 03 00 01 01 16 03 03 00 28 ab 1e 19 fb ba a5 c8 24 62 37 94 90 b5 23 2a d4 d9 ba 60 23 5b 3b fa 0b 00 f3 68 66 b5 fe 22 55 4e 7b bf a9 d6 a3 6d f6

Equivalent in passing test

    +RADIUS packet matching with station
    +decapsulated EAP packet (code=1 id=113 len=61) from RADIUS server: EAP-Request-TLS (13)
    +EAPOL: Received EAP-Packet frame
    +EAPOL: SUPP_BE entering state REQUEST
    +EAPOL: getSuppRsp
    +EAP: EAP entering state RECEIVED
    +EAP: Received EAP-Request id=113 method=13 vendor=0 vendorMethod=0
    +EAP: EAP entering state METHOD
    +SSL: Received packet(len=61) - Flags 0x80
    +SSL: TLS Message Length: 51
    +OpenSSL: RX ver=0x303 content_type=256 (TLS header info/)
    +OpenSSL: Message - hexdump(len=5): 14 03 03 00 01
    +SSL: (where=0x1001 ret=0x1)
    +SSL: SSL_connect:SSLv3/TLS write finished
    +OpenSSL: RX ver=0x303 content_type=256 (TLS header info/)
    +OpenSSL: Message - hexdump(len=5): 16 03 03 00 28
    +SSL: (where=0x1001 ret=0x1)
    +SSL: SSL_connect:SSLv3/TLS read change cipher spec
    +OpenSSL: RX ver=0x303 content_type=22 (handshake/finished)
    +OpenSSL: Message - hexdump(len=16): 14 00 00 0c 9b 0e 03 36 9b 75 2b f5 7b 07 55 3f
    +SSL: (where=0x1001 ret=0x1)
    +SSL: SSL_connect:SSLv3/TLS read finished
    +SSL: (where=0x20 ret=0x1)
    +SSL: (where=0x1002 ret=0x1)
    +SSL: 0 bytes pending from ssl_out
    +OpenSSL: Handshake finished - resumed=0
    +SSL: No Application Data included
    +SSL: Using TLS version TLSv1.2
    +SSL: No data to be sent out
    +EAP-TLS: Done
    +EAP-TLS: Derived key - hexdump(len=64): 50 7d f2 ff 2c f0 4b 02 4e af 31 17 da c2 0a 5a 66 37 0a 8b f5 0f 1a dd 7e 34 9b 15 fe f9 d8 4c a1 57 58 ea af d5 ac ab 23 f0 ae 31 91 fd eb 43 f9 55 cb 22 de a8 1c 06 01 8f e6 90 fa 72 0d f4
    +EAP-TLS: Derived EMSK - hexdump(len=64): d8 1c be ee 00 45 f0 fb d3 b0 b9 01 33 d9 e9 9e c4 30 8f 81 9e 47 aa b7 67 5b 0c 24 4f 75 c1 c3 da c4 7b f5 c7 c1 de dd cf c4 bd cd 67 3f 87 f0 ea 3d 28 f9 c4 2d 53 dc 3c dd 59 0a 44 fe 8c cb
    +EAP-TLS: Derived Session-Id - hexdump(len=65): 0d e9 8f 42 51 e0 2f 00 09 bf 04 13 c9 26 8c e9 38 1b 33 a9 69 6a 55 3b b4 d7 74 54 2c 14 a2 7a e3 9f 09 3d 2c 40 3c ea c0 c9 e8 f1 19 4e 89 ac 01 d4 6c d7 58 14 ad 44 f0 7c c6 26 3e a2 0d 5e c4
    +SSL: Building ACK (type=13 id=113 ver=0)
    +EAP: method process -> ignore=FALSE methodState=DONE decision=UNCOND_SUCC eapRespData=0x7efe48ef9f80
    +EAP: Session-Id - hexdump(len=65): 0d e9 8f 42 51 e0 2f 00 09 bf 04 13 c9 26 8c e9 38 1b 33 a9 69 6a 55 3b b4 d7 74 54 2c 14 a2 7a e3 9f 09 3d 2c 40 3c ea c0 c9 e8 f1 19 4e 89 ac 01 d4 6c d7 58 14 ad 44 f0 7c c6 26 3e a2 0d 5e c4
    +EAP: EAP entering state SEND_RESPONSE
    +EAP: EAP entering state IDLE
    +EAPOL: SUPP_BE entering state RESPONSE
    +EAPOL: txSuppRsp
    +WPA: eapol_test_eapol_send(type=0 len=6)
    +TX EAP -> RADIUS - hexdump(len=6): 02 71 00 06 0d 00
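The comparison above was done by eye. As an added example (editor's code, not part of the ministryofjustice repositories or of the comment it follows), the script below does the same job mechanically for eapol_test debug output: it masks run-specific values (EAP identifiers, heap addresses) to find the first line where two traces diverge, and it decodes the last `TX EAP -> RADIUS` hexdump using the EAP header layout (code, identifier, length, type) and the EAP-TLS flags byte from RFC 5216 (L=0x80 length included, M=0x40 more fragments, S=0x20 start). The embedded traces are trimmed copies of the two snippets in this comment; the only thing the script assumes beyond that is the eapol_test line format shown there. Run against them, it reports that the failing supplicant's last packet is a 55-byte EAP Response carrying the final 49 bytes of its 2845-byte flight (4 continuation bytes from a record split across fragments, then one complete 40-byte handshake record) with the method decision still FAIL, whereas the passing supplicant's last packet is a 6-byte EAP-TLS ACK sent after UNCOND_SUCC.

```python
# Added example (not ministryofjustice code): decode eapol_test debug traces to
# see where an EAP-TLS exchange stops. Traces are trimmed copies from issue #168.
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_TLS = 13
FLAG_L = 0x80  # RFC 5216 EAP-TLS flags: L=0x80 length included, M=0x40 more, S=0x20 start
TLS_CONTENT = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}

FAILING_TRACE = """\
+decapsulated EAP packet (code=1 id=123 len=6) from RADIUS server: EAP-Request-TLS (13)
+EAP: Received EAP-Request id=123 method=13 vendor=0 vendorMethod=0
+SSL: Received packet(len=6) - Flags 0x00
+SSL: 49 bytes left to be sent out (of total 2845 bytes)
+EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL eapRespData=0x7efe1892adb0
+TX EAP -> RADIUS - hexdump(len=55): 02 7b 00 37 0d 00 03 00 01 01 16 03 03 00 28 ab 1e 19 fb ba a5 c8 24 62 37 94 90 b5 23 2a d4 d9 ba 60 23 5b 3b fa 0b 00 f3 68 66 b5 fe 22 55 4e 7b bf a9 d6 a3 6d f6
"""
PASSING_TRACE = """\
+decapsulated EAP packet (code=1 id=113 len=61) from RADIUS server: EAP-Request-TLS (13)
+EAP: Received EAP-Request id=113 method=13 vendor=0 vendorMethod=0
+SSL: Received packet(len=61) - Flags 0x80
+SSL: SSL_connect:SSLv3/TLS read finished
+EAP: method process -> ignore=FALSE methodState=DONE decision=UNCOND_SUCC eapRespData=0x7efe48ef9f80
+TX EAP -> RADIUS - hexdump(len=6): 02 71 00 06 0d 00
"""


@dataclass
class EapTlsPacket:
    code: int
    identifier: int
    length: int
    flags: int
    tls_length: Optional[int]  # only carried on the wire when the L flag is set
    payload: bytes

    @property
    def is_ack(self) -> bool:
        # EAP-TLS ACK: type 13 with no flags and no data (RFC 5216 section 2.1.5)
        return self.flags == 0 and not self.payload


def parse_hexdump(line: str) -> bytes:
    """Bytes of an eapol_test 'hexdump(len=N): xx xx ...' line, checked against N."""
    m = re.search(r"hexdump\(len=(\d+)\): ((?:[0-9a-f]{2} ?)+)", line)
    if not m:
        raise ValueError("no hexdump on line: %r" % line)
    data = bytes.fromhex(m.group(2).replace(" ", ""))
    if len(data) != int(m.group(1)):
        raise ValueError("hexdump length mismatch")
    return data


def decode_eap_tls(data: bytes) -> EapTlsPacket:
    """EAP header (code, id, length, type) plus the EAP-TLS flags byte and payload."""
    if len(data) < 6 or int.from_bytes(data[2:4], "big") != len(data):
        raise ValueError("bad EAP length for %d bytes on the wire" % len(data))
    if data[4] != EAP_TYPE_TLS:
        raise ValueError("EAP type %d is not EAP-TLS" % data[4])
    flags, body, tls_length = data[5], data[6:], None
    if flags & FLAG_L:  # a 4-byte total TLS message length precedes the data
        tls_length, body = int.from_bytes(body[:4], "big"), body[4:]
    return EapTlsPacket(data[0], data[1], len(data), flags, tls_length, body)


def tls_records(payload: bytes) -> Tuple[int, List[Tuple[str, int, bool]]]:
    """Walk TLS record headers in one fragment. EAP-TLS splits a flight at arbitrary
    byte boundaries, so a later fragment may open with the tail of an earlier record;
    those bytes are counted as continuation bytes rather than decoded as records."""
    records, skipped, i = [], 0, 0
    while i < len(payload):
        if (i + 5 <= len(payload) and payload[i] in TLS_CONTENT
                and payload[i + 1] == 3 and payload[i + 2] <= 4):
            length = int.from_bytes(payload[i + 3:i + 5], "big")
            body = payload[i + 5:i + 5 + length]
            records.append((TLS_CONTENT[payload[i]], length, len(body) == length))
            i += 5 + length
        else:
            skipped, i = skipped + 1, i + 1
    return skipped, records


def normalise(line: str) -> str:
    """Mask values that legitimately differ between runs (EAP ids, heap addresses)."""
    return re.sub(r"0x[0-9a-f]{6,}", "0xADDR", re.sub(r"\bid=\d+", "id=N", line))


def first_divergence(fail: str, ok: str) -> Optional[Tuple[int, str, str]]:
    pairs = enumerate(zip(fail.strip().splitlines(), ok.strip().splitlines()))
    return next(((i, a, b) for i, (a, b) in pairs if normalise(a) != normalise(b)), None)


def report(trace: str) -> dict:
    """Last EAP decision in the trace plus a decode of the last packet the supplicant sent."""
    tx = [ln for ln in trace.splitlines() if "TX EAP -> RADIUS" in ln][-1]
    pkt = decode_eap_tls(parse_hexdump(tx))
    skipped, records = tls_records(pkt.payload)
    decisions = re.findall(r"decision=(\w+)", trace)
    return {"decision": decisions[-1] if decisions else None, "code": EAP_CODES.get(pkt.code, "?"),
            "id": pkt.identifier, "ack": pkt.is_ack, "continuation_bytes": skipped, "records": records}


if __name__ == "__main__":
    print("first divergence:", first_divergence(FAILING_TRACE, PASSING_TRACE))
    for name, trace in (("failing", FAILING_TRACE), ("passing", PASSING_TRACE)):
        print(name, report(trace))
```

To use it on a real run, replace the two embedded strings with the full `eapol_test -d` output of a failing and a passing test; the first divergence points at the packet to look at, and `report` tells you whether the supplicant stopped mid-flight or had already reached an ACK.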

smjmoj commented 1 year ago

Updated the integration test to use Alpine 3.18 https://github.com/ministryofjustice/network-access-control-integration-tests/tree/feature/168-upgrade-openssl-3-18

This change by @darey-io https://github.com/ministryofjustice/network-access-control-server/tree/openssl-upgrade-fix

has been tested and passed.

19 examples, 0 failures

juddin927 commented 1 year ago

Further testing to be completed by LANs; some example test cases: https://docs.google.com/document/d/1SMPPV3b32VvE0nB6BwrCUgQ8WV9oVXZ_aA65m5PHNGc/edit

babatundek commented 1 year ago

This is done pending testing from the LAN WIFI side