5.1.3.3.1.11. RADIUS Certificate Weak Key
In environments where authentication is carried out by client certificate, some clients may present certificates whose keys were generated with a low number of bits (typically RSA keys of 1024 bits or less). Keys of this size are considered weak and therefore not secure for authentication.
Because the OpenNAC RADIUS module requires a minimum security level by default, authentication attempts made with such weak certificates will fail.
If this problem occurs, there will be failed authentications on the platform. These can be observed both in the default OpenNAC view and in the logs from the terminal.
Error log:
```
{"Timestamp":"Nov 14 2023 12:42:12 CET","EAP-Type":13,"Module-Failure-Message":"eap_tls: Failed in FUNCTION (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed","Module-Failure-Message":"eap_tls: System call (I/O) error (-1)","Module-Failure-Message":"eap_tls: TLS receive handshake failed during operation","Module-Failure-Message":"eap_tls: [eaptls process] = fail","Module-Failure-Message":"eap_opennac: Failed continuing EAP TLS (13) session. EAP sub-module failed","Post-Auth-Type":2}
```
The `certificate verify failed` entry above is the generic symptom of a rejected client certificate. The messages that identify a weak key specifically (OpenSSL verification error 66, X509_V_ERR_EE_KEY_TOO_SMALL, followed by the fatal TLS alert sent back to the client) look like this:
- "Module-Failure-Message":"SSL says error 66 : **EE certificate key too weak**"
- "Module-Failure-Message":"eap_tls: **TLS Alert write:fatal:bad certificate**"
5.1.3.3.1.11.1. Solution:
The correct solution to this error is to reissue and redistribute the client certificates with a sufficient key length (RSA keys of 2048 bits or more). This removes the cause of the failure and meets the minimum security standards.
If it is not possible to reissue and distribute these certificates, the workaround described in the next section can be applied.
5.1.3.3.1.11.2. Workaround:
If redeploying certificates with longer RSA keys is not an option, the system can be adjusted to accept smaller key sizes. Note that this lowers the security level of the whole host, not only of the RADIUS module: the system crypto policy is followed by every application on the machine that honours it, so treat the workaround as a temporary measure until the certificates are replaced.
To do this, modify the system's crypto policies:
Copy the OPENNAC-WEAK-KEY.pmod file to the system policy modules directory:
```
cp /usr/share/opennac/utils/crypto-policies/OPENNAC-WEAK-KEY.pmod /etc/crypto-policies/policies/modules/OPENNAC-WEAK-KEY.pmod
```
Check which policy is currently applied:
```
update-crypto-policies --show
```
Apply the policy module on top of the current policy, where <ACTUAL-POLICY> is the value printed by the previous command (for example DEFAULT; if the output already lists modules, such as DEFAULT:SHA1, keep them and append the new module at the end):
```
update-crypto-policies --set <ACTUAL-POLICY>:OPENNAC-WEAK-KEY
```
Restart the RADIUS service so that it picks up the new policy:
```
systemctl restart radiusd
```
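The following script is an added example, not part of OpenNAC or its documentation. It ties the diagnosis and the workaround together: it counts log lines carrying the weak-key signatures listed above, reports the key size of every client certificate in a directory so that weak ones can be found before they fail, and builds the `--set` argument from the output of `update-crypto-policies --show` without appending the module twice. Assumptions: radiusd writes one JSON object per log line as in the excerpt, `openssl` is on PATH (only needed for the certificate scan), 2048 bits is the threshold to enforce, the script name `weakkey.sh` is arbitrary, and the sample log lines are constructed, not real data.

```shell
#!/usr/bin/env bash
# Added example, not OpenNAC code: helpers to find weak client certificate keys
# and to build the crypto-policy argument from "update-crypto-policies --show".
# Assumptions: radiusd emits one JSON object per log line (as in the excerpt
# above), openssl is on PATH, and 2048 bits is the threshold to enforce.
set -eu

MIN_RSA_BITS="${MIN_RSA_BITS:-2048}"   # the >=2048 recommendation above

# Log signatures that the page associates with a rejected weak client key.
WEAK_KEY_PATTERN='EE certificate key too weak|tls_process_client_certificate:certificate verify failed|TLS Alert write:fatal:bad certificate'

# Count the lines on stdin that carry one of the signatures (prints 0 if none).
count_weak_key_failures() {
    grep -c -E "$WEAK_KEY_PATTERN" || true
}

# Print the public key size in bits of a PEM certificate; OpenSSL 1.1 and 3.x
# both print "Public-Key: (N bit)" in the text dump.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Succeed (0) when BITS is below the threshold, i.e. the key would be rejected.
key_is_weak() {
    [ "$1" -lt "$MIN_RSA_BITS" ]
}

# Append MODULE to the policy string CURRENT unless it is already present, so
# "DEFAULT" becomes "DEFAULT:OPENNAC-WEAK-KEY" and "DEFAULT:SHA1" keeps SHA1.
compose_policy() {
    local current="$1" module="$2"
    case ":$current:" in
        *":$module:"*) printf '%s\n' "$current" ;;
        *)             printf '%s\n' "$current:$module" ;;
    esac
}

# Report every *.pem under DIR; return 1 if any certificate is weak or unreadable.
report_weak_certs() {
    local f bits rc=0
    for f in "$1"/*.pem; do
        [ -e "$f" ] || continue
        bits=$(cert_key_bits "$f")
        if [ -z "$bits" ]; then
            echo "UNREADABLE        $f"; rc=1
        elif key_is_weak "$bits"; then
            echo "WEAK  ($bits bit) $f"; rc=1
        else
            echo "OK    ($bits bit) $f"
        fi
    done
    return "$rc"
}

# Constructed sample lines in the shape of the excerpt above (not real data):
# two weak-key failures and one unrelated, successful authentication.
SAMPLE_LOG='{"Timestamp":"Nov 14 2023 12:42:12 CET","EAP-Type":13,"Module-Failure-Message":"eap_tls: Failed in FUNCTION (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed"}
{"Timestamp":"Nov 14 2023 12:42:12 CET","EAP-Type":13,"Module-Failure-Message":"SSL says error 66 : EE certificate key too weak","Module-Failure-Message":"eap_tls: TLS Alert write:fatal:bad certificate"}
{"Timestamp":"Nov 14 2023 12:43:00 CET","EAP-Type":13,"Post-Auth-Type":1}'

# Demo: ./weakkey.sh --demo [CLIENT_CERT_DIR]
if [ "${1:-}" = "--demo" ]; then
    echo "weak-key failures in sample log: $(printf '%s\n' "$SAMPLE_LOG" | count_weak_key_failures)"
    current=$(update-crypto-policies --show 2>/dev/null || echo DEFAULT)
    echo "policy to set: $(compose_policy "$current" OPENNAC-WEAK-KEY)"
    if [ -n "${2:-}" ]; then
        report_weak_certs "$2"
    fi
fi
```

To triage a real installation, pipe the radiusd JSON log into `count_weak_key_failures` and point `report_weak_certs` at the directory holding the exported client certificates; any line marked WEAK is a certificate that must be reissued, and the policy string printed by `compose_policy` is the value to pass to `update-crypto-policies --set` while the workaround is in place.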