<META content="text/html; charset=gb2312" http-equiv=Content-Type>
<META name=GENERATOR content="MSHTML 8.00.6001.19019">
<DIV><FONT color=#000080 size=2 face=Verdana>Hi, my friends</FONT></DIV>
<DIV><FONT color=#000080>I should sum up my
problems as follows. Strictly according to RFC 5216 (Fig 1), <FONT
color=#0000ff>when the server</FONT> has verified a certificate as valid, it should
return a packet with <STRONG><FONT color=#ff0000> </FONT><FONT
color=#000000>(TLS change_cipher_spec, TLS
finished),</FONT></STRONG> <FONT color=#0000ff><STRONG>and the client waits
for that packet and then returns (EAP-Response). But please see the log (Fig 2): the
server returns a </STRONG><FONT color=#000000>(TLS Alert
message) packet directly, lacking the step above. So I think
FreeRADIUS is not behaving as required by the specifications, is that
right?</FONT><BR>Best regards</FONT></FONT></DIV>
<DIV><FONT color=#000080></FONT> </DIV>
<DIV><FONT
color=#000080>
Fig 1 </FONT></DIV>
<DIV><FONT color=#000080 size=2 face=Verdana><FONT color=#000000>RFC 5216
Section 2.1<BR><PRE>
Authenticating Peer     Authenticator
-------------------     -------------
                        <- EAP-Request/
                        Identity
EAP-Response/
Identity (MyID) ->
                        <- EAP-Request/
                        EAP-Type=EAP-TLS
                        (TLS Start)
EAP-Response/
EAP-Type=EAP-TLS
(TLS client_hello)->
                        <- EAP-Request/
                        EAP-Type=EAP-TLS
                        (TLS server_hello,
                        TLS certificate,
                        [TLS server_key_exchange,]
                        TLS certificate_request,
                        TLS server_hello_done)
EAP-Response/
EAP-Type=EAP-TLS
(TLS certificate,
TLS client_key_exchange,
TLS certificate_verify,
TLS change_cipher_spec,
TLS finished) ->
<B><FONT color=#ff0000>                        <- EAP-Request/
                        EAP-Type=EAP-TLS
                        (TLS change_cipher_spec,
                        TLS finished)</FONT></B>
EAP-Response/
EAP-Type=EAP-TLS ->
                        <- EAP-Request
                        EAP-Type=EAP-TLS
                        (TLS Alert message)
EAP-Response/
EAP-Type=EAP-TLS ->
                        <- EAP-Failure
                        (User Disconnected)
</PRE></FONT></FONT></DIV>
<DIV><FONT color=#000080 size=2
face=Verdana>
Fig 2</FONT></DIV>
<DIV><FONT color=#000080 size=2 face=Verdana><IMG src="/attachment/4567123/0/Catch1.bmp"></DIV>
<DIV><BR></DIV></FONT>
<DIV><FONT color=#000080 size=2 face=Verdana></FONT> </DIV>
<DIV><FONT color=#c0c0c0 size=2 face=Verdana>2011-07-09 </FONT></DIV><FONT
color=#000080 size=2 face=Verdana>
<HR style="WIDTH: 122px; HEIGHT: 2px" align=left SIZE=2>
</FONT>
<DIV><FONT color=#c0c0c0 size=2 face=Verdana><SPAN>yuqiang1973</SPAN>
</FONT></DIV><FONT color=#000080 size=2 face=Verdana>
<HR>
</FONT>
<DIV><FONT size=2 face=Verdana><STRONG>From:</STRONG> Alan DeKok-2 [via
FreeRadius] </FONT></DIV>
<DIV><FONT size=2 face=Verdana><STRONG>Sent:</STRONG> 2011-07-09 00:21:07
</FONT></DIV>
<DIV><FONT size=2 face=Verdana><STRONG>To:</STRONG> yuqiang </FONT></DIV>
<DIV><FONT size=2 face=Verdana><STRONG>Cc:</STRONG> </FONT></DIV>
<DIV><FONT size=2 face=Verdana><STRONG>Subject:</STRONG> Re: Missing SSL Change
Cipher Spec in EAP-TLS with Client Certificate verify failed </FONT></DIV>
<DIV><FONT size=2 face=Verdana></FONT> </DIV>
<DIV><FONT size=2 face=Verdana>Phil Mayers wrote: <BR>> EAP-TLS in FreeRADIUS
WORKS. Stop posting nonsense about RFC compliance. <BR><BR> If the
certificate verification fails, then the server is *supposed* <BR>to stop the
EAP-TLS conversation. <BR><BR>> FreeRADIUS just uses OpenSSL. OpenSSL works.
OpenSSL is compliant with <BR>> the standards. <BR>> <BR>> There is
nothing wrong with FreeRADIUS or OpenSSL. <BR><BR> Everything is working
as expected, and as required by the specifications. <BR><BR> Alan DeKok.
</FONT></DIV>
<br/><hr align="left" width="300" />
View this message in context: <a href="http://freeradius.1045715.n5.nabble.com/Missing-SSL-Change-Cipher-Spec-in-EAP-TLS-with-Client-Certificate-verify-failed-tp4565228p4567123.html">Re: Re: Missing SSL Change Cipher Spec in EAP-TLS withClientCertificate verify failed</a><br/>
Sent from the <a href="http://freeradius.1045715.n5.nabble.com/FreeRadius-Dev-f2789673.html">FreeRadius - Dev mailing list archive</a> at Nabble.com.<br/>
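<DIV>For anyone comparing a capture such as Fig 2 with the RFC 5216 flow in Fig 1, the following added example (not part of the original messages and not FreeRADIUS code) parses one unfragmented EAP-Request/EAP-TLS packet and reports whether the server sent change_cipher_spec + finished or a TLS alert. The function names and the sample packets are constructed for illustration.</DIV>

```python
EAP_REQUEST, EAP_TYPE_TLS = 1, 13          # EAP code 1; EAP-TLS method type (RFC 5216)
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20  # length included, more fragments, TLS start
CCS, ALERT, HANDSHAKE = 20, 21, 22         # TLS record content types
ALERTS = {42: "bad_certificate", 44: "certificate_revoked", 45: "certificate_expired",
          46: "certificate_unknown", 48: "unknown_ca", 49: "access_denied"}

def tls_records(eap: bytes):
    """Split one unfragmented EAP-TLS packet into (code, flags, [(type, body), ...])."""
    if len(eap) < 6 or eap[4] != EAP_TYPE_TLS or int.from_bytes(eap[2:4], "big") != len(eap):
        raise ValueError("not a complete EAP-TLS packet")
    code, flags = eap[0], eap[5]
    if flags & FLAG_M:
        raise ValueError("fragmented message: reassemble first")
    off = 10 if flags & FLAG_L else 6      # skip the 4-byte TLS Message Length if present
    records = []
    while off < len(eap):
        ctype, rlen = eap[off], int.from_bytes(eap[off + 3:off + 5], "big")
        if off + 5 + rlen > len(eap):
            raise ValueError("truncated TLS record")
        records.append((ctype, eap[off + 5:off + 5 + rlen]))
        off += 5 + rlen
    return code, flags, records

def classify_server_flight(eap: bytes) -> str:
    """Name what the authenticator sent: start, alert, CCS + finished, handshake or ack."""
    code, flags, records = tls_records(eap)
    if code != EAP_REQUEST:
        raise ValueError("not an EAP-Request")
    if flags & FLAG_S:
        return "tls_start"
    for ctype, body in records:
        if ctype == ALERT:
            if len(body) != 2:             # an alert sent after CCS is encrypted
                return "alert (encrypted)"
            level = "fatal" if body[0] == 2 else "warning"
            return f"alert: {level} {ALERTS.get(body[1], 'other')} ({body[1]})"
    if any(ctype == CCS for ctype, _ in records):
        return "change_cipher_spec + finished"  # the record after CCS is the encrypted Finished
    return "handshake" if records else "ack"

def eap_request(ident: int, tls_data: bytes, flags: int = 0) -> bytes:
    """Build a constructed EAP-Request/EAP-TLS packet for the samples below."""
    body = bytes([EAP_TYPE_TLS, flags]) + tls_data
    return bytes([EAP_REQUEST, ident]) + (4 + len(body)).to_bytes(2, "big") + body

# Constructed samples (not taken from the capture in Fig 2).
REJECTED = eap_request(5, bytes([ALERT, 3, 1, 0, 2, 2, 48]))
ACCEPTED = eap_request(5, bytes([CCS, 3, 1, 0, 1, 1, HANDSHAKE, 3, 1, 0, 48]) + bytes(48))
```

A plaintext alert arriving in place of the change_cipher_spec + finished request means the server ended the handshake before completing its side; the alert description says why.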