FR 1.1.6 EAP - TLS rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal bad_certificate
David Wood
david at wood2.org.uk
Sun Apr 29 00:38:18 CEST 2007
Hi Remy and everyone,
In message <200704281849.l3SInfTu086460 at mxdrop40.xs4all.nl>, Remy de
Ruysscher <remy at unix-asp.com> writes
>I just upgraded FR 1.1.4 to 1.1.6 on FreeBSD 6.1. And FR has always
>worked wonderfully for me in the past.
I'm the maintainer of the FreeBSD port. My 6.2-RELEASE-p2 i386 system
uses EAP-TLS - and it works fine, so it is probably something with your
setup. I'm assuming you're using the port - though you didn't say so
specifically.
I use the OpenSSL port - and suggest you do too, as the version of
OpenSSL in the base system is rather old. If you've got the OpenSSL port
installed, the FreeRADIUS port will notice and make use of it
automatically. The package, meanwhile, uses the base OpenSSL. If you
install the OpenSSL port, you'll need to rebuild the FreeRADIUS port for
FreeRADIUS to use it.
If you have portupgrade installed, and want to switch to using the
OpenSSL port, try:
portupgrade -N security/openssl
portupgrade -f net/freeradius
/usr/local/etc/rc.d/radius start
I suggest you also rebuild any other ports that use OpenSSL if you've
installed the OpenSSL port for the first time. Use portupgrade -f or
similar.
Of course, it could be that your server certificate is actually bad. Do
the results of:
openssl verify -CAfile demoCA/cacert.pem -verbose cert-srv.pem
and
openssl x509 -in cert-srv.pem -noout -text
look OK?
You may need to adjust the filenames according to your environment - I'm
presuming that you're in your raddb certificates folder.
If you have the OpenSSL port installed, I suggest you explicitly use
/usr/local/bin/openssl instead of openssl in the commands above.
The handling of raddb upgrading has changed significantly from version
1.1.4 of the port to 1.1.6. It's just possible that your certificates
have got stomped on if they are in /usr/local/etc/raddb/certs (adjusted
accordingly if you have a non-standard ${PREFIX}), but I can't think
why, as the script is fairly careful in checking before overwriting
anything in raddb.
That said, the new behaviour on uninstallation is to check any files in
raddb against the distribution, and delete unmodified files. On
installation, it copies the distribution files to raddb unless there's
already a file of the same name. It's possible that your upgrade to
1.1.6 has created mixed versions (new uncustomised files and your
customisations based on a rather older version of FreeRADIUS) - and
that's introduced a problem, though I feel this is unlikely.
My favourite is either there's something wrong with your server
certificate, or it's a problem with the base system OpenSSL that you can
cure by moving to the OpenSSL port.
I'd be interested to know how you get on, particularly if the problem
turns out to be something different.
If you want a tarball of the 1.1.4 port, email me - I can pull out the
last version of 1.1.4 from my local Subversion repository before I
upgraded the port to 1.1.5. There were a lot of fixes in the 1.1.4
timeframe - there was a 1.1.4 port on 15 January 2007, 1.1.4_1 on 18
January 2007, and a rewrap of 1.1.4_1 on 23 January 2007.
The 15 January -> 18 January transition merely disabled rlm_sql_firebird
(otherwise the port failed to build with experimental modules disabled).
The 18 January -> 23 January 2007 update contained a bunch of fixes,
including the first version of the revised raddb handling (the very
first time that the port touched files other than those suffixed .sample
in raddb).
http://www.freshports.org/net/freeradius/ will walk you through the
changes in more detail, though my local Subversion repository is more
finely grained. There were two further changes before I upgraded to
1.1.5 - support for the freeradius-mysql slave port, and a change to the
current version of raddb handling.
However, I hope we can get the 1.1.6 port working on your machine, and I
don't have to unravel the many changes made from the last version of
1.1.4_1 through 1.1.5 to 1.1.6.
Best wishes,
David
--
David Wood
david at wood2.org.uk
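As an added example (my own script, not from David's message or from the FreeRADIUS port): a small POSIX shell script that runs the two openssl checks David suggests, but against a throwaway CA and server certificate it generates itself, so you can see what a good chain and a certificate signed by some other CA look like before pointing the same function at the real files in raddb/certs. The CA names, hostname and file names are made up for the example; the only assumption is an openssl binary on PATH (set OPENSSL=/usr/local/bin/openssl to use the port's build, as David recommends).

```sh
#!/bin/sh
# Added example, not part of the original post or of the FreeRADIUS port.
# Reproduces the two checks from the post against a throwaway PKI that is
# generated on the fly, so nothing here touches a real raddb/certs.
# Assumes only an `openssl` binary; override with OPENSSL=/usr/local/bin/openssl
# to use the FreeBSD OpenSSL port instead of the base system's copy.

OPENSSL="${OPENSSL:-openssl}"

# Build a CA and a server cert issued by it, plus a second, unrelated CA
# standing in for "the wrong cacert.pem ended up in raddb/certs".
# All names below are invented for the example.
make_test_pki() {
    dir=$1
    mkdir -p "$dir"
    $OPENSSL req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example RADIUS CA" \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" >/dev/null 2>&1
    $OPENSSL req -newkey rsa:2048 -nodes \
        -subj "/CN=radius.example.org" \
        -keyout "$dir/srv-key.pem" -out "$dir/srv.csr" >/dev/null 2>&1
    $OPENSSL x509 -req -days 365 -in "$dir/srv.csr" \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -out "$dir/cert-srv.pem" >/dev/null 2>&1
    $OPENSSL req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Some Other CA" \
        -keyout "$dir/otherkey.pem" -out "$dir/othercacert.pem" >/dev/null 2>&1
}

# The first check from the post: does the server cert chain to this CA file?
# Prints "ok" or "FAIL: <openssl's reason>" and returns 0 / 1 accordingly.
# The result is taken from openssl's text rather than its exit status, because
# old OpenSSL releases exit 0 from `verify` even when verification fails.
verify_server_cert() {
    cafile=$1; cert=$2
    out=$($OPENSSL verify -CAfile "$cafile" "$cert" 2>&1) || true
    case $out in
        *": OK"*) echo "ok"; return 0 ;;
        *)        echo "FAIL: $out"; return 1 ;;
    esac
}

# The second check from the post, reduced to the fields worth eyeballing when
# a supplicant rejects the server certificate: who it is for, who issued it,
# and whether it is currently valid.
cert_summary() {
    cert=$1
    $OPENSSL x509 -in "$cert" -noout -subject -issuer -dates
}

# Stand-alone run: good chain, then the mismatched-CA case.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    make_test_pki "$tmp"
    echo "against the issuing CA:  $(verify_server_cert "$tmp/cacert.pem" "$tmp/cert-srv.pem")"
    echo "against an unrelated CA: $(verify_server_cert "$tmp/othercacert.pem" "$tmp/cert-srv.pem")"
    cert_summary "$tmp/cert-srv.pem"
    rm -rf "$tmp"
fi
```

Run it with `sh script.sh demo`; then call verify_server_cert with your own cacert.pem and cert-srv.pem from raddb/certs. If that local check passes but the supplicant still answers with a bad_certificate alert, the next thing to compare is whether the CA the supplicant trusts is the same one that actually issued cert-srv.pem; the second call in the demo is exactly that mismatch seen from the server side.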