FR 1.1.6 EAP - TLS rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal bad_certificate

Remy de Ruysscher remy at unix-asp.com
Sun Apr 29 09:28:58 CEST 2007


Hi David,

Thanks for your help! I use the port version of FR and also use portupgrade.

The FreeBSD base OpenSSL is indeed rather old, so I did have OpenSSL
(With_overwrite_Base) already installed from the ports.

I found something wrong with the server certificates (very strange, because
nothing has been altered). I don't know what this means (yet).
I'm rebuilding my OpenSSL port with make clean && make reinstall and have
removed all files in /usr/local/etc/raddb, so the FR port will install a
clean version.

Then I will compare files manually and see what changes there have been.

---

defiant.unix.asp.com.pem:
/C=NL/ST=Utrecht/L=Utrecht/O=UNIX-ASP.COM/OU=Support/CN=unix-asp.com/emailAddress=support at unix-asp.com
error 18 at 0 depth lookup:self signed certificate
/C=NL/ST=Utrecht/L=Utrecht/O=UNIX-ASP.COM/OU=Support/CN=unix-asp.com/emailAddress=support at unix-asp.com
error 7 at 0 depth lookup:certificate signature failure
25385:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/rsa/rsa_pk1.c:100:
25385:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/rsa/rsa_eay.c:625:
25385:error:0D089006:asn1 encoding routines:ASN1_verify:EVP lib:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/asn1/a_verify.c:162:

Regards,
Remy.

-----Original Message-----
From: freeradius-users-bounces+remy=unix-asp.com at lists.freeradius.org
[mailto:freeradius-users-bounces+remy=unix-asp.com at lists.freeradius.org] On
Behalf Of David Wood
Sent: Sunday 29 April 2007 0:38
To: FreeRadius users mailing list
Subject: Re: FR 1.1.6 EAP - TLS rlm_eap_tls: <<< TLS 1.0 Alert [length
0002], fatal bad_certificate

Hi Remy and everyone,

In message <200704281849.l3SInfTu086460 at mxdrop40.xs4all.nl>, Remy de 
Ruysscher <remy at unix-asp.com> writes
>I just upgrade FR 1.1.4 to 1.1.6 on FreeBSD 6.1. And FR has always
>worked wonderfully for me in the past.

I'm the maintainer of the FreeBSD port. My 6.2-RELEASE-p2 i386 system 
uses EAP-TLS - and it works fine, so it is probably something with your 
setup. I'm assuming you're using the port - though you didn't say so 
specifically.


I use the OpenSSL port - and suggest you do too, as the version of 
OpenSSL in the base system is rather old. If you've got the OpenSSL port 
installed, the FreeRADIUS port will notice and make use of it 
automatically. The package, meanwhile, uses the base OpenSSL. If you 
install the OpenSSL port, you'll need to rebuild the FreeRADIUS port for 
FreeRADIUS to use it.

If you have portupgrade installed, and want to switch to using the 
OpenSSL port, try:

portupgrade -N security/openssl
portupgrade -f net/freeradius
/usr/local/etc/rc.d/radius start


I suggest you also rebuild any other ports that use OpenSSL if you've 
installed the OpenSSL port for the first time. Use portupgrade -f or 
similar.


Of course, it could be that your server certificate is actually bad. Do 
the results of:

openssl verify -CAfile demoCA/cacert.pem -verbose cert-srv.pem

and

openssl x509 -in cert-srv.pem -noout -text

look OK?


You may need to adjust the filenames according to your environment - I'm 
presuming that you're in your raddb certificates folder.

If you have the OpenSSL port installed, I suggest you explicitly use 
/usr/local/bin/openssl instead of openssl in the commands above.


The handling of raddb upgrading has changed significantly from version 
1.1.4 of the port to 1.1.6. It's just possible that your certificates 
have got stomped on if they are in /usr/local/etc/raddb/certs (adjusted 
accordingly if you have a non-standard ${PREFIX}), but I can't think 
why, as the script is fairly careful in checking before overwriting 
anything in raddb.

That said, the new behaviour on uninstallation is to check any files in 
raddb against the distribution, and delete unmodified files. On 
installation, it copies the distribution files to raddb unless there's 
already a file of the same name. It's possible that your upgrade to 
1.1.6 has created mixed versions (new uncustomised files and your 
customisations based on a rather older version of FreeRADIUS) - and 
that's introduced a problem, though I feel this is unlikely.


My favourite is either there's something wrong with your server 
certificate, or it's a problem with the base system OpenSSL that you can 
cure by moving to the OpenSSL port.

I'd be interested to know how you get on, particularly if the problem 
turns out to be something different.



If you want a tarball of the 1.1.4 port, email me - I can pull out the 
last version of 1.1.4 from my local Subversion repository before I 
upgraded the port to 1.1.5. There were a lot of fixes in the 1.1.4 
timeframe - there was a 1.1.4 port on 15 January 2007, 1.1.4_1 on 18 
January 2007, and a rewrap of 1.1.4_1 on 23 January 2007.

The 15 January -> 18 January transition merely disabled rlm_sql_firebird 
(otherwise the port failed to build with experimental modules disabled). 
The 18 January -> 23 January 2007 update contained a bunch of fixes, 
including the first version of the revised raddb handling (the very 
first time that the port touched files other than those suffixed .sample 
in raddb).


http://www.freshports.org/net/freeradius/ will walk you through the 
changes in more detail, though my local Subversion repository is more 
finely grained. There were two further changes before I upgraded to 
1.1.5 - support for the freeradius-mysql slave port, and a change to the 
current version of raddb handling.

However, I hope we can get the 1.1.6 port working on your machine, and I 
don't have to unravel the many changes made from the last version of 
1.1.4_1 through 1.1.5 to 1.1.6.



Best wishes,





David
-- 
David Wood
david at wood2.org.uk
- 
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
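Added example, not code from either post in this thread: the two openssl checks David suggests, run against a throwaway CA and server certificate so the script works offline, plus a deliberately damaged copy of the server certificate that reproduces the "certificate signature failure" (error 7) lookup and the "self signed certificate" (error 18) lookup seen in Remy's output. The CA and server subjects, the file names and the scratch directory are all invented here; the OPENSSL variable is an assumption that lets you point the script at /usr/local/bin/openssl as David recommends on FreeBSD.

```shell
#!/bin/sh
# Added example, not code from the list posts. Builds a throwaway CA and a
# CA-signed server certificate, then runs the checks from the thread and
# reproduces the "certificate signature failure" (error 7) and
# "self signed certificate" (error 18) lookups from the posted output.
# Subjects, file names and the scratch directory are invented for this demo.
set -u

OPENSSL="${OPENSSL:-openssl}"   # e.g. OPENSSL=/usr/local/bin/openssl on FreeBSD
WORK="${TMPDIR:-/tmp}/eaptls-verify.$$"
trap 'rm -rf "$WORK"' EXIT

# Create cacert.pem (self-signed CA) and cert-srv.pem (signed by that CA).
make_certs() {
    mkdir -p "$WORK" || return 1
    "$OPENSSL" req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" \
        -subj "/CN=Example EAP-TLS CA" >/dev/null 2>&1 || return 1
    "$OPENSSL" req -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/srv.key" -out "$WORK/srv.csr" \
        -subj "/CN=radius.example.test" >/dev/null 2>&1 || return 1
    "$OPENSSL" x509 -req -sha256 -days 1 -in "$WORK/srv.csr" \
        -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
        -out "$WORK/cert-srv.pem" >/dev/null 2>&1
}

# The check from the thread: exit 0 only if the cert chains to cacert.pem.
verify_cert() {
    "$OPENSSL" verify -CAfile "$WORK/cacert.pem" "$1" >/dev/null 2>&1
}

# Same check, but returning the "error N at M depth lookup" messages.
verify_msg() {
    "$OPENSSL" verify -CAfile "$WORK/cacert.pem" "$1" 2>&1
}

# No trust anchor at all: a self-signed cert fails here with error 18.
verify_untrusted() {
    "$OPENSSL" verify "$1" 2>&1
}

# The other check from the thread, trimmed to the fields worth eyeballing.
cert_summary() {
    "$OPENSSL" x509 -in "$1" -noout -subject -issuer -dates
}

# Exit 0 only if the certificate is still inside its validity period.
cert_not_expired() {
    "$OPENSSL" x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Damage the signature without touching the rest of the encoding: the last
# byte of a DER certificate is the last byte of signatureValue, so flipping
# its top bit leaves the ASN.1 parseable but makes the RSA check fail with
# a padding error and "certificate signature failure", as in the post.
corrupt_signature() {
    in="$1"; out="$2"
    "$OPENSSL" x509 -in "$in" -outform DER -out "$WORK/good.der" || return 1
    size=$(wc -c < "$WORK/good.der" | tr -d ' ')
    last=$(tail -c 1 "$WORK/good.der" | od -An -tu1 | tr -d ' ')
    flipped=$(( (last + 128) % 256 ))
    dd if="$WORK/good.der" of="$WORK/bad.der" bs=1 count=$((size - 1)) 2>/dev/null || return 1
    printf "\\$(printf '%03o' "$flipped")" >> "$WORK/bad.der"
    "$OPENSSL" x509 -inform DER -in "$WORK/bad.der" -out "$out"
}

demo() {
    make_certs || { echo "could not build test certificates"; return 1; }
    echo "== good server cert"
    cert_summary "$WORK/cert-srv.pem"
    verify_msg "$WORK/cert-srv.pem"
    corrupt_signature "$WORK/cert-srv.pem" "$WORK/cert-bad.pem" || return 1
    echo "== same cert with a damaged signature"
    verify_msg "$WORK/cert-bad.pem"
    echo "== CA cert checked without any trust anchor"
    verify_untrusted "$WORK/cacert.pem"
}

demo
```

Run it as-is, or with OPENSSL=/usr/local/bin/openssl to make sure the port's binary (the one the rebuilt FreeRADIUS port links against) is the one doing the checking. On a real raddb/certs directory, substitute the CA and server files for the generated ones and leave out corrupt_signature; an "error 7" on an untouched file means the PEM on disk no longer matches what the CA signed, which is a reason to compare it against a backup before anything else.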