definitely, I have a problem with eap-tls

Sergio sergioyebenes at alumnos.upm.es
Fri Jul 25 16:46:25 CEST 2008


Sergio wrote:
> Hi,
> continuing with Reveal MAP's problem with unknown CAs under eap-tls
> using the default configuration....
>
> private_key_file = ${certdir}/server.pem
> certificate_file = ${certdir}/server.pem
> CA_file = ${cadir}/ca.pem
>
> freeradius tells me this:
>
> rlm_eap_tls: <<< TLS 1.0 Handshake [length 0bdb], Certificate
> --> verify error:num=24:invalid CA certificate
>   rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal unknown_ca
> TLS Alert write:fatal:unknown CA
>
> well, it isn't a problem:
>
> cp server.pem root.pem
> cat ca.pem >> root.pem
> then I changed CA_file = ${cadir}/root.pem
>
> ......and.....eureka!!!! authentication successful ....but
>
> now there is a problem checking the CRL because of root.pem, so something
> is wrong before making root.pem.
>
> ....well, just tell freeradius how to find certificates....
>
> c_rehash /usr/local/etc/raddb/certs also doesn't work
> I think Reveal had the same problem and I have read about this on the
> mailing list, but nothing.
>
> Also I've tried to install ca.pem in /etc/ssl/certs using "ln -s". Has
> anybody encountered problems with this apart from Reveal MAP and me?
>
> P.S. the certification path on Windows isn't a problem, just tell the
> XP supplicant who the root authority is (it was logical)
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Me again, Sergio

restarting:

private_key_file = ${certdir}/server.pem
certificate_file = ${certdir}/server.pem
CA_file = ${cadir}/ca.pem

portatil:/usr/local/etc/raddb/certs# ln -s server.pem $(openssl x509 -hash -noout -in server.pem).0
portatil:/usr/local/etc/raddb/certs# ln -s ca.pem $(openssl x509 -hash -noout -in ca.pem).0


portatil:/usr/local/etc/raddb/certs# ls -l|grep lrw
lrwxrwxrwx 1 root    root       6 2008-07-23 02:47 16593b28.0 -> ca.pem
lrwxrwxrwx 1 root    root      10 2008-07-23 02:49 7d18a7eb.0 -> server.pem

portatil:/usr/local/etc/raddb/certs# openssl verify -CApath . server.pem
server.pem: OK

portatil:/usr/local/etc/raddb/certs# openssl verify -CApath . client.crt
client.crt: OK

and then the user is rejected. The other configuration files are OK,
wpa_supplicant too. Look at this, Reveal, be brave hehehe.
Am I forgetting something?
I have two other EAP modules working OK with a different authority than
the server's and I'm really intrigued about this. Does anybody want to join in? hehe

regards :)
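The hashed-directory steps from the message above (the `ln -s ... $(openssl x509 -hash -noout -in ...).0` links and `openssl verify -CApath .`), reproduced end to end as an added example; this is not code from the post or from the FreeRADIUS project. It builds a throwaway CA, server and client certificate with the openssl command-line tool in a scratch directory, populates a CApath directory the way c_rehash does (both the SHA-1 subject hash that `-hash` has printed since OpenSSL 1.0.0 and the MD5 hash it printed in 0.9.8, so one directory serves old and new libraries), verifies the leaves against that directory only, shows that the same CA file in an unhashed directory is simply not found, and reproduces the `verify error:num=24:invalid CA certificate` from the first message. Error 24 is X509_V_ERR_INVALID_CA, which OpenSSL raises when a certificate in the chain is used as an issuer but is not allowed to act as a CA (basicConstraints CA:FALSE, or a v3 certificate with neither basicConstraints nor keyUsage); the example triggers it with a deliberately built CA:FALSE "bad CA". All names, paths and the bad CA are constructed for the example; `-no-CAfile` needs OpenSSL 1.1.0 or later.

```shell
#!/bin/sh
# Added example, not code from the post or from FreeRADIUS: throwaway PKI,
# hashed CApath as c_rehash builds it, verification checks, and a reproduction
# of "error 24 ... invalid CA certificate". Everything here is constructed.
set -eu
WORK="${WORK:-$(mktemp -d)}"   # scratch directory (override with WORK=/some/dir)

# Self-contained openssl config so nothing depends on the system openssl.cnf.
# v3_ca is a real CA; v3_bad is a self-signed cert that is NOT allowed to issue.
write_config() {
  cat > "$WORK/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_bad]
basicConstraints = critical,CA:FALSE
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# Self-signed root: $1 basename, $2 CN, $3 extension section from pki.cnf
make_root() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 -sha256 \
    -config "$WORK/pki.cnf" -extensions "$3" -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# End-entity cert: $1 basename, $2 CN, $3 basename of the issuing root
make_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/pki.cnf" \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -days 1 -sha256 -in "$WORK/$1.csr" \
    -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" -CAcreateserial \
    -extfile "$WORK/pki.cnf" -extensions v3_leaf -out "$WORK/$1.pem" 2>/dev/null
}

# Populate a CApath directory: copy each trust anchor in and link it under both
# the current SHA-1 subject hash ("-hash" since OpenSSL 1.0.0) and the legacy
# MD5 hash ("-hash" in 0.9.8), as c_rehash does. The .N suffix is bumped
# instead of clobbering an existing link on a hash collision.
#   $1 = directory, further args = PEM files of trusted CAs
make_capath() {
  dir="$1"; shift
  mkdir -p "$dir"
  for cert in "$@"; do
    name=$(basename "$cert")
    cp "$cert" "$dir/$name"
    for h in $(openssl x509 -noout -subject_hash -subject_hash_old -in "$cert"); do
      n=0
      while [ -e "$dir/$h.$n" ] && [ "$(readlink "$dir/$h.$n")" != "$name" ]; do
        n=$((n + 1))
      done
      ln -sf "$name" "$dir/$h.$n"
    done
  done
}

# Exit 0 iff cert $2 chains to an anchor found in CApath $1 only; the default
# system CAfile is excluded so the result depends on nothing else (1.1.0+).
verify_against() {
  openssl verify -no-CAfile -CApath "$1" "$2" >/dev/null 2>&1
}

# Print the X.509 verify error number for cert $2 against CApath $1, "0" if OK.
# 24 is X509_V_ERR_INVALID_CA, the "invalid CA certificate" in the post's log.
verify_errnum() {
  out=$(openssl verify -no-CAfile -CApath "$1" "$2" 2>&1) && { echo 0; return 0; }
  echo "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}

# Print a cert's Basic Constraints value ("CA:TRUE" / "CA:FALSE", empty if absent):
# the first thing to check on every cert of a chain that fails with error 24.
basic_constraints() {
  openssl x509 -noout -text -in "$1" | grep -A1 'Basic Constraints' | tail -n 1 | tr -d ' '
}

build_demo() {
  write_config
  make_root ca "Example Test CA" v3_ca
  make_leaf server "radius.example.test" ca
  make_leaf client "alice@example.test" ca
  make_root badca "Not Really A CA" v3_bad
  make_leaf badleaf "radius.example.test" badca
  make_capath "$WORK/capath" "$WORK/ca.pem"                        # hashed, like the post's ln -s
  mkdir -p "$WORK/nolinks"; cp "$WORK/ca.pem" "$WORK/nolinks/"    # file present, no hash links
  make_capath "$WORK/badcapath" "$WORK/badca.pem"
}

build_demo
for c in server client; do
  printf '%s vs hashed CApath: errnum=%s\n' "$c" "$(verify_errnum "$WORK/capath" "$WORK/$c.pem")"
done
printf 'server vs unhashed dir: errnum=%s\n' "$(verify_errnum "$WORK/nolinks" "$WORK/server.pem")"
printf 'badleaf vs CA:FALSE anchor: errnum=%s (anchor is %s)\n' \
  "$(verify_errnum "$WORK/badcapath" "$WORK/badleaf.pem")" "$(basic_constraints "$WORK/badca.pem")"
```

Two checks worth taking back to the post from this: appending server.pem to the file named by CA_file puts the server certificate into the trust store, so it becomes a trust anchor rather than just a server certificate, and only the CA belongs there; and whichever certificate OpenSSL names at the failing depth for error 24 should be inspected with `basic_constraints` above, since a CA generated without CA:TRUE fails exactly this way no matter how it is installed. The tls section of eap.conf also has a CA_path option that reads a hashed directory like the one built here, as an alternative to a single CA_file.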





More information about the Freeradius-Users mailing list