[EAP-TLS Windows 7] Problem with chain certificate on the client side

Phil Mayers p.mayers at imperial.ac.uk
Mon Apr 30 09:44:19 CEST 2012


On 04/30/2012 07:29 AM, jinx_20 wrote:
> Phil, can you look at the certs I provided?
>

They look ok to me. There's no obvious reason they shouldn't verify, and 
quick tests at the CLI all passed. Are you sure these are functionally 
*identical* to the real ones you're using?

I've checked over the FR verify code; it is a pretty standard verify 
callback, and doesn't have any logic errors. It's a bit of a shame the 
FR verify callback doesn't explicitly log the subject/issuer/depth 
values for failures, and just logs the error; I wonder if that is worth 
fixing (and if it would tell us anything more in this case). But I'm 
fairly sure FR is doing nothing wrong.

Therefore, either your cert chain is mangled in some way OpenSSL doesn't 
like, OpenSSL is buggy or the client is buggy. Or something else weird 
is going on.

I don't have any suggestions I'm afraid. If you're familiar with the TLS 
protocol, you could use wireshark to capture and inspect an EAP-TLS 
conversation. The dissector will reassemble the TLS exchange, and you 
can check the correct certs are being sent over the wire in the correct 
order.
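The wire-order check suggested above, as an added example that is not code from the original post or from FreeRADIUS. It takes the raw bytes of a TLS Certificate handshake message (the message Wireshark reassembles from the EAP-TLS fragments), splits it into the DER certificates, pulls issuer and subject out of each with a minimal DER walker (no signature checking, no external libraries), and then prints the depth/subject/issuer lines the FreeRADIUS verify callback does not log, flagging any position where a certificate's issuer is not the next certificate's subject. The three-certificate chain at the bottom is constructed inline with a tiny DER encoder purely so the script runs offline; the names in it are invented, and the parser works unchanged on real DER certificates.

```python
"""Check the order of certificates in a TLS Certificate handshake message.

Added example, not FreeRADIUS code. Only issuer and subject Names are read;
signatures are not verified. Sample certificates are constructed below.
"""


def read_tlv(buf, pos=0):
    """Return (tag, value_bytes, end_pos) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Split a constructed DER value into (tag, value, raw_tlv) triples."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, end = read_tlv(value, pos)
        out.append((tag, val, value[pos:end]))
        pos = end
    return out


def common_name(name_value):
    """Best-effort CN from the contents of a DER Name, for readable logging."""
    for _tag, rdn, _raw in children(name_value):        # each RDN is a SET
        for _t, atv, _r in children(rdn):               # AttributeTypeAndValue
            oid, val = children(atv)[:2]
            if oid[1] == b"\x55\x04\x03":               # id-at-commonName
                return val[1].decode("utf-8", "replace")
    return "<no CN>"


def parse_certificate(der_cert):
    """Return raw issuer/subject DER (for comparison) and their CNs."""
    _tag, cert_body, _end = read_tlv(der_cert)
    fields = children(children(cert_body)[0][1])        # TBSCertificate fields
    if fields[0][0] == 0xA0:                            # optional [0] version
        fields = fields[1:]
    # order: serialNumber, signature, issuer, validity, subject, ...
    return {"issuer": fields[2][2], "subject": fields[4][2],
            "issuer_cn": common_name(fields[2][1]),
            "subject_cn": common_name(fields[4][1])}


def parse_tls_certificate_message(msg):
    """Split a TLS 1.0-1.2 Certificate handshake message (type 11) into DER certs."""
    if msg[0] != 0x0B:
        raise ValueError("not a Certificate handshake message")
    body = msg[4:4 + int.from_bytes(msg[1:4], "big")]
    pos, end, certs = 3, 3 + int.from_bytes(body[0:3], "big"), []
    while pos < end:
        clen = int.from_bytes(body[pos:pos + 3], "big")
        certs.append(body[pos + 3:pos + 3 + clen])
        pos += 3 + clen
    return certs


def check_chain_order(msg):
    """Return (ok, log_lines); ok iff each cert's issuer is the next cert's subject."""
    certs = [parse_certificate(c) for c in parse_tls_certificate_message(msg)]
    lines, ok = [], True
    for depth, c in enumerate(certs):
        lines.append(f"depth={depth} subject=CN={c['subject_cn']} issuer=CN={c['issuer_cn']}")
        if depth + 1 < len(certs) and c["issuer"] != certs[depth + 1]["subject"]:
            ok = False
            lines.append(f"  ! depth {depth} issuer does not match depth {depth + 1} subject")
    if certs and certs[-1]["issuer"] == certs[-1]["subject"]:
        lines.append("  last certificate is self-signed (root was sent on the wire)")
    return ok, lines


# ---- constructed sample data (tiny DER encoder; not real certificates) ------
def der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def name(cn):
    atv = der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, cn.encode()))
    return der(0x30, der(0x31, atv))


def fake_cert(subject_cn, issuer_cn, serial):
    """Structurally valid X.509 shell with a dummy key and dummy signature."""
    alg = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
    validity = der(0x30, der(0x17, b"120101000000Z") + der(0x17, b"130101000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, bytes([serial])) + alg
              + name(issuer_cn) + validity + name(subject_cn)
              + der(0x30, alg + der(0x03, b"\x00\x00")))
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 17))


def tls_certificate_message(certs):
    body = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    body = len(body).to_bytes(3, "big") + body
    return b"\x0b" + len(body).to_bytes(3, "big") + body


ROOT = fake_cert("Example Root CA", "Example Root CA", 1)
INTER = fake_cert("Example Issuing CA", "Example Root CA", 2)
SERVER = fake_cert("radius.example.org", "Example Issuing CA", 3)
GOOD_MSG = tls_certificate_message([SERVER, INTER, ROOT])   # correct order
BAD_MSG = tls_certificate_message([INTER, SERVER, ROOT])    # intermediate first

if __name__ == "__main__":
    for label, m in (("good", GOOD_MSG), ("bad", BAD_MSG)):
        ok, lines = check_chain_order(m)
        print(label, "order OK" if ok else "order BROKEN")
        print("\n".join(lines))
```

To use it on a real capture, feed `check_chain_order` the reassembled handshake bytes of the server's (or the client's) Certificate message; a mismatch line at depth N means the peer is sending the chain out of order or with a gap, which OpenSSL reports only as a bare verify error rather than naming the offending certificate.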

