EAP-TLS error: RSA_padding_check_PKCS1_type_1:block type is not 01

Swaraj swaraj.vutturi at redpinesignals.com
Tue Nov 20 13:38:39 CET 2012


Hi All,

I'm using FreeRADIUS server 2.1.12 on x86 Fedora 14. My client is an 
IMX53 board (armel Ubuntu 10.04 Lucid). When I try connecting to the RADIUS 
server I receive the following errors.
Do we require different certificates for ARM boards? I was able to 
run without any issues on x86 with the same certificates.

openssl version is 0.98g (on arm board)
openssl version is 1.0.0a-fips (on x86 free radius server 2.1.12)


ERROR:
-----------
rad_recv: Access-Request packet from host 10.0.0.70 port 2050, id=8, 
length=166
     User-Name = "testuser"
     NAS-IP-Address = 127.0.0.1
     NAS-Port = 0
     Called-Station-Id = "68-7F-74-64-0A-AA:linksys"
     Calling-Station-Id = "00-23-A7-3B-29-2C"
     Framed-MTU = 1400
     NAS-Port-Type = Wireless-802.11
     Connect-Info = "CONNECT 0Mbps 802.11"
     EAP-Message = 0x020300060d00
     State = 0xba89e950b88ae454eff4b9964b6ca194
     Message-Authenticator = 0x3f69e77da835e1450b33224899e816b2
Tue Nov 20 16:48:05 2012 : Info: # Executing section authorize from file 
/usr/local/etc/raddb/radiusd.conf
Tue Nov 20 16:48:05 2012 : Info: +- entering group authorize {...}
Tue Nov 20 16:48:05 2012 : Info: ++[preprocess] returns ok
Tue Nov 20 16:48:05 2012 : Info: ++[chap] returns noop
Tue Nov 20 16:48:05 2012 : Info: ++[mschap] returns noop
Tue Nov 20 16:48:05 2012 : Info: [suffix] No '@' in User-Name = 
"testuser", looking up realm NULL
Tue Nov 20 16:48:05 2012 : Info: [suffix] No such realm "NULL"
Tue Nov 20 16:48:05 2012 : Info: ++[suffix] returns noop
Tue Nov 20 16:48:05 2012 : Info: [eap] EAP packet type response id 3 
length 6
Tue Nov 20 16:48:05 2012 : Info: [eap] No EAP Start, assuming it's an 
on-going EAP conversation
Tue Nov 20 16:48:05 2012 : Info: ++[eap] returns updated
Tue Nov 20 16:48:05 2012 : Info: [files] users: Matched entry testuser 
at line 131
Tue Nov 20 16:48:05 2012 : Info: ++[files] returns ok
Tue Nov 20 16:48:05 2012 : Info: Found Auth-Type = EAP
Tue Nov 20 16:48:05 2012 : Info: # Executing group from file 
/usr/local/etc/raddb/radiusd.conf
Tue Nov 20 16:48:05 2012 : Info: +- entering group authenticate {...}
Tue Nov 20 16:48:05 2012 : Info: [eap] Request found, released from the list
Tue Nov 20 16:48:05 2012 : Info: [eap] EAP/tls
Tue Nov 20 16:48:05 2012 : Info: [eap] processing type tls
Tue Nov 20 16:48:05 2012 : Info: [tls] Authenticate
Tue Nov 20 16:48:05 2012 : Info: [tls] processing EAP-TLS
Tue Nov 20 16:48:05 2012 : Info: [tls] Received TLS ACK
Tue Nov 20 16:48:05 2012 : Info: [tls] ACK handshake fragment handler
Tue Nov 20 16:48:05 2012 : Info: [tls] eaptls_verify returned 1
Tue Nov 20 16:48:05 2012 : Info: [tls] eaptls_process returned 13
Tue Nov 20 16:48:05 2012 : Info: ++[eap] returns handled
Sending Access-Challenge of id 8 to 10.0.0.70 port 2050
     EAP-Message = 0x026161310a300806035504031301610e000000
     Message-Authenticator = 0x00000000000000000000000000000000
     State = 0xba89e950b98de454eff4b9964b6ca194
Tue Nov 20 16:48:05 2012 : Info: Finished request 8.
Tue Nov 20 16:48:05 2012 : Debug: Going to the next request
Tue Nov 20 16:48:05 2012 : Debug: Waking up in 0.5 seconds.
rad_recv: Access-Request packet from host 10.0.0.70 port 2050, id=9, 
length=1287
     User-Name = "testuser"
     NAS-IP-Address = 127.0.0.1
     NAS-Port = 0
     Called-Station-Id = "68-7F-74-64-0A-AA:linksys"
     Calling-Station-Id = "00-23-A7-3B-29-2C"
     Framed-MTU = 1400
     NAS-Port-Type = Wireless-802.11
     Connect-Info = "CONNECT 0Mbps 802.11"
     EAP-Message = 
0x0204045f0d0016030103030b0002ff0002fc0002f9308202f53082025ea003020102020900958dbc5fc22a1e39300d06092a864886f70d0101040500305b310a3008060355040a130161310a3008060355040b1301613110300e06092a864886f70d010901160161310a30080603550407130161310a30080603550408130161310b3009060355040613026161310a30080603550403130161301e170d3132313132303037323635345a170d3133313132303037323635345a305b310a3008060355040a130161310a3008060355040b1301613110300e06092a864886f70d010901160161310a30080603550407130161310a30080603550408130161
     EAP-Message = 
0x1849da1f7906027ca97729405b53eda8680767a719962059a67cd451dc8f1bd30d4cec89234ea9c408d13fb4c2c0c6bc1403010001011603010030b8b9b7a2f1fcb703eca33336508b26fa17344530ab8cc6f48edbf0210a6ddad56fcc0d9b9e7ebed01f532216f6dda1e7
     State = 0xba89e950b98de454eff4b9964b6ca194
     Message-Authenticator = 0x07338a39dd069d06794136bf8f63b62f
Tue Nov 20 16:48:05 2012 : Info: # Executing section authorize from file 
/usr/local/etc/raddb/radiusd.conf
Tue Nov 20 16:48:05 2012 : Info: +- entering group authorize {...}
Tue Nov 20 16:48:05 2012 : Info: ++[preprocess] returns ok
Tue Nov 20 16:48:05 2012 : Info: ++[chap] returns noop
Tue Nov 20 16:48:05 2012 : Info: ++[mschap] returns noop
Tue Nov 20 16:48:05 2012 : Info: [suffix] No '@' in User-Name = 
"testuser", looking up realm NULL
Tue Nov 20 16:48:05 2012 : Info: [suffix] No such realm "NULL"
Tue Nov 20 16:48:05 2012 : Info: ++[suffix] returns noop
Tue Nov 20 16:48:05 2012 : Info: [eap] EAP packet type response id 4 
length 253
Tue Nov 20 16:48:05 2012 : Info: [eap] No EAP Start, assuming it's an 
on-going EAP conversation
Tue Nov 20 16:48:05 2012 : Info: ++[eap] returns updated
Tue Nov 20 16:48:05 2012 : Info: [files] users: Matched entry testuser 
at line 131
Tue Nov 20 16:48:05 2012 : Info: ++[files] returns ok
Tue Nov 20 16:48:05 2012 : Info: Found Auth-Type = EAP
Tue Nov 20 16:48:05 2012 : Info: # Executing group from file 
/usr/local/etc/raddb/radiusd.conf
Tue Nov 20 16:48:05 2012 : Info: +- entering group authenticate {...}
Tue Nov 20 16:48:05 2012 : Info: [eap] Request found, released from the list
Tue Nov 20 16:48:05 2012 : Info: [eap] EAP/tls
Tue Nov 20 16:48:05 2012 : Info: [eap] processing type tls
Tue Nov 20 16:48:05 2012 : Info: [tls] Authenticate
Tue Nov 20 16:48:05 2012 : Info: [tls] processing EAP-TLS
Tue Nov 20 16:48:05 2012 : Info: [tls] eaptls_verify returned 7
Tue Nov 20 16:48:05 2012 : Info: [tls] Done initial handshake
Tue Nov 20 16:48:05 2012 : Info: [tls] <<< TLS 1.0 Handshake [length 
0303], Certificate
Tue Nov 20 16:48:05 2012 : Info: [tls] chain-depth=0,
Tue Nov 20 16:48:05 2012 : Info: [tls] error=0
Tue Nov 20 16:48:05 2012 : Info: [tls] --> User-Name = testuser
Tue Nov 20 16:48:05 2012 : Info: [tls] --> BUF-Name = a
Tue Nov 20 16:48:05 2012 : Info: [tls] --> subject = 
/O=a/OU=a/emailAddress=a/L=a/ST=a/C=aa/CN=a
Tue Nov 20 16:48:05 2012 : Info: [tls] --> issuer  = 
/O=a/OU=a/emailAddress=a/L=a/ST=a/C=aa/CN=a
Tue Nov 20 16:48:05 2012 : Info: [tls] --> verify return:1
Tue Nov 20 16:48:05 2012 : Info: [tls]     TLS_accept: SSLv3 read 
client certificate A
Tue Nov 20 16:48:05 2012 : Info: [tls] <<< TLS 1.0 Handshake [length 
0086], ClientKeyExchange
Tue Nov 20 16:48:05 2012 : Info: [tls]     TLS_accept: SSLv3 read client 
key exchange A
Tue Nov 20 16:48:05 2012 : Info: [tls] <<< TLS 1.0 Handshake [length 
0086], CertificateVerify
Tue Nov 20 16:48:05 2012 : Info: [tls] >>> TLS 1.0 Alert [length 0002], 
fatal decrypt_error
Tue Nov 20 16:48:05 2012 : Error: TLS Alert write:fatal:decrypt error
Tue Nov 20 16:48:05 2012 : Error:     TLS_accept: failed in SSLv3 read 
certificate verify B
Tue Nov 20 16:48:05 2012 : Error: rlm_eap: SSL error error:0407006A:rsa 
routines:RSA_padding_check_PKCS1_type_1:block type is not 01
Tue Nov 20 16:48:05 2012 : Error: SSL: SSL_read failed inside of TLS 
(-1), TLS session fails.
Tue Nov 20 16:48:05 2012 : Debug: TLS receive handshake failed during 
operation
Tue Nov 20 16:48:05 2012 : Info: [tls] eaptls_process returned 4
Tue Nov 20 16:48:05 2012 : Info: [eap] Handler failed in EAP/tls
Tue Nov 20 16:48:05 2012 : Info: [eap] Failed in EAP select
Tue Nov 20 16:48:05 2012 : Info: ++[eap] returns invalid
Tue Nov 20 16:48:05 2012 : Info: Failed to authenticate the user.
Tue Nov 20 16:48:05 2012 : Info: Delaying reject of request 9 for 1 seconds
Tue Nov 20 16:48:05 2012 : Debug: Going to the next request
Tue Nov 20 16:48:05 2012 : Debug: Waking up in 0.3 seconds.
Tue Nov 20 16:48:05 2012 : Info: Cleaning up request 4 ID 4 with 
timestamp +1948
Tue Nov 20 16:48:05 2012 : Debug: Waking up in 0.6 seconds.
Tue Nov 20 16:48:06 2012 : Info: Sending delayed reject for request 9
Sending Access-Reject of id 9 to 10.0.0.70 port 2050
     EAP-Message = 0x04040004
     Message-Authenticator = 0x00000000000000000000000000000000
Tue Nov 20 16:48:06 2012 : Debug: Waking up in 3.7 seconds.
Tue Nov 20 16:48:10 2012 : Info: Cleaning up request 5 ID 5 with 
timestamp +1954



I created certificates with the following commands:
--------------------------------------------------------------------

/* CA root */
openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 365 -config ./openssl.cnf

/* Certificates Request */
openssl req -new -nodes -out redpine-req.pem -keyout private/redpine-key.pem -days 365 -config ./openssl.cnf

/* Signing the certificates with ca root certificate generated in section CA root */
openssl ca -out redpine-cert.pem -days 365 -config ./openssl.cnf -infiles redpine-req.pem

Concatenating all certificates:
cat redpine-key.pem redpine-cert.pem cacert.pem > imx53.pem


Thanks & Regards,
Swaraj
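
The error in the subject line comes from the PKCS#1 v1.5 signature padding check: the verifier applies the public key from the client certificate to the CertificateVerify signature and expects the resulting block to begin with 00 01. The sketch below is an added illustration, not part of the original post and not FreeRADIUS or OpenSSL code; it assumes textbook RSA with constructed toy keys and SHA-1 as the digest, and shows one condition that produces this message, a signature made by a private key other than the one named in the certificate.

```python
import hashlib

E = 65537  # public exponent

def make_key(p, q):
    """Textbook RSA key from two primes (toy keys, constructed for this example)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent, needs Python 3.8+
    return {"n": n, "d": d, "k": (n.bit_length() + 7) // 8}

CERT_KEY = make_key(2**521 - 1, 2**607 - 1)    # key pair named in the certificate
OTHER_KEY = make_key(2**255 - 19, 2**521 - 1)  # some other private key

def pad_type_1(digest, k):
    """Build the k-byte signature block: 00 01 FF..FF 00 || digest."""
    return b"\x00\x01" + b"\xff" * (k - len(digest) - 3) + b"\x00" + digest

def sign(key, message):
    em = pad_type_1(hashlib.sha1(message).digest(), key["k"])
    return pow(int.from_bytes(em, "big"), key["d"], key["n"])

def check_type_1(block):
    """Strip type 1 padding. Only the first status string is OpenSSL's wording;
    the others are this example's own."""
    if block[:2] != b"\x00\x01":
        return None, "block type is not 01"
    sep = block.find(b"\x00", 2)
    if sep < 10 or block[2:sep] != b"\xff" * (sep - 2):
        return None, "malformed padding"
    return block[sep + 1:], "ok"

def verify(pub, signature, message):
    """Apply the certificate's public key, then check padding and digest."""
    if signature >= pub["n"]:
        return "signature out of range"
    block = pow(signature, E, pub["n"]).to_bytes(pub["k"], "big")
    digest, status = check_type_1(block)
    if digest is None:
        return status
    return "ok" if digest == hashlib.sha1(message).digest() else "bad signature"

if __name__ == "__main__":
    msg = b"constructed handshake transcript"
    print("matching key:  ", verify(CERT_KEY, sign(CERT_KEY, msg), msg))
    print("mismatched key:", verify(CERT_KEY, sign(OTHER_KEY, msg), msg))
```

With a mismatched key the public-key operation yields an effectively random block, so the check fails on the leading bytes before the digest is ever compared.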




