Problem setting up EAP-TLS with hostap

Chris Anderson cjanderson at yandex.com
Sun Jan 12 23:32:17 CET 2014


Thank you all. I got it working but using the certificates that I have for openvpn.

The strange thing is that when you actually do a dump of the key using the build system (Makefiles and cnf) in the gentoo /etc/raddb/certs directory the length is zero. There doesn't appear to be a key in there.

But all I needed to know was that I was heading in the right direction.

Kind regards

Chris

12.01.2014, 13:12, "Alan DeKok" <aland at deployingradius.com>:
> Chris Anderson wrote:
>
>>  When I run freeradius with the -X option I get the following log
>
>   Attaching it in-line or as a ".txt" file would have been friendlier.
>
>   Anyways, the key lines are:
>
> [tls] <<< TLS 1.0 Alert [length 0002], fatal decrypt_error
> TLS Alert read:fatal:decrypt error
>     TLS_accept: failed in SSLv3 read client certificate A
> rlm_eap: SSL error error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1
> alert decrypt error
>
>   Your certificates / CA don't match.  SSL isn't magic, but it is fragile.
>
>   Follow the instructions on my web site: http://deployingradius.com/
>
>   Once you have it working with test certificates, then follow the
> *same* procedure with real certificates.  It *will* work.
>
>   The only way to keep SSL happy is a careful application of procedure.
>  If you skip a step, then the certificate chain doesn't make sense to
> SSL, and it will fail.
>
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
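
Added example (not part of the original thread and not FreeRADIUS code): a shell check for the two conditions discussed above, a zero-length or unreadable private key and a server certificate that does not match its key or its CA. The function names, result words, file arguments and the `KEY_PASS` variable are assumptions for illustration.

```shell
#!/bin/sh
# Added example: check an EAP-TLS server key/cert/CA set before starting radiusd.
# Arguments are placeholder file names; KEY_PASS is a hypothetical env variable
# holding the private key passphrase (empty for an unencrypted key).

# Public key embedded in a certificate, as PEM.
cert_pub() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Public key derived from a private key, as PEM.
key_pub() { openssl pkey -in "$1" -passin "pass:${KEY_PASS:-}" -pubout 2>/dev/null; }

# check_eap_certs CA_FILE CERT_FILE KEY_FILE
# Prints one result word and returns 0 only when everything is consistent.
check_eap_certs() {
    ca=$1 cert=$2 key=$3
    # A zero-length key file: the build produced no key at all.
    [ -s "$key" ] || { echo EMPTY_KEY; return 1; }
    kp=$(key_pub "$key") || { echo BAD_KEY; return 2; }
    cp=$(cert_pub "$cert") || { echo BAD_CERT; return 3; }
    # The certificate must carry the public half of this private key.
    [ "$kp" = "$cp" ] || { echo KEY_MISMATCH; return 4; }
    # The certificate must chain to the CA that clients are told to trust
    # (this also fails on an expired or not-yet-valid certificate).
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || { echo CHAIN_FAIL; return 5; }
    echo OK
}

# Run directly: sh check.sh ca.pem server.pem server.key
if [ "$#" -eq 3 ]; then check_eap_certs "$@"; fi
```

Any result other than `OK` points at the step of the certificate procedure that needs to be redone before testing the supplicant again.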

