EAP-TLS - TLS 1.0 Alert [length 0002], fatal internal_error

PENZ Robert robert.penz at tirol.gv.at
Wed Jan 14 08:00:02 CET 2015


Hi!

We're running openssl-1.0.1e-30.el6_6.4.x86_64 and freeradius-2.1.12-6.el6.x86_64 on RHEL6. We're using EAP-TLS with Windows clients and IP phones with no problems. Now we want to add MFD systems from Canon as clients as well, and we get the following OpenSSL error while running FreeRADIUS in debug mode. The error already happens on the second packet the RADIUS server gets from the MFD.

First Packet:

Tue Jan 13 16:19:31 2015 : Debug: Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.15.132.2 port 39460, id=212, length=143
        User-Name = "jwf68365.mfp.tirol.local"
        EAP-Message = 0x0212001d016a776636383336352e6d66702e7469726f6c2e6c6f63616c
        NAS-IP-Address = 10.15.132.2
        Service-Type = Login-User
        Calling-Station-Id = "F4-81-39-C8-00-CE"
        NAS-Port-Id = "1:3"
        NAS-Port = 1003
        NAS-Port-Type = Ethernet
        Message-Authenticator = 0x46be9f4cbce0fb5c68c67280b8ff5784
....
Tue Jan 13 16:19:31 2015 : Info: [eap] EAP Identity
Tue Jan 13 16:19:31 2015 : Info: [eap] processing type tls
Tue Jan 13 16:19:31 2015 : Info: [tls] Requiring client certificate
Tue Jan 13 16:19:31 2015 : Info: [tls] Initiate
Tue Jan 13 16:19:31 2015 : Info: [tls] Start returned 1
....
Sending Access-Challenge of id 212 to 10.15.132.2 port 39460
        EAP-Message = 0x011300060d20
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xea9fd73aea8cdaa07914c31bfc979134

Second Packet:

Tue Jan 13 16:19:31 2015 : Debug: Going to the next request
Tue Jan 13 16:19:31 2015 : Debug: Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.15.132.2 port 39460, id=213, length=239
        User-Name = "jwf68365.mfp.tirol.local"
        EAP-Message = 0x0213006b0d8000000061160301005c01000058030154b537821306fa9c57603eb40ab2f22a9b3cdcc496fa91589413aa835503a4d400001e002f0035000400050009000a00030008c013c014c009c00a00330039001601000011000a00080006001700180019000b000100
        NAS-IP-Address = 10.15.132.2
        Service-Type = Login-User
        Calling-Station-Id = "F4-81-39-C8-00-CE"
        NAS-Port-Id = "1:3"
        NAS-Port = 1003
        NAS-Port-Type = Ethernet
        State = 0xea9fd73aea8cdaa07914c31bfc979134
        Message-Authenticator = 0x2482cae69f6e75122c8a7fd7bbbf72a2
.......
Tue Jan 13 16:19:31 2015 : Info: [eap] EAP packet type response id 19 length 107
Tue Jan 13 16:19:31 2015 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation
Tue Jan 13 16:19:31 2015 : Info: +++[eap] returns updated
Tue Jan 13 16:19:31 2015 : Info: ++- else else returns updated
Tue Jan 13 16:19:31 2015 : Info: Found Auth-Type = EAP
Tue Jan 13 16:19:31 2015 : Info: # Executing group from file /etc/raddb//sites-enabled/default
Tue Jan 13 16:19:31 2015 : Info: +- entering group EAP {...}
Tue Jan 13 16:19:31 2015 : Info: [eap] Request found, released from the list
Tue Jan 13 16:19:31 2015 : Info: [eap] EAP/tls
Tue Jan 13 16:19:31 2015 : Info: [eap] processing type tls
Tue Jan 13 16:19:31 2015 : Info: [tls] Authenticate
Tue Jan 13 16:19:31 2015 : Info: [tls] processing EAP-TLS
Tue Jan 13 16:19:31 2015 : Debug:   TLS Length 97
Tue Jan 13 16:19:31 2015 : Info: [tls] Length Included
Tue Jan 13 16:19:31 2015 : Info: [tls] eaptls_verify returned 11 
Tue Jan 13 16:19:31 2015 : Info: [tls]     (other): before/accept initialization
Tue Jan 13 16:19:31 2015 : Info: [tls]     TLS_accept: before/accept initialization
Tue Jan 13 16:19:31 2015 : Info: [tls] <<< TLS 1.0 Handshake [length 005c], ClientHello  
Tue Jan 13 16:19:31 2015 : Info: [tls] >>> TLS 1.0 Alert [length 0002], fatal internal_error  
Tue Jan 13 16:19:31 2015 : Error: TLS Alert write:fatal:internal error
Tue Jan 13 16:19:31 2015 : Error:     TLS_accept: error in SSLv3 read client hello C
Tue Jan 13 16:19:31 2015 : Error: rlm_eap: SSL error error:1408A0E3:SSL routines:SSL3_GET_CLIENT_HELLO:parse tlsext
Tue Jan 13 16:19:31 2015 : Error: SSL: SSL_read failed in a system call (-1), TLS session fails.
Tue Jan 13 16:19:31 2015 : Debug: TLS receive handshake failed during operation
Tue Jan 13 16:19:31 2015 : Info: [tls] eaptls_process returned 4 
Tue Jan 13 16:19:31 2015 : Info: [eap] Handler failed in EAP/tls
Tue Jan 13 16:19:31 2015 : Info: [eap] Failed in EAP select
....
Sending Access-Reject of id 213 to 10.15.132.2 port 39460
        EAP-Message = 0x04130004
        Message-Authenticator = 0x00000000000000000000000000000000

Regards,
Robert Penz
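
Added example, not part of the original post: a Python decode of the EAP-Message from the second Access-Request above, walking the EAP-TLS framing and the ClientHello down to its extensions, which is the part the `parse tlsext` error refers to. The function names are illustrative assumptions, and the parser handles only a single unfragmented ClientHello like the one in this capture.

```python
import struct

# EAP-Message of the second Access-Request in the post, split by field.
EAP_HEX = (
    "0213006b0d8000000061"        # EAP code/id/length, type 13, flags, TLS length
    "160301005c010000580301"      # TLS record hdr, handshake hdr, client_version
    "54b537821306fa9c57603eb40ab2f22a9b3cdcc496fa91589413aa835503a4d4"  # random
    "00001e002f0035000400050009000a00030008c013c014c009c00a003300390016"
    "01000011000a00080006001700180019000b000100"
)

def parse_eap_tls_client_hello(eap: bytes) -> dict:
    """Return EAP id, TLS length, cipher suites and raw extensions."""
    _code, ident, eap_len, eap_type, flags = struct.unpack_from("!BBHBB", eap, 0)
    if eap_type != 13 or eap_len != len(eap):
        raise ValueError("not a complete EAP-TLS packet")
    off, tls_len = 6, None
    if flags & 0x80:              # L bit: 4-byte TLS message length follows
        (tls_len,) = struct.unpack_from("!I", eap, off)
        off += 4
    rec = eap[off:]
    ctype, _ver, rec_len = struct.unpack_from("!BHH", rec, 0)
    hs = rec[5:5 + rec_len]
    if ctype != 22 or len(hs) != rec_len or hs[0] != 1:
        raise ValueError("expected one unfragmented ClientHello record")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                  # skip client_version and random
    pos += 1 + body[pos]          # skip session_id
    (cs_len,) = struct.unpack_from("!H", body, pos)
    suites = [struct.unpack_from("!H", body, pos + 2 + i)[0]
              for i in range(0, cs_len, 2)]
    pos += 2 + cs_len
    pos += 1 + body[pos]          # skip compression_methods
    (ext_total,) = struct.unpack_from("!H", body, pos)
    pos += 2
    if pos + ext_total != len(body):
        raise ValueError("extensions length does not match ClientHello body")
    exts = {}
    while pos < len(body):
        etype, elen = struct.unpack_from("!HH", body, pos)
        exts[etype] = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
    return {"eap_id": ident, "tls_len": tls_len, "suites": suites, "extensions": exts}

def empty_point_formats(exts: dict) -> bool:
    """True if ec_point_formats (type 11) is present with a zero-length list."""
    data = exts.get(11)
    return data is not None and len(data) >= 1 and data[0] == 0
```

On this capture the ec_point_formats extension (type 11) carries a zero-length list, which RFC 4492 defines as holding at least one entry; the post itself does not establish whether that is what OpenSSL rejects.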


More information about the Freeradius-Users mailing list