EAP-TLS - TLS 1.0 Alert [length 0002], fatal internal_error

Alan DeKok aland at deployingradius.com
Wed Jan 14 17:44:38 CET 2015


On Jan 14, 2015, at 2:00 AM, PENZ Robert <ROBERT.PENZ at TIROL.GV.AT> wrote:
> We're running openssl-1.0.1e-30.el6_6.4.x86_64 and freeradius-2.1.12-6.el6.x86_64 on

  Upgrade to 2.2.6.  You don’t have to put it in production, but you can at least test it.

  If 2.2.6 works… then upgrade your production systems to it.

> a RHEL6. We're using EAP-TLS with Windows clients and IP phones with no problems. Now we want to add MFD systems from Canon also as clients and we get the following openssl error while running free radius in debug mode.  The error happens already on the second packet the radius server gets from the MFD.

  Many vendors have *terrible* implementations of EAP.  They should just use wpa_supplicant.

> Tue Jan 13 16:19:31 2015 : Info: [tls] <<< TLS 1.0 Handshake [length 005c], ClientHello  
> Tue Jan 13 16:19:31 2015 : Info: [tls] >>> TLS 1.0 Alert [length 0002], fatal internal_error  
> Tue Jan 13 16:19:31 2015 : Error: TLS Alert write:fatal:internal error

  Something bad happened in OpenSSL.

> Tue Jan 13 16:19:31 2015 : Error:     TLS_accept: error in SSLv3 read client hello C
> Tue Jan 13 16:19:31 2015 : Error: rlm_eap: SSL error error:1408A0E3:SSL routines:SSL3_GET_CLIENT_HELLO:parse tlsext

  Hmm… OpenSSL doesn’t like the tls extensions sent by the Canon systems.

  In short.. there’s little you can do.  Call Canon and tell them to test their systems with OpenSSL.

  This is all weird SSL stuff that I try to avoid.  SSL is insanely complicated.  The OpenSSL code is worse. :(

  Alan DeKok.
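The "SSL3_GET_CLIENT_HELLO:parse tlsext" error in the debug output is OpenSSL refusing a ClientHello whose extensions block does not hold together (a length field promising bytes that are not there, or an extension whose inner length overruns the outer block), which is why the server answers with a fatal alert on the very first handshake message. The following is an added example, not code from the thread or from FreeRADIUS/OpenSSL: a small ClientHello parser that applies the same length checks, run over constructed messages (a well-formed hello with SNI and ec_point_formats extensions, one whose inner extension length overruns, and one that is truncated). The builder, the constant names and the sample host name are assumptions made for the example; only the extension type numbers and cipher-suite codes are real registry values. A defender who captures the MFD's first packet (for example with tcpdump on the RADIUS port and extracting the EAP-TLS payload) can feed its ClientHello body to a checker like this to see which field the peer gets wrong before opening a vendor ticket.

```python
import struct

# Extension type numbers from the IANA TLS ExtensionType registry (real values).
EXT_SERVER_NAME = 0x0000
EXT_EC_POINT_FORMATS = 0x000b


def _take(buf: bytes, pos: int, n: int, what: str):
    """Return buf[pos:pos+n] and the new offset, or raise if the field is truncated."""
    if pos + n > len(buf):
        raise ValueError(f"truncated {what}: need {n} byte(s) at offset {pos}, "
                         f"only {len(buf) - pos} left")
    return buf[pos:pos + n], pos + n


def parse_client_hello(body: bytes) -> dict:
    """Parse a ClientHello body (the bytes after the 4-byte Handshake header), RFC 5246 7.4.1.2.

    Every length field is checked against the bytes actually present; any mismatch raises
    ValueError, the class of failure a TLS server reports as a ClientHello parse error and
    answers with a fatal alert."""
    pos = 0
    version, pos = _take(body, pos, 2, "client_version")
    _random, pos = _take(body, pos, 32, "random")
    sid_len, pos = _take(body, pos, 1, "session_id length")
    session_id, pos = _take(body, pos, sid_len[0], "session_id")
    cs_len_raw, pos = _take(body, pos, 2, "cipher_suites length")
    cs_len = struct.unpack("!H", cs_len_raw)[0]
    if cs_len == 0 or cs_len % 2:
        raise ValueError(f"bad cipher_suites length {cs_len}")
    cs_raw, pos = _take(body, pos, cs_len, "cipher_suites")
    cipher_suites = [struct.unpack("!H", cs_raw[i:i + 2])[0] for i in range(0, cs_len, 2)]
    cm_len, pos = _take(body, pos, 1, "compression_methods length")
    if cm_len[0] == 0:
        raise ValueError("empty compression_methods")
    _comp, pos = _take(body, pos, cm_len[0], "compression_methods")

    extensions = []
    if pos < len(body):  # the extensions block is optional in TLS 1.0-1.2
        ext_len_raw, pos = _take(body, pos, 2, "extensions length")
        ext_len = struct.unpack("!H", ext_len_raw)[0]
        block, pos = _take(body, pos, ext_len, "extensions block")
        if pos != len(body):
            raise ValueError(f"{len(body) - pos} trailing byte(s) after extensions block")
        p = 0
        while p < len(block):
            hdr, p = _take(block, p, 4, "extension header")
            ext_type, ext_data_len = struct.unpack("!HH", hdr)
            data, p = _take(block, p, ext_data_len, f"extension 0x{ext_type:04x} data")
            extensions.append((ext_type, data))
    return {"version": (version[0], version[1]), "session_id": session_id,
            "cipher_suites": cipher_suites, "extensions": extensions}


def check_client_hello(body: bytes):
    """Return ("ok", "") or ("reject", reason) instead of raising."""
    try:
        parse_client_hello(body)
        return "ok", ""
    except ValueError as e:
        return "reject", str(e)


def build_client_hello(ext_block=None) -> bytes:
    """Assemble a minimal TLS 1.0 ClientHello body around a raw extensions block (constructed)."""
    suites = struct.pack("!HH", 0x002f, 0x0035)  # TLS_RSA_WITH_AES_128_CBC_SHA, ..._256_CBC_SHA
    body = (b"\x03\x01" + bytes(32)              # version 3.1 (TLS 1.0), all-zero random
            + b"\x00"                            # empty session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                       # one compression method: null
    if ext_block is not None:
        body += struct.pack("!H", len(ext_block)) + ext_block
    return body


def _ext(ext_type: int, data: bytes) -> bytes:
    return struct.pack("!HH", ext_type, len(data)) + data


# Constructed sample messages (host name is a placeholder, not from the thread).
_name = b"radius.example"
SNI_DATA = struct.pack("!H", len(_name) + 3) + b"\x00" + struct.pack("!H", len(_name)) + _name
GOOD_HELLO = build_client_hello(_ext(EXT_SERVER_NAME, SNI_DATA)
                                + _ext(EXT_EC_POINT_FORMATS, b"\x01\x00"))
# Outer extensions length is consistent, but the inner header claims 5 data bytes and only 2 follow.
OVERRUN_HELLO = build_client_hello(struct.pack("!HH", EXT_EC_POINT_FORMATS, 5) + b"\x01\x00")
# Extensions length field promises more bytes than the message carries.
TRUNCATED_HELLO = GOOD_HELLO[:-3]

if __name__ == "__main__":
    for label, hello in (("good", GOOD_HELLO), ("overrun", OVERRUN_HELLO),
                         ("truncated", TRUNCATED_HELLO)):
        print(label, check_client_hello(hello))
```

The checker stops at the first inconsistent field and names it, which is more useful than OpenSSL's single "parse tlsext" string when you need to tell a vendor exactly which length their firmware encodes wrongly.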


