EAP-TLS / OpenSSL Debug Output

Ben Humpert ben at an3k.de
Wed May 27 17:13:54 CEST 2015 

2015-05-27 16:11 GMT+02:00 Alan DeKok <aland at deployingradius.com>:
> On May 26, 2015, at 6:27 PM, Ben Humpert <ben at an3k.de> wrote:
>
>   Because it's not validating the CA cert in that case.
>
[...]
>
>   Exactly.
>
[...]
>
>   Yes.
>

Thanks for clarification!

>> The debug output of the failing Android EAP-TLS attempt is below - in
>> case someone is interested.
>>
>> Wed May 27 00:10:44 2015 : Debug: (89) eap_tls: <<< TLS 1.0 Alert
>> [length 0002], fatal unknown_ca
>> Wed May 27 00:10:44 2015 : ERROR: (89) eap_tls: TLS Alert read:fatal:unknown CA
>> Wed May 27 00:10:44 2015 : ERROR: (89) eap_tls: TLS_accept: Failed in
>> SSLv3 read client certificate A
>
>   The client certificate was signed by a CA unknown to FreeRADIUS.  You need to put the CA in the raddb/certs directory, and configure FreeRADIUS to read it.

The client certificate is signed by the same CA (Signing CA) that also
signed the server certificate. If I specify the Signing CA cert in
ca_file and try to connect with Android (with the Signing CA cert
specified) I get the 'unknown CA' error. If I disable ca certificate
in Android I get

Wed May 27 16:53:25 2015 : Debug: (12) eap: Peer sent method TLS (13)
Wed May 27 16:53:25 2015 : Debug: (12) eap: EAP TLS (13)
Wed May 27 16:53:25 2015 : Debug: (12) eap: Calling eap_tls to process EAP data
Wed May 27 16:53:25 2015 : Debug: (12) eap_tls: Authenticate
Wed May 27 16:53:25 2015 : Debug: (12) eap_tls: processing EAP-TLS
Wed May 27 16:53:25 2015 : Debug: (12) eap_tls: eaptls_verify returned 7
Wed May 27 16:53:25 2015 : Debug: (12) eap_tls: Done initial handshake
Wed May 27 16:53:25 2015 : Debug: (12) eap_tls: <<< TLS 1.0 Handshake
[length 04ac], Certificate
Wed May 27 16:53:25 2015 : Debug: (12) eap_tls: TLS Verify adding attributes
Wed May 27 16:53:25 2015 : Debug: (12) eap_tls:
&request:TLS-Cert-Serial := 'b24773ef84a841ea922f418cb40c6a24'
Wed May 27 16:53:25 2015 : Debug: (12) eap_tls:
&request:TLS-Cert-Expiration := '200521225429Z'
Wed May 27 16:53:25 2015 : Debug: (12) eap_tls:
&request:TLS-Cert-Subject := '/C=DE/ST=DE-BY/O=Example
Company/CN=Signing CA'
Wed May 27 16:53:25 2015 : Debug: (12) eap_tls:
&request:TLS-Cert-Issuer := '/C=DE/O=Example Company/CN=Root CA'
Wed May 27 16:53:25 2015 : Debug: (12) eap_tls:
&request:TLS-Cert-Common-Name := 'Signing CA'
Wed May 27 16:53:25 2015 : ERROR: (12) eap_tls:   SSL says error 2 :
unable to get issuer certificate
Wed May 27 16:53:25 2015 : Debug: (12) eap_tls: >>> TLS 1.0 Alert
[length 0002], fatal unknown_ca
Wed May 27 16:53:25 2015 : ERROR: (12) eap_tls: TLS Alert write:fatal:unknown CA
Wed May 27 16:53:25 2015 : Error: tls: TLS_accept: Error in SSLv3 read
client certificate B
Wed May 27 16:53:25 2015 : ERROR: (12) eap_tls: SSL says:
error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate
returned
Wed May 27 16:53:25 2015 : Error: SSL: SSL_read failed in a system
call (-1), TLS session fails.

This is because the server doesn't know the complete chain. Thus I now
specify ChainedCert.crt in ca_file which contains the Signing CA cert
in PEM format followed by the Root CA cert in PEM format. If I try to
connect now (still with no ca certificate specified in Android) I can
connect.

If I now select the Signing CA cert in Android as ca certificate again
I still get the 'unknown CA' error. If I instead specify the Root CA
cert in Android I get

Wed May 27 17:03:25 2015 : Debug: (26) eap: Peer sent method TLS (13)
Wed May 27 17:03:25 2015 : Debug: (26) eap: EAP TLS (13)
Wed May 27 17:03:25 2015 : Debug: (26) eap: Calling eap_tls to process EAP data
Wed May 27 17:03:25 2015 : Debug: (26) eap_tls: Authenticate
Wed May 27 17:03:25 2015 : Debug: (26) eap_tls: processing EAP-TLS
Wed May 27 17:03:25 2015 : Debug: (26) eap_tls: eaptls_verify returned 7
Wed May 27 17:03:25 2015 : Debug: (26) eap_tls: Done initial handshake
Wed May 27 17:03:25 2015 : Debug: (26) eap_tls: <<< TLS 1.0 Alert
[length 0002], fatal certificate_unknown
Wed May 27 17:03:25 2015 : ERROR: (26) eap_tls: TLS Alert
read:fatal:certificate unknown
Wed May 27 17:03:25 2015 : ERROR: (26) eap_tls: TLS_accept: Failed in
SSLv3 read client certificate A
Wed May 27 17:03:25 2015 : ERROR: (26) eap_tls: SSL says:
error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
unknown
Wed May 27 17:03:25 2015 : Error: SSL: SSL_read failed inside of TLS
(-1), TLS session fails.
Wed May 27 17:03:25 2015 : Debug: TLS receive handshake failed during operation
Wed May 27 17:03:25 2015 : Debug: (26) eap_tls: eaptls_process returned 4
Wed May 27 17:03:25 2015 : ERROR: (26) eap: Failed continuing EAP TLS
(13) session. EAP sub-module failed

In my raddb/certs directory I have the SigningCA.crt, the RootCA.crt,
radius.crt (specified as certificate_file), radius.key
(private_key_file) and ChainedCA.crt (ca_file).

More information about the Freeradius-Users mailing list