RADSEC testing with FR 3.1
Alex Sharaz
alex.sharaz at york.ac.uk
Fri Dec 9 12:10:36 CET 2016
OK, back to 3.0.
[Sorry Alan B, finger trouble sent the partial message before]
I'm using a local CA authority with appropriate root and intermediate certs
Root Cert is

Certificate Information:
Common Name: University of York Root CA I
Organization: University of York
Organization Unit: IT Services
Locality: York
State: North Yorkshire
Country: GB
Valid From: September 13, 2015
Valid To: October 13, 2035
Issuer: University of York Root CA I, University of York
Serial Number: .....

Intermediate Cert is

Certificate Information:
Common Name: University of York Intermediate CA I
Organization: University of York
Organization Unit: IT Services
Locality: York
State: North Yorkshire
Country: GB
Valid From: September 13, 2015
Valid To: October 13, 2035
Issuer: University of York Root CA I, University of York
Serial Number: ....

and the cert is

Certificate Information:
Common Name: radsec.york.ac.uk
Organization: University of York
Organization Unit: IT Services
Locality: York
State: North Yorkshire
Country: GB
Valid From: November 10, 2015
Valid To: December 6, 2017
Issuer: University of York Intermediate CA I, University of York
Serial Number: .....
Sending server
In /etc/freeradius/sites-enabled/tls I have
home_server prodn2.sharaz.info {
    ipv6addr = 2a03:b0c0:1:a1::a9f:8001
    port = 2083
    type = auth
    secret = radsec
    proto = tcp
    status_check = none
    tls {
        certdir = ${confdir}/certs/UoY/radsec-certs
        private_key_password = "< secret key>"
        private_key_file = ${certdir}/radsecyorkacuk.key
        # If ca_file (below) is not used, then the
        # certificate_file below MUST include not
        # only the server certificate, but ALSO all
        # of the CA certificates used to sign the
        # server certificate.
        certificate_file = ${certdir}/certAndCAs.pem
        # Trusted Root CA list
        #
        # ALL of the CA's in this list will be trusted
        # to issue client certificates for authentication.
        #
        # In general, you should use self-signed
        # certificates for 802.1x (EAP) authentication.
        # In that case, this CA file should contain
        # *one* CA certificate
        # ca_file = .........
        dh_file = ${confdir}/certs/dh
        random_file = /dev/urandom
        fragment_size = 1024
        include_length = yes
        cipher_list = "DEFAULT"
    }
}
On the receiving server in /etc/freeradius/sites-enabled/tls I've got

listen {
    ipv6addr = *
    port = 2083
    #
    # TCP and TLS sockets can accept Access-Request and
    # Accounting-Request on the same socket.
    #
    # auth = only Access-Request
    # acct = only Accounting-Request
    # auth+acct = both
    #
    type = auth+acct
    # For now, only TCP transport is allowed.
    proto = tcp
    # Send packets to the default virtual server
    virtual_server = eduroam
    clients = radsec
    .....
    tls {
        private_key_password = "A key"
        private_key_file = ${certdir}/UoY/radsec-certs/radsecyorkacuk.key
        # If Private key & Certificate are located in
        # the same file, then private_key_file &
        # certificate_file must contain the same file
        # name.
        #
        # If ca_file (below) is not used, then the
        # certificate_file below MUST include not
        # only the server certificate, but ALSO all
        # of the CA certificates used to sign the
        # server certificate.
        # File contents = cp cert.pem certAndCAs.pem; cat radsecIntermediateCA.pem >> certAndCAs.pem;
        #                 cat radsecRootCA >> certAndCAs.pem
        certificate_file = ${certdir}/UoY/radsec-certs/certAndCAs.pem
        # Trusted Root CA list
        #
        # ALL of the CA's in this list will be trusted
        # to issue client certificates for authentication.
        #
        # In general, you should use self-signed
        # certificates for 802.1x (EAP) authentication.
        # In that case, this CA file should contain
        # *one* CA certificate.
        #
        # This parameter is used only for EAP-TLS,
        # when you issue client certificates. If you do
        # not use client certificates, and you do not want
        # to permit EAP-TLS authentication, then delete
        # this configuration item.
        #ca_file = ${cadir}/UoY/radsec-certs/radsecRoot.pem
        dh_file = ${certdir}/dh
        fragment_size = 8192
        cipher_list = "DEFAULT"
        cache {
            lifetime = 24
        }
        require_client_cert = yes
    }
}

clients radsec {
    client dn0.sharaz.info {
        ipv6addr = 2a01:348:6:59d::2
        proto = tls
        secret = radsec
    }
    .....
When I run eapol_test, on the receiving server I get
Fri Dec 9 10:49:55 2016 : Debug: ... new connection request on TCP socket
Fri Dec 9 10:49:55 2016 : Debug: Listening on auth+acct from client
(2a01:348:6:59d::2, 60616) -> (::, 2083, virtual-server=eduroam)
Fri Dec 9 10:49:55 2016 : Debug: Waking up in 0.4 seconds.
Fri Dec 9 10:49:55 2016 : Debug: (0) Initiating new EAP-TLS session
Fri Dec 9 10:49:55 2016 : Debug: (0) Setting verify mode to require
certificate from client
Fri Dec 9 10:49:55 2016 : Debug: (0) Reading from socket 18
READ FROM SSL 291
00: 16 03 01 01 1e 01 00 01 1a 03 03 28 e9 b0 c4 4e
.....
Fri Dec 9 10:49:55 2016 : Debug: (0) (other): before/accept initialization
Fri Dec 9 10:49:55 2016 : Debug: (0) TLS_accept: before/accept
initialization
Fri Dec 9 10:49:55 2016 : Debug: Ignoring cbtls_msg call with pseudo
content type 256, version 0
Fri Dec 9 10:49:55 2016 : Debug: (0) <<< recv TLS 1.2 [length 011e]
Fri Dec 9 10:49:55 2016 : Debug: (0) TLS_accept: unknown state
Fri Dec 9 10:49:55 2016 : Debug: Ignoring cbtls_msg call with pseudo
content type 256, version 0
Fri Dec 9 10:49:55 2016 : Debug: (0) >>> send TLS 1.2 [length 003e]
Fri Dec 9 10:49:55 2016 : Debug: (0) TLS_accept: unknown state
Fri Dec 9 10:49:55 2016 : Debug: Ignoring cbtls_msg call with pseudo
content type 256, version 0
Fri Dec 9 10:49:55 2016 : Debug: (0) >>> send TLS 1.2 [length 0fb3]
Fri Dec 9 10:49:55 2016 : Debug: (0) TLS_accept: unknown state
Fri Dec 9 10:49:55 2016 : Debug: Ignoring cbtls_msg call with pseudo
content type 256, version 0
Fri Dec 9 10:49:55 2016 : Debug: (0) >>> send TLS 1.2 [length 014d]
Fri Dec 9 10:49:55 2016 : Debug: (0) TLS_accept: unknown state
Fri Dec 9 10:49:55 2016 : Debug: Ignoring cbtls_msg call with pseudo
content type 256, version 0
Fri Dec 9 10:49:55 2016 : Debug: (0) >>> send TLS 1.2 [length 002e]
Fri Dec 9 10:49:55 2016 : Debug: (0) TLS_accept: unknown state
Fri Dec 9 10:49:55 2016 : Debug: (0) TLS_accept: unknown state
Fri Dec 9 10:49:55 2016 : Debug: (0) TLS_accept: Need to read more data:
unknown state
Fri Dec 9 10:49:55 2016 : Debug: (0) TLS_accept: Need to read more data:
unknown state
Fri Dec 9 10:49:55 2016 : Debug: (0) In SSL Handshake Phase
Fri Dec 9 10:49:55 2016 : Debug: (0) In SSL Accept mode
Fri Dec 9 10:49:55 2016 : Debug: (0) Writing to socket 18
Fri Dec 9 10:49:55 2016 : Debug: Waking up in 0.4 seconds.
READ FROM SSL 7
00: 15 03 03 00 02 02 30
Fri Dec 9 10:49:55 2016 : Debug: Ignoring cbtls_msg call with pseudo
content type 256, version 0
Fri Dec 9 10:49:55 2016 : Debug: (0) <<< recv TLS 1.2 [length 0002]
Fri Dec 9 10:49:55 2016 : ERROR: (0) TLS Alert read:fatal:unknown CA
Fri Dec 9 10:49:55 2016 : ERROR: (0) TLS_accept: Failed in unknown state
Fri Dec 9 10:49:55 2016 : ERROR: (0) Failed in __FUNCTION__ (SSL_read)
Fri Dec 9 10:49:55 2016 : ERROR: (0) s3_pkt.c[1472]:error:14094418:SSL
routines:ssl3_read_bytes:tlsv1 alert unknown ca
Fri Dec 9 10:49:55 2016 : ERROR: (0) s3_pkt.c[1210]:error:140940E5:SSL
routines:ssl3_read_bytes:ssl handshake failure
Fri Dec 9 10:49:55 2016 : ERROR: (0) System call (I/O) error (-1)
Fri Dec 9 10:49:55 2016 : Debug: (0) FAILED in TLS handshake receive
Fri Dec 9 10:49:55 2016 : Debug: Closing TLS socket from client port 60616
Fri Dec 9 10:49:55 2016 : Debug: Client has closed connection
Fri Dec 9 10:49:55 2016 : Info: ... shutting down socket auth+acct from
client (2a01:348:6:59d::2, 60616) -> (::, 2083, virtual-server=eduroam)
Fri Dec 9 10:49:55 2016 : Debug: Waking up in 2.9 seconds.
On the sending server it says
Fri Dec 9 10:49:55 2016 : Debug: (4) proxy: Trying to allocate ID (0/2)
Fri Dec 9 10:49:55 2016 : Debug: (4) proxy: Trying to open a new listener
to the home server
Fri Dec 9 10:49:55 2016 : Debug: Trying SSL to port 2083
Fri Dec 9 10:49:55 2016 : Debug: Requiring Server certificate
Fri Dec 9 10:49:55 2016 : Debug: (0) (other): before/connect initialization
Fri Dec 9 10:49:55 2016 : Debug: (0) TLS_connect: before/connect
initialization
Fri Dec 9 10:49:55 2016 : Debug: (0) >>> send TLS 1.2 [length 011e]
Fri Dec 9 10:49:55 2016 : Debug: (0) TLS_connect: unknown state
Fri Dec 9 10:49:55 2016 : Debug: (0) <<< recv TLS 1.2 [length 003e]
Fri Dec 9 10:49:55 2016 : Debug: (0) TLS_connect: SSLv3 read server hello A
Fri Dec 9 10:49:55 2016 : Debug: (0) <<< recv TLS 1.2 [length 0fb3]
Fri Dec 9 10:49:55 2016 : Debug: (0) Creating attributes from certificate
OIDs
Fri Dec 9 10:49:55 2016 : ERROR: (0) SSL says error 19 : self signed
certificate in certificate chain
Fri Dec 9 10:49:55 2016 : Debug: (0) >>> send TLS 1.2 [length 0002]
Fri Dec 9 10:49:55 2016 : ERROR: (0) TLS Alert write:fatal:unknown CA
Fri Dec 9 10:49:55 2016 : Error: tls: TLS_connect: Error in SSLv3 read
server certificate B
Fri Dec 9 10:49:55 2016 : Error: tls: TLS_connect: Error in SSLv3 read
server certificate B
Fri Dec 9 10:49:55 2016 : Error: tls: Failed in __FUNCTION__
(SSL_connect): s3_clnt.c[1186]:error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Fri Dec 9 10:49:55 2016 : Error: tls: System call (I/O) error (-1)
Fri Dec 9 10:49:55 2016 : Error: Failed starting SSL to new proxy socket
'proxy (::, 0) -> home_server (2a03:b0c0:1:a1::a9f:8001, 2083)'
Fri Dec 9 10:49:55 2016 : Proxy: (4) Failed to insert request into the
proxy list