Server certificate confusion
Nick Howitt
nick at howitts.co.uk
Tue Apr 17 10:46:04 CEST 2018
I am having problems with the server certificate. If I create a server
certificate without the XP Extensions, using eapol_test I can get a
validation success, but Windows clients give an 0x80420101 error. If I
redo the certificates with the XP Extensions I see the following in the
certificate:
X509v3 extensions:
    X509v3 Extended Key Usage:
        TLS Web Server Authentication
    X509v3 CRL Distribution Points:
        Full Name:
          URI:http://www.example.com/example_ca.crl
But eapol_test ends in failure with the following part way through:
TLS: Certificate verification failed, error 7 (certificate signature failure) depth 0 for '/C=FR/ST=Radius/O=Example Inc./CN=Example Certificate Authority/emailAddress=admin at example.org'
CTRL-EVENT-EAP-TLS-CERT-ERROR reason=0 depth=0 subject='/C=FR/ST=Radius/O=Example Inc./CN=Example Certificate Authority/emailAddress=admin at example.org' err='certificate signature failure'
EAP: Status notification: remote certificate verification (param=certificate signature failure)
and "radiusd -X" gives:
(29) eap_tls: Done initial handshake
(29) eap_tls: <<< recv TLS 1.2 [length 0002]
(29) eap_tls: ERROR: TLS Alert read:fatal:decrypt error
(29) eap_tls: ERROR: TLS_accept: Failed in SSLv3 read client certificate A
(29) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read)
(29) eap_tls: ERROR: error:1409441B:SSL routines:ssl3_read_bytes:tlsv1 alert decrypt error
(29) eap_tls: ERROR: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
(29) eap_tls: ERROR: System call (I/O) error (-1)
(29) eap_tls: ERROR: TLS receive handshake failed during operation
(29) eap_tls: ERROR: [eaptls process] = fail
(29) eap: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module failed
(29) eap: Sending EAP Failure (code 4) ID 5 length 4
Do you know what I'm doing wrong?
TIA, Nick