eap_peap: ERROR: TLS Alert read:fatal:unknown CA

Alan DeKok aland at deployingradius.com
Tue Nov 26 14:22:32 CET 2019

> On Nov 26, 2019, at 7:11 AM, L. Rose <lists at lrose.de> wrote:
> On 11/19/19 9:05 PM, Alan DeKok wrote:
>>   That's just a merge commit.  The actual change is in 8e54822dcaf1.  Which just sets a flag in OpenSSL.
>>   It shouldn't change anything.
> Yes, that's what I thought as well. Despite it's only a flag in OpenSSL, it's the commit where it stops working
>>   What do your certificate chains look like?  Maybe OpenSSL is getting the certificate chains wrong.
>>   Try setting "auto_chain = no" in mods-available/eap.  Be aware though that this means you will need to order the certificates yourself.  i.e. "certificate_file" will have to contain the entire certificate chain, in order.
> I added auto_chain = no in mods-available/eap within the tls { ... } section, but the behavior didn't change. It still only works when the client does not check the certificate. Any further ideas? The certificate chain is attached.

  Maybe set "min_tls_version = 1.2"

  In the end, this is a certificate / OpenSSL issue.  FreeRADIUS just calls OpenSSL for the SSL magic.  If there's an issue with that, it is very rarely the fault of FreeRADIUS.

  Alan DeKok.

More information about the Freeradius-Users mailing list