Troubleshooting "TLS failed during operation" with EAP-TLS

Alan DeKok aland at deployingradius.com
Fri Jun 5 21:35:43 CEST 2020


On Jun 5, 2020, at 1:42 PM, Michael Parks <mparks at tkware.info> wrote:
> 
> Let's see..
> 
> (5) eap_peap: Continuing EAP-TLS
> (5) eap_peap: Peer indicated complete TLS record size will be 7 bytes
> (5) eap_peap: Got complete TLS record (7 bytes)
> (5) eap_peap: [eaptls verify] = length included
> (5) eap_peap: HERE 700
> (5) eap_peap: HERE 702
> (5) eap_peap: <<< recv TLS 1.2  [length 0002] 
> (5) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server done
> (5) eap_peap: HERE 723
> (5) eap_peap: TLS - In Handshake Phase
> (5) eap_peap: TLS - Application data.
> (5) eap_peap: HERE 842
> (5) eap_peap: ERROR: TLS failed during operation
> (5) eap_peap: ERROR: [eaptls process] = fail
> (5) eap: ERROR: Failed continuing EAP PEAP (25) session.  EAP sub-module failed
> 
> 842 being above the function's final "return 1".

  Weird.  So it looks like now the error is happening in eaptls_process().  It's not clear why.  In 99% of the code paths, it prints a descriptive error message.  The other code paths are memory allocation failures.

> I got curious and hooked it up to gdb and stepped through to the failure point. The "TLS failed during operation" error is coming out of modules/rlm_eap/libeap/eap_tls.c:756. The contents of tls_session->dirty_out at the time were:

  Random TLS stuff.

> ..which, given prior experience with MikroTik, leads me to believe that this router is talking nonsense to RADIUS.

  No, it's just TLS stuff.  It can be ignored.

  So the question now is why is eaptls_process() failing.  You can use the same debug tricks to watch that function.

  Alan DeKok.



