<div>Hi All</div>
<div> </div>
<div>I am attempting to authenticate with EAP-TLS using the eapol_test tool against FreeRADIUS Version 2.0.3.</div>
<div>For the last two days I have been getting stumped by certificate issues. Currently I have the following error in my</div>
<div>FreeRADIUS log that seems to be the problem.</div>
<div> </div>
<div> </div>
<div>Wed May 21 19:31:19 2008 : Debug: rlm_eap_tls: Done initial handshake<br>Wed May 21 19:31:19 2008 : Debug: rlm_eap_tls: <<< TLS 1.0 Handshake [length 038d], Certificate <br>Wed May 21 19:31:19 2008 : <strong><u>Error: --> verify error:num=20:unable to get local issuer certificate</u></strong> <br>
Wed May 21 19:31:19 2008 : Debug: rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal unknown_ca <br>Wed May 21 19:31:19 2008 : Error: TLS Alert write:fatal:unknown CA <br>Wed May 21 19:31:19 2008 : Error: TLS_accept:error in SSLv3 read client certificate B <br>
Wed May 21 19:31:19 2008 : Error: rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned<br>Wed May 21 19:31:19 2008 : Error: rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.<br>
Wed May 21 19:31:19 2008 : Debug: eaptls_process returned 13 </div>
<div> </div>
<div>From searching around the net I found that one issue could be that my SSL does not understand</div>
<div>that server.pem is a trusted CA. To make that happen I created hashes using the following command,</div>
<div> </div>
<div><em>ln -s client.pem `openssl x509 -hash -noout -in client.pem`.0</em></div>
<div> </div>
<div>for ca.pem/server.pem and client.pem. I then pasted the hashes and .pem files into /usr/share/ssl/certs </div>
<div>folder too (out of desperation :) ). After this if I ran the command "openssl verify *.pem" in .../raddb/certs</div>
<div>folder, it would return OK for all pem files. IMO this is the best way to test that all certificates are in order.</div>
<div>I also used the command "openssl verify -CApath . *.pem" (picked it up from Makefile) and it returned OK too.</div>
<div> </div>
<div>I must add here that my setup is totally as per the docs/config file explanations. The radiusd.conf is configured to</div>
<div>use EAP as per the default config, and the certs are made by running the make command in raddb/certs folder.</div>
<div>I commented out bootstrap for my exploration. I ran "make client.pem" to create client certificates.</div>
<div> </div>
<div>The supplicant client uses the following configuration file:</div>
<div> </div>
<div>network={<br> ssid="1x-test"<br> key_mgmt=WPA-EAP<br> eap=TLS<br> identity="user@example.com"<br> ca_cert="/usr/local/etc/raddb/certs/ca.pem"<br>
client_cert="/usr/local/etc/raddb/certs/user@example.com.pem"<br> private_key="/usr/local/etc/raddb/certs/client.key"<br> private_key_passwd="whatever"<br> eapol_flags=3<br>
}</div>
<div> </div>
<div> </div>
<div>Since the logs are big enough to be a torture for people reading in digest mode, I have put them at</div>
<div><a href="http://naunidh.googlepages.com/logs">http://naunidh.googlepages.com/logs</a></div>
<div> </div>
<div>It has the output of radiusd -XXX followed by the logs of the eapol_test tool.</div>
<div> </div>
<div>My OpenSSL version is 9.7a (supported by FreeRADIUS). My next step would be to upgrade this, but it does not</div>
<div>look like an OpenSSL issue. Upgrading it would be a pain at the moment as a lot of people are dependent on the</div>
<div>setup, but this is the only recourse left from my side.</div>
<div> </div>
<div>Any help would be greatly appreciated.</div>
<div>Sorry for the long mail, but I could not shorten it any more without missing something important.</div>
<div> </div>
<div>Thanks All</div>
<div> </div>
<div>-</div>
<div>Naunidh</div>
<div> </div>
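<div>An added example, not part of the mail above and not FreeRADIUS code: it turns the two checks in the mail (hash-linking CA certificates into a CApath directory, then running openssl verify against it) into shell functions that verify against that directory only, so a client certificate issued by an unrelated CA fails with the same num=20 "unable to get local issuer certificate" rather than being rescued by whatever was copied into the system store. It assumes a modern openssl on PATH (0.9.7 computed the subject hash differently; openssl x509 -subject_hash_old reproduces that value for a directory read by such a build); function and file names are mine.</div>

```sh
#!/bin/sh
# Added example (not from the mail): rebuild a CApath hash directory the way
# the post does (one <subject-hash>.0 symlink per CA) and verify certificates
# against that directory ONLY, so a cert from an unrelated CA fails with
# "unable to get local issuer certificate" instead of being rescued by the
# system store.  Assumes a modern openssl on PATH; 0.9.7 used an older hash,
# reproducible with "openssl x509 -subject_hash_old".
set -u

# Create <hash>.0 links for every CA PEM given, inside $capath.
rehash_capath() {
    capath=$1; shift
    mkdir -p "$capath" || return 1
    for pem in "$@"; do
        h=$(openssl x509 -hash -noout -in "$pem") || return 1
        abs="$(cd "$(dirname "$pem")" && pwd)/$(basename "$pem")"
        ln -sf "$abs" "$capath/$h.0" || return 1
    done
}

# Verify one certificate strictly against the CApath directory: -no-CAfile and
# -no-CApath (OpenSSL 1.1.0+) stop the default system locations being
# consulted as well.  Prints openssl's reason and returns its exit status.
verify_against_capath() {
    capath=$1; cert=$2
    out=$(openssl verify -no-CAfile -no-CApath -CApath "$capath" "$cert" 2>&1)
    rc=$?
    printf '%s\n' "$out"
    return $rc
}

# Build a throwaway CA plus one client certificate signed by it in $dir.
# Constructed test material, not the raddb/certs Makefile output.
make_test_pki() {
    dir=$1; name=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$name CA" \
        -keyout "$dir/$name-ca.key" -out "$dir/$name-ca.pem" 2>/dev/null \
    && openssl req -newkey rsa:2048 -nodes -subj "/CN=user@example.com" \
        -keyout "$dir/$name-client.key" -out "$dir/$name-client.csr" 2>/dev/null \
    && openssl x509 -req -days 1 -in "$dir/$name-client.csr" \
        -CA "$dir/$name-ca.pem" -CAkey "$dir/$name-ca.key" -CAcreateserial \
        -out "$dir/$name-client.pem" 2>/dev/null
}
```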