<div dir="ltr">Thanks for your replies. <div>Not sure, maybe the problem is importing the client cert file via keytool. Because I create the Radius Client in code and send authentication request. I will look for how to set client cert file in my code.</div>
<div><br></div><div><br></div><div>Thanks & Regards,</div><div><br></div><div><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Nov 27, 2013 at 5:47 PM, John Dennis <span dir="ltr"><<a href="mailto:jdennis@redhat.com" target="_blank">jdennis@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">On 11/27/2013 10:15 AM, Esma Yalcinkaya wrote:<br>
> My application runs on glassfish server, so I import the cert files to<br>
> keystore. Also tried to import cert files to cacerts<br>
> directory(/java/jdk1.6.0_34/jre/lib/security/cacerts) but it did not work.<br>
><br>
> I import the server.crt too, and try to authenticate now, but nothing<br>
> has changed.<br>
><br>
> I am continuing to debug the logs(server logs, freeradius logs etc).<br>
><br>
> Let me ask a question, I am new at freeradius. Although this error<br>
> occurs for SSLv3 read client certificate B, there is no error occurance<br>
> for certificate A like below.<br>
><br>
> [tls] TLS_accept: SSLv3 write certificate request A<br>
> [tls] TLS_accept: SSLv3 flush data<br>
> [tls] TLS_accept: Need to read more data: SSLv3 read client<br>
> certificate A<br>
><br>
> I did not unterstand this log, what does it mean "need to read more data"?<br>
<br>
</div>It means exactly what Alan said below. Its waiting for the peer to send<br>
a client certificate.<br>
<br>
TLS works by performing a number of exchanges in what is called<br>
"handshaking". The handshake exchanges negotiate the type of TLS<br>
connection which is going to be established. Certificate exchange is<br>
part of the handshake process. A server certificate is always sent to<br>
the client so the client can validate the server. This is known as<br>
server only validation, the server does not care who the client is. But<br>
TLS is also capable of mutual authentication where the client must<br>
authenticate to the server as well so the server knows who the client<br>
is. This is the basis of eap-tls, it's using the client TLS validation<br>
as an authentication of the client. During the TLS handshake the server<br>
will send a request to the client saying "please send me your<br>
certificate". That's what is happening here, the server has made a<br>
request for a client cert and now it's waiting to read that response<br>
from the client. If that response does not arrive then this is not a<br>
FreeRADIUS issue, it's a problem with your eap-tls client.<br>
<div class="im HOEnZb"><br>
<br>
> > TLS_accept: error in SSLv3 read client certificate B<br>
> > rlm_eap: SSL error error:140890C7:SSL<br>
> > routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate<br>
><br>
> The end user system isn't sending over a client certificate.<br>
<br>
<br>
</div><span class="HOEnZb"><font color="#888888">--<br>
John<br>
</font></span><div class="HOEnZb"><div class="h5">-<br>
List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/list/users.html</a><br>
</div></div></blockquote></div><br></div>