<div dir="ltr">Hi,<div><br></div><div>I am not seeing the XP X.509 OIDs specific for Windows on your certificate. Don't you need them?</div><div>Have a look at certs/xpextensions. </div><div><br></div><div>Regards,</div><div>Rui</div><div>--</div><div><div style="color:rgb(136,136,136);font-family:arial,sans-serif;font-size:13px">Senior Sysadm</div><div style="color:rgb(136,136,136);font-family:arial,sans-serif;font-size:13px">ISCTE-IUL</div><div style="color:rgb(136,136,136);font-family:arial,sans-serif;font-size:13px"><a href="https://www.linkedin.com/pub/rui-ribeiro/16/ab8/434" target="_blank">https://www.linkedin.com/pub/rui-ribeiro/16/ab8/434</a></div></div><div><br></div><div><br><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><br>
<br>
Message: 2<br>
Date: Mon, 6 Oct 2014 11:28:14 -0700<br>
From: Martin Rowe <<a href="mailto:martin.p.rowe@gmail.com">martin.p.rowe@gmail.com</a>><br>
To: <a href="mailto:freeradius-users@lists.freeradius.org">freeradius-users@lists.freeradius.org</a><br>
Subject: Windows 8.1 Wi-Fi client handshake failure<br>
Message-ID:<br>
<<a href="mailto:CAOAjy5SRi8VDv1FYunFDfJ-UgOW7%2BjmnWNZxDxycA1jA2bXKvg@mail.gmail.com">CAOAjy5SRi8VDv1FYunFDfJ-UgOW7+jmnWNZxDxycA1jA2bXKvg@mail.gmail.com</a>><br>
Content-Type: text/plain; charset=UTF-8<br>
<br>
Hello,<br>
<br>
I'm having trouble getting a Windows 8.1 laptop to connect to my Wi-Fi<br>
which is using only EAP-TLS managed by FreeRADIUS. Before you ask, yes<br>
I have included serverAuth/clientAuth in the certificates and the<br>
configuration is tested to work with Linux and Android clients, so I<br>
don't think there is a problem on the server side. That is as far as<br>
Google has been able to help me, so I'm hoping someone here has had<br>
the same problem and might know a solution.<br>
<br>
The specific issue as far as I can troubleshoot is that the client and<br>
server can't agree on a shared TLS cipher. I'm seeing these lines in<br>
my logs every time I attempt a connection:<br>
<br>
Info: [tls] TLS_accept: before/accept initialization<br>
Info: [tls] <<< TLS 1.0 Handshake [length 0067], ClientHello<br>
Info: [tls] >>> TLS 1.0 Alert [length 0002], fatal handshake_failure<br>
Error: TLS Alert write:fatal:handshake failure<br>
Error: TLS_accept: error in SSLv3 read client hello C<br>
Error: rlm_eap: SSL error error:1408A0C1:lib(20):func(138):reason(193)<br>
Error: SSL: SSL_read failed in a system call (-1), TLS session fails.<br>
<br>
From [1] it looks like the SSL errors mean:<br>
<br>
lib(20) = ERR_LIB_SSL<br>
func(138) = SSL_F_SSL3_GET_CLIENT_HELLO<br>
reason(193) = SSL_R_NO_SHARED_CIPHER<br>
<br>
[1] <a href="http://comments.gmane.org/gmane.comp.encryption.openssl.user/9654" target="_blank">http://comments.gmane.org/gmane.comp.encryption.openssl.user/9654</a><br>
<br>
But that is as far as I can get. I've tried disabling every option I<br>
can in the configs and many variations on the Windows side, but they<br>
all stop at the same point. There is no limit I have set on which TLS<br>
ciphers can be used (cipher_list in eap{tls{}} is not used, and gave<br>
the same error when set to DEFAULT).<br>
<br>
My only other guess is there is something wrong with the certificates,<br>
but I'm not sure what might be wrong. I have copied both my root and<br>
my radius intermediate CA certificates onto the Windows client along<br>
with the client certificate and key. They are installed and the chain<br>
is valid according to the Windows Credential Manager. The server<br>
ca.pem has both the root and intermediate certificates concatenated<br>
together and that works fine with my other clients. So all I can think<br>
of is that Windows is being extra picky about something. Below is the<br>
sanitized text certificate for the server and client in the hope that<br>
the error is obvious to someone else:<br>
<br>...... </blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br><br></blockquote><div> </div></div>
</div></div></div>
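<div>Added example, not part of either message: a small log triage helper that unpacks the <code>error:1408A0C1</code> code from the quoted FreeRADIUS log into the lib/func/reason fields Martin lists and cross-checks them against the fields printed on the same line. It assumes the packed error layout of OpenSSL 1.x (8-bit library, 12-bit function, 12-bit reason); the names <code>decode</code>, <code>triage</code> and <code>SAMPLE</code> are made up for this example.</div>

```python
import re

# Packed 32-bit error layout of OpenSSL 1.x: 8 bits library, 12 bits function,
# 12 bits reason. Assumption: the server runs a pre-3.0 OpenSSL, as the
# func(...) field in the log suggests.
ERR_RE = re.compile(
    r"error:([0-9A-Fa-f]{8})(?::lib\((\d+)\):func\((\d+)\):reason\((\d+)\))?")

# Names taken from the thread only; unknown numbers are left numeric.
NAMES = {
    "lib": {20: "ERR_LIB_SSL"},
    "func": {138: "SSL_F_SSL3_GET_CLIENT_HELLO"},
    "reason": {193: "SSL_R_NO_SHARED_CIPHER"},
}

def decode(code):
    """Split a packed OpenSSL 1.x error code into (lib, func, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def triage(lines):
    """Return one record per packed SSL error found in FreeRADIUS log lines."""
    records = []
    for lineno, line in enumerate(lines, 1):
        m = ERR_RE.search(line)
        if not m:
            continue
        fields = dict(zip(("lib", "func", "reason"),
                          decode(int(m.group(1), 16))))
        printed = m.groups()[1:]
        records.append({
            "line": lineno,
            "code": m.group(1).upper(),
            **fields,
            "names": {k: NAMES[k].get(v, str(v)) for k, v in fields.items()},
            # If the log also prints the fields, they must match the hex.
            "consistent": printed[0] is None
                          or tuple(map(int, printed)) == tuple(fields.values()),
            "no_shared_cipher": fields["lib"] == 20 and fields["reason"] == 193,
        })
    return records

# Log lines copied from the quoted message.
SAMPLE = [
    "Info: [tls] <<< TLS 1.0 Handshake [length 0067], ClientHello",
    "Info: [tls] >>> TLS 1.0 Alert [length 0002], fatal handshake_failure",
    "Error: rlm_eap: SSL error error:1408A0C1:lib(20):func(138):reason(193)",
]

if __name__ == "__main__":
    for record in triage(SAMPLE):
        print(record)
```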