Oh,I am sorry. But the problem i meet just like the event descibed in mailinglist here. I downloaded the new version of freeradius(2.1.10) and run it on LINUX.When the certificate is expired or invalid,I found the data sent by server were missed. The log is followed. +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS TLS Length 225 [tls] Length Included [tls] eaptls_verify returned 11 [tls] <<< TLS 1.0 Handshake [length 0b8c], Certificate [tls] chain-depth=2, [tls] error=0 [tls] --> User-Name = test [tls] --> BUF-Name = ZJRoot,2.5.4.1 [tls] --> subject = /C=\x00C\x00N/ST=mYl_w\x01/L=gm]\xDE^\x02/O=mYl_w\x01ep[W\x8B\xA4\x8B\xC1N-_\xC3/CN=\x00Z\x00J\x00R\x00o\x00o\x00t [tls] --> issuer = /C=\x00C\x00N/ST=mYl_w\x01/L=gm]\xDE^\x02/O=mYl_w\x01ep[W\x8B\xA4\x8B\xC1N-_\xC3/CN=\x00Z\x00J\x00R\x00o\x00o\x00t [tls] --> verify return:1 [tls] chain-depth=1, [tls] error=0 [tls] --> User-Name = test [tls] --> BUF-Name = ZJCA,2.5.4.1 [tls] --> subject = /C=\x00C\x00N/ST=mYl_w\x01/L=gm]\xDE^\x02/O=mYl_w\x01ep[W\x8B\xA4\x8B\xC1N-_\xC3/CN=\x00Z\x00J\x00C\x00A [tls] --> issuer = /C=\x00C\x00N/ST=mYl_w\x01/L=gm]\xDE^\x02/O=mYl_w\x01ep[W\x8B\xA4\x8B\xC1N-_\xC3/CN=\x00Z\x00J\x00R\x00o\x00o\x00t [tls] --> verify return:1 --> verify error:num=10:certificate has expired [tls] >>> TLS 1.0 Alert [length 0002], fatal certificate_expired TLS Alert write:fatal:certificate expired TLS_accept: error in SSLv3 read client certificate B rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned SSL: SSL_read failed in a system call (-1), TLS session fails. TLS receive handshake failed during operation [tls] eaptls_process returned 4 [eap] Handler failed in EAP/tls [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject t he event is not conform to the RFC5216 as the italic text: Authenticating Peer Authenticator ------------------- ------------- <- EAP-Request/ Identity EAP-Response/ Identity (MyID) -> <- EAP-Request/ EAP-Type=EAP-TLS (TLS Start) EAP-Response/ EAP-Type=EAP-TLS (TLS client_hello)-> <- EAP-Request/ EAP-Type=EAP-TLS (TLS server_hello, TLS certificate, [TLS server_key_exchange,] TLS certificate_request, TLS server_hello_done) EAP-Response/ EAP-Type=EAP-TLS (TLS certificate, TLS client_key_exchange, TLS certificate_verify, TLS change_cipher_spec, TLS finished) -> <- EAP-Request/ EAP-Type=EAP-TLS (TLS change_cipher_spec, TLS finished) EAP-Response/ EAP-Type=EAP-TLS -> <- EAP-Request EAP-Type=EAP-TLS (TLS Alert message) EAP-Response/ EAP-Type=EAP-TLS -> <- EAP-Failure (User Disconnected)

View this message in context: Re: [PATCH] Fix broken EAP-TLS (bug introduced 2008/08/24 by b51a3a82)
Sent from the FreeRadius - Dev mailing list archive at Nabble.com.