Hi,my freinds I should sum up my problems as followed.According to RFC 5216 strictly(Fig 1),when the server verified a certificate valid,it should return a packet with (TLS change_cipher_spec, TLS finished),and the client is waiting for the packet then return (EAP-Response).But please see the log(Fig 2),the server return (TLS Alert message) packet directly lacking the up step.So i think the freeradius is not as required by the specifications,is that right? Best regards Fig 1 RFC 5216 Section 2.1 Authenticating Peer Authenticator ------------------- ------------- <- EAP-Request/ Identity EAP-Response/ Identity (MyID) -> <- EAP-Request/ EAP-Type=EAP-TLS (TLS Start) EAP-Response/ EAP-Type=EAP-TLS (TLS client_hello)-> <- EAP-Request/ EAP-Type=EAP-TLS (TLS server_hello, TLS certificate, [TLS server_key_exchange,] TLS certificate_request, TLS server_hello_done) EAP-Response/ EAP-Type=EAP-TLS (TLS certificate, TLS client_key_exchange, TLS certificate_verify, TLS change_cipher_spec, TLS finished) -> <- EAP-Request/ EAP-Type=EAP-TLS (TLS change_cipher_spec, TLS finished) EAP-Response/ EAP-Type=EAP-TLS -> <- EAP-Request EAP-Type=EAP-TLS (TLS Alert message) EAP-Response/ EAP-Type=EAP-TLS -> <- EAP-Failure (User Disconnected) Fig 2 2011-07-09 yuqiang1973 发件人: Alan DeKok-2 [via FreeRadius] 发送时间: 2011-07-09 00:21:07 收件人: yuqiang 抄送: 主题: Re: Missing SSL Change Cipher Spec in EAP-TLS withClientCertificate verify failed Phil Mayers wrote:
EAP-TLS in FreeRADIUS WORKS. Stop posting nonsense about RFC compliance.
If the certificate verification fails, then the server is *supposed* to stop the EAP-TLS conversation.
FreeRADIUS just uses OpenSSL. OpenSSL works. OpenSSL is compliant with the standards.
There is nothing wrong with FreeRADIUS or OpenSSL.
Everything is working as expected, and as required by the specifications. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html If you reply to this email, your message will be added to the discussion below: http://freeradius.1045715.n5.nabble.com/Missing-SSL-Change-Cipher-Spec-in-EA... To unsubscribe from Missing SSL Change Cipher Spec in EAP-TLS with Client Certificate verify failed, click here. -- View this message in context: http://freeradius.1045715.n5.nabble.com/Missing-TLS-Change-Cipher-Spec-and-T... Sent from the FreeRadius - Dev mailing list archive at Nabble.com.