Hi,my freinds
      I should sum up my problems as followed.According to RFC 5216 strictly(Fig 1),when the server verified a certificate valid,it should return a packet with  (TLS change_cipher_spec,  TLS finished),and the client is waiting for the packet then return (EAP-Response).But please see the log(Fig 2),the server return (TLS Alert message)  packet  directly lacking the up step.So i think the freeradius is not as required by the specifications,is that right?
      Best regards
 
                        Fig 1     
 RFC 5216 Section 2.1

   Authenticating Peer     Authenticator
   -------------------     -------------
                           <- EAP-Request/
                           Identity
   EAP-Response/
   Identity (MyID) ->
                           <- EAP-Request/
                           EAP-Type=EAP-TLS
                           (TLS Start)
   EAP-Response/
   EAP-Type=EAP-TLS
   (TLS client_hello)->
                           <- EAP-Request/
                           EAP-Type=EAP-TLS
                           (TLS server_hello,
                             TLS certificate,
                    [TLS server_key_exchange,]
               TLS certificate_request,
                 TLS server_hello_done)

   EAP-Response/
   EAP-Type=EAP-TLS
   (TLS certificate,
    TLS client_key_exchange,
    TLS certificate_verify,
    TLS change_cipher_spec,
    TLS finished) ->

                           
<- EAP-Request/
                           EAP-Type=EAP-TLS
                           (TLS change_cipher_spec,
                           TLS finished)

   EAP-Response/
   EAP-Type=EAP-TLS ->
                           <- EAP-Request
                           EAP-Type=EAP-TLS
                           (TLS Alert message)
   EAP-Response/
   EAP-Type=EAP-TLS ->
                           <- EAP-Failure
                           (User Disconnected)

                  Fig 2

 
2011-07-09

yuqiang1973

发件人: Alan DeKok-2 [via FreeRadius]
发送时间: 2011-07-09  00:21:07
收件人: yuqiang
抄送:
主题: Re: Missing SSL Change Cipher Spec in EAP-TLS withClientCertificate verify failed
Phil Mayers wrote:
> EAP-TLS in FreeRADIUS WORKS. Stop posting nonsense about RFC compliance.

  If the certificate verification fails, then the server is *supposed*
to stop the EAP-TLS conversation.

> FreeRADIUS just uses OpenSSL. OpenSSL works. OpenSSL is compliant with
> the standards.
>
> There is nothing wrong with FreeRADIUS or OpenSSL.

  Everything is working as expected, and as required by the specifications.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html



If you reply to this email, your message will be added to the discussion below:
http://freeradius.1045715.n5.nabble.com/Missing-SSL-Change-Cipher-Spec-in-EAP-TLS-with-Client-Certificate-verify-failed-tp4565228p4565389.html
To unsubscribe from Missing SSL Change Cipher Spec in EAP-TLS with Client Certificate verify failed, click here.


View this message in context: Re: Re: Missing SSL Change Cipher Spec in EAP-TLS withClientCertificate verify failed
Sent from the FreeRadius - Dev mailing list archive at Nabble.com.