Hi,my freinds
I should sum up my
problems as followed.According to RFC 5216 strictly(Fig 1),when the server verified a certificate valid,it should
return a packet with (TLS change_cipher_spec, TLS
finished),and the client is waiting
for the packet then return (EAP-Response).But please see the log(Fig 2),the
server return (TLS Alert
message) packet directly lacking the up step.So i think
the freeradius is not as required by the specifications,is that
right?
Best regards
Fig 1
RFC 5216
Section 2.1
Authenticating Peer Authenticator
------------------- -------------
<- EAP-Request/
Identity
EAP-Response/
Identity (MyID) ->
<- EAP-Request/
EAP-Type=EAP-TLS
(TLS Start)
EAP-Response/
EAP-Type=EAP-TLS
(TLS client_hello)->
<- EAP-Request/
EAP-Type=EAP-TLS
(TLS server_hello,
TLS
certificate,
[TLS server_key_exchange,]
TLS certificate_request,
TLS server_hello_done)
EAP-Response/
EAP-Type=EAP-TLS
(TLS
certificate,
TLS client_key_exchange,
TLS
certificate_verify,
TLS change_cipher_spec,
TLS finished) ->
<- EAP-Request/
EAP-Type=EAP-TLS
(TLS change_cipher_spec,
TLS
finished)
EAP-Response/
EAP-Type=EAP-TLS ->
<- EAP-Request
EAP-Type=EAP-TLS
(TLS Alert
message)
EAP-Response/
EAP-Type=EAP-TLS ->
<- EAP-Failure
(User
Disconnected)
Fig 2
2011-07-09
yuqiang1973
发件人: Alan DeKok-2 [via
FreeRadius]
发送时间: 2011-07-09 00:21:07
收件人: yuqiang
抄送:
主题: Re: Missing SSL Change
Cipher Spec in EAP-TLS withClientCertificate verify failed
Phil Mayers wrote:
> EAP-TLS in FreeRADIUS
WORKS. Stop posting nonsense about RFC compliance.
If the
certificate verification fails, then the server is *supposed*
to stop the
EAP-TLS conversation.
> FreeRADIUS just uses OpenSSL. OpenSSL works.
OpenSSL is compliant with
> the standards.
>
> There is
nothing wrong with FreeRADIUS or OpenSSL.
Everything is working
as expected, and as required by the specifications.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
To
unsubscribe from Missing SSL Change Cipher Spec in EAP-TLS with Client
Certificate verify failed,
click
here.
View this message in context: Re: Re: Missing SSL Change Cipher Spec in EAP-TLS withClientCertificate verify failed
Sent from the FreeRadius - Dev mailing list archive at Nabble.com.