Missing SSL Change Cipher Spec in EAP-TLS with Client Certificate verify failed
Oh,I am sorry. But the problem i meet just like the event descibed in mailinglist here. I downloaded the new version of freeradius(2.1.10) and run it on LINUX.When the certificate is expired or invalid,I found the data sent by server were missed. The log is as followed.The exchange between client and server is not conformed to RFC5216 described as italic text. RFC 5216 Section 2.1 Authenticating Peer Authenticator ------------------- ------------- <- EAP-Request/ Identity EAP-Response/ Identity (MyID) -> <- EAP-Request/ EAP-Type=EAP-TLS (TLS Start) EAP-Response/ EAP-Type=EAP-TLS (TLS client_hello)-> <- EAP-Request/ EAP-Type=EAP-TLS (TLS server_hello, TLS certificate, [TLS server_key_exchange,] TLS certificate_request, TLS server_hello_done) EAP-Response/ EAP-Type=EAP-TLS (TLS certificate, TLS client_key_exchange, TLS certificate_verify, TLS change_cipher_spec, TLS finished) -> <- EAP-Request/ EAP-Type=EAP-TLS (TLS change_cipher_spec, TLS finished) EAP-Response/ EAP-Type=EAP-TLS -> /<- EAP-Request EAP-Type=EAP-TLS (TLS Alert message) / EAP-Response/ EAP-Type=EAP-TLS -> <- EAP-Failure (User Disconnected) the log: +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS TLS Length 225 [tls] Length Included [tls] eaptls_verify returned 11 [tls] <<< TLS 1.0 Handshake [length 0b8c], Certificate [tls] chain-depth=2, [tls] error=0 [tls] --> User-Name = test [tls] --> BUF-Name = ZJRoot,2.5.4.1 [tls] --> subject = /C=\x00C\x00N/ST=mYl_w\x01/L=gm]\xDE^\x02/O=mYl_w\x01ep[W\x8B\xA4\x8B\xC1N-_\xC3/CN=\x00Z\x00J\x00R\x00o\x00o\x00t [tls] --> issuer = /C=\x00C\x00N/ST=mYl_w\x01/L=gm]\xDE^\x02/O=mYl_w\x01ep[W\x8B\xA4\x8B\xC1N-_\xC3/CN=\x00Z\x00J\x00R\x00o\x00o\x00t [tls] --> verify return:1 [tls] chain-depth=1, [tls] error=0 [tls] --> User-Name = test [tls] --> BUF-Name = ZJCA,2.5.4.1 [tls] --> subject = /C=\x00C\x00N/ST=mYl_w\x01/L=gm]\xDE^\x02/O=mYl_w\x01ep[W\x8B\xA4\x8B\xC1N-_\xC3/CN=\x00Z\x00J\x00C\x00A [tls] --> issuer = /C=\x00C\x00N/ST=mYl_w\x01/L=gm]\xDE^\x02/O=mYl_w\x01ep[W\x8B\xA4\x8B\xC1N-_\xC3/CN=\x00Z\x00J\x00R\x00o\x00o\x00t [tls] --> verify return:1 --> verify error:num=10:certificate has expired [tls] >>> TLS 1.0 Alert [length 0002], fatal certificate_expired TLS Alert write:fatal:certificate expired TLS_accept: error in SSLv3 read client certificate B rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned SSL: SSL_read failed in a system call (-1), TLS session fails. TLS receive handshake failed during operation [tls] eaptls_process returned 4 [eap] Handler failed in EAP/tls [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject -- View this message in context: http://freeradius.1045715.n5.nabble.com/Missing-SSL-Change-Cipher-Spec-in-EA... Sent from the FreeRadius - Dev mailing list archive at Nabble.com.
On 08/07/11 16:43, yuqiang wrote:
Oh,I am sorry. But the problem i meet just like the event descibed in mailinglist here. I downloaded the new version of freeradius(2.1.10) and run
Please stop sending your emails multiple times. It's annoying and unnecessary.
it on LINUX.When the certificate is expired or invalid,I found the data sent by server were missed. The log is as followed.The exchange between client and server is not conformed to RFC5216 described as italic text.
So what? Why is this a problem?
The problem is missing SSL Change Cipher Spec in EAP-TLS with ClientCertificate verify failed.The data not return to client. <- EAP-Request/ EAP-Type=EAP-TLS (TLS change_cipher_spec, TLS finished) 2011-07-09 yuqiang1973 发件人: Phil Mayers [via FreeRadius] 发送时间: 2011-07-09 00:02:52 收件人: yuqiang 抄送: 主题: Re: Missing SSL Change Cipher Spec in EAP-TLS with ClientCertificate verify failed On 08/07/11 16:43, yuqiang wrote:
Oh,I am sorry. But the problem i meet just like the event descibed in mailinglist here. I downloaded the new version of freeradius(2.1.10) and run
Please stop sending your emails multiple times. It's annoying and unnecessary.
it on LINUX.When the certificate is expired or invalid,I found the data sent by server were missed. The log is as followed.The exchange between client and server is not conformed to RFC5216 described as italic text.
So what? Why is this a problem? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html If you reply to this email, your message will be added to the discussion below: http://freeradius.1045715.n5.nabble.com/Missing-SSL-Change-Cipher-Spec-in-EA... To unsubscribe from Missing SSL Change Cipher Spec in EAP-TLS with Client Certificate verify failed, click here. -- View this message in context: http://freeradius.1045715.n5.nabble.com/Missing-SSL-Change-Cipher-Spec-in-EA... Sent from the FreeRadius - Dev mailing list archive at Nabble.com.
On 08/07/11 17:07, yuqiang wrote:
The problem is missing SSL Change Cipher Spec in EAP-TLS with ClientCertificate verify failed.The data not return to client. <- EAP-Request/ EAP-Type=EAP-TLS (TLS change_cipher_spec, TLS finished)
There is no change cipher spec because the TLS negotiation FAILS!!! Read what you posted: --> verify error:num=10:certificate has expired [tls] >>> TLS 1.0 Alert [length 0002], fatal certificate_expired TLS Alert write:fatal:certificate expired TLS_accept: error in SSLv3 read client certificate B EAP-TLS in FreeRADIUS WORKS. Stop posting nonsense about RFC compliance. FreeRADIUS just uses OpenSSL. OpenSSL works. OpenSSL is compliant with the standards. There is nothing wrong with FreeRADIUS or OpenSSL.
Phil Mayers wrote:
EAP-TLS in FreeRADIUS WORKS. Stop posting nonsense about RFC compliance.
If the certificate verification fails, then the server is *supposed* to stop the EAP-TLS conversation.
FreeRADIUS just uses OpenSSL. OpenSSL works. OpenSSL is compliant with the standards.
There is nothing wrong with FreeRADIUS or OpenSSL.
Everything is working as expected, and as required by the specifications. Alan DeKok.
I think the packets described in red rect should be communicate between client and server, when the certificate verification failed. 2011-07-09 yuqiang1973 发件人: Alan DeKok-2 [via FreeRadius] 发送时间: 2011-07-09 00:21:07 收件人: yuqiang 抄送: 主题: Re: Missing SSL Change Cipher Spec in EAP-TLS withClientCertificate verify failed Phil Mayers wrote:
EAP-TLS in FreeRADIUS WORKS. Stop posting nonsense about RFC compliance.
If the certificate verification fails, then the server is *supposed* to stop the EAP-TLS conversation.
FreeRADIUS just uses OpenSSL. OpenSSL works. OpenSSL is compliant with the standards.
There is nothing wrong with FreeRADIUS or OpenSSL.
Everything is working as expected, and as required by the specifications. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html If you reply to this email, your message will be added to the discussion below: http://freeradius.1045715.n5.nabble.com/Missing-SSL-Change-Cipher-Spec-in-EA... To unsubscribe from Missing SSL Change Cipher Spec in EAP-TLS with Client Certificate verify failed, click here. -- View this message in context: http://freeradius.1045715.n5.nabble.com/Missing-SSL-Change-Cipher-Spec-in-EA... Sent from the FreeRadius - Dev mailing list archive at Nabble.com.
The fact is that when the certificate i used is valid,the process is conformed to RFC3216. But if certificate is invalid the client is waiting for server to return (TLS change_cipher_spec, TLS finished) . 2011-07-09 yuqiang1973 发件人: Phil Mayers [via FreeRadius] 发送时间: 2011-07-09 00:14:52 收件人: yuqiang 抄送: 主题: Re: Missing SSL Change Cipher Spec in EAP-TLS withClientCertificate verify failed On 08/07/11 17:07, yuqiang wrote:
The problem is missing SSL Change Cipher Spec in EAP-TLS with ClientCertificate verify failed.The data not return to client. <- EAP-Request/ EAP-Type=EAP-TLS (TLS change_cipher_spec, TLS finished)
There is no change cipher spec because the TLS negotiation FAILS!!! Read what you posted: --> verify error:num=10:certificate has expired [tls] >>> TLS 1.0 Alert [length 0002], fatal certificate_expired TLS Alert write:fatal:certificate expired TLS_accept: error in SSLv3 read client certificate B EAP-TLS in FreeRADIUS WORKS. Stop posting nonsense about RFC compliance. FreeRADIUS just uses OpenSSL. OpenSSL works. OpenSSL is compliant with the standards. There is nothing wrong with FreeRADIUS or OpenSSL. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html If you reply to this email, your message will be added to the discussion below: http://freeradius.1045715.n5.nabble.com/Missing-SSL-Change-Cipher-Spec-in-EA... To unsubscribe from Missing SSL Change Cipher Spec in EAP-TLS with Client Certificate verify failed, click here. -- View this message in context: http://freeradius.1045715.n5.nabble.com/Missing-SSL-Change-Cipher-Spec-in-EA... Sent from the FreeRadius - Dev mailing list archive at Nabble.com.
participants (3)
-
Alan DeKok -
Phil Mayers -
yuqiang