On 17/01/2007, at 4:47 PM, Alan DeKok wrote:
James Lever wrote:
Wed Jan 17 08:00:11 2007 : Error: TLS_accept:error in SSLv3 read client certificate A That just means there's no client certificate.
Interesting given I'm only allowing EAP-TLS access to my wireless LAN (or attempting to) Below is the log output when run in full debugging (excerpt) -- rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 6 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake rlm_eap_tls: <<< TLS 1.0 Handshake [length 0be8], Certificate chain-depth=1, error=0 --> User-Name = clientCN --> BUF-Name = :30 2007 : Info: Ready to process requests. --> subject = /C=AU/issuerDN --> issuer = /C=AU/issuerDN --> verify return:1 radius_xlat: 'clientCN' rlm_eap_tls: checking certificate CN (clientCN) with xlat'ed value (clientCN) chain-depth=0, error=0 --> User-Name = clientCN --> BUF-Name = clientCN --> subject = /C=AU/clientDN --> issuer = /C=AU/issuerDN --> verify return:1 TLS_accept: SSLv3 read client certificate A rlm_eap_tls: <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 Handshake [length 0106], CertificateVerify TLS_accept: SSLv3 read certificate verify A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) SSL Connection Established eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 6 modcall: leaving group authenticate (returns handled) for request 6 -- When I try to do the same with a Certificate from another CA it fails as expected. So why does the EAP-TLS login work even though it complains that no certificate was received? Is the certificate actually validated and hence there really was no error, or is FreeRADIUS or OpenSSL authorising where it should not? cheers, James