2015-05-27 16:11 GMT+02:00 Alan DeKok <aland@deployingradius.com>:
On May 26, 2015, at 6:27 PM, Ben Humpert <ben@an3k.de> wrote:
Because it's not validating the CA cert in that case.
[...]
Exactly.
[...]
Yes.
Thanks for clarification!
The debug output of the failing Android EAP-TLS attempt is below - in case someone is interested.
Wed May 27 00:10:44 2015 : Debug: (89) eap_tls: <<< TLS 1.0 Alert [length 0002], fatal unknown_ca Wed May 27 00:10:44 2015 : ERROR: (89) eap_tls: TLS Alert read:fatal:unknown CA Wed May 27 00:10:44 2015 : ERROR: (89) eap_tls: TLS_accept: Failed in SSLv3 read client certificate A
The client certificate was signed by a CA unknown to FreeRADIUS. You need to put the CA in the raddb/certs directory, and configure FreeRADIUS to read it.
The client certificate is signed by the same CA (Signing CA) that also signed the server certificate. If I specify the Signing CA cert in ca_file and try to connect with Android (with the Signing CA cert specified) I get the 'unknown CA' error. If I disable ca certificate in Android I get Wed May 27 16:53:25 2015 : Debug: (12) eap: Peer sent method TLS (13) Wed May 27 16:53:25 2015 : Debug: (12) eap: EAP TLS (13) Wed May 27 16:53:25 2015 : Debug: (12) eap: Calling eap_tls to process EAP data Wed May 27 16:53:25 2015 : Debug: (12) eap_tls: Authenticate Wed May 27 16:53:25 2015 : Debug: (12) eap_tls: processing EAP-TLS Wed May 27 16:53:25 2015 : Debug: (12) eap_tls: eaptls_verify returned 7 Wed May 27 16:53:25 2015 : Debug: (12) eap_tls: Done initial handshake Wed May 27 16:53:25 2015 : Debug: (12) eap_tls: <<< TLS 1.0 Handshake [length 04ac], Certificate Wed May 27 16:53:25 2015 : Debug: (12) eap_tls: TLS Verify adding attributes Wed May 27 16:53:25 2015 : Debug: (12) eap_tls: &request:TLS-Cert-Serial := 'b24773ef84a841ea922f418cb40c6a24' Wed May 27 16:53:25 2015 : Debug: (12) eap_tls: &request:TLS-Cert-Expiration := '200521225429Z' Wed May 27 16:53:25 2015 : Debug: (12) eap_tls: &request:TLS-Cert-Subject := '/C=DE/ST=DE-BY/O=Example Company/CN=Signing CA' Wed May 27 16:53:25 2015 : Debug: (12) eap_tls: &request:TLS-Cert-Issuer := '/C=DE/O=Example Company/CN=Root CA' Wed May 27 16:53:25 2015 : Debug: (12) eap_tls: &request:TLS-Cert-Common-Name := 'Signing CA' Wed May 27 16:53:25 2015 : ERROR: (12) eap_tls: SSL says error 2 : unable to get issuer certificate Wed May 27 16:53:25 2015 : Debug: (12) eap_tls: >>> TLS 1.0 Alert [length 0002], fatal unknown_ca Wed May 27 16:53:25 2015 : ERROR: (12) eap_tls: TLS Alert write:fatal:unknown CA Wed May 27 16:53:25 2015 : Error: tls: TLS_accept: Error in SSLv3 read client certificate B Wed May 27 16:53:25 2015 : ERROR: (12) eap_tls: SSL says: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned Wed May 27 16:53:25 2015 : Error: SSL: SSL_read failed in a system call (-1), TLS session fails. This is because the server doesn't know the complete chain. Thus I now specify ChainedCert.crt in ca_file which contains the Signing CA cert in PEM format followed by the Root CA cert in PEM format. If I try to connect now (still with no ca certificate specified in Android) I can connect. If I now select the Signing CA cert in Android as ca certificate again I still get the 'unknown CA' error. If I instead specify the Root CA cert in Android I get Wed May 27 17:03:25 2015 : Debug: (26) eap: Peer sent method TLS (13) Wed May 27 17:03:25 2015 : Debug: (26) eap: EAP TLS (13) Wed May 27 17:03:25 2015 : Debug: (26) eap: Calling eap_tls to process EAP data Wed May 27 17:03:25 2015 : Debug: (26) eap_tls: Authenticate Wed May 27 17:03:25 2015 : Debug: (26) eap_tls: processing EAP-TLS Wed May 27 17:03:25 2015 : Debug: (26) eap_tls: eaptls_verify returned 7 Wed May 27 17:03:25 2015 : Debug: (26) eap_tls: Done initial handshake Wed May 27 17:03:25 2015 : Debug: (26) eap_tls: <<< TLS 1.0 Alert [length 0002], fatal certificate_unknown Wed May 27 17:03:25 2015 : ERROR: (26) eap_tls: TLS Alert read:fatal:certificate unknown Wed May 27 17:03:25 2015 : ERROR: (26) eap_tls: TLS_accept: Failed in SSLv3 read client certificate A Wed May 27 17:03:25 2015 : ERROR: (26) eap_tls: SSL says: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown Wed May 27 17:03:25 2015 : Error: SSL: SSL_read failed inside of TLS (-1), TLS session fails. Wed May 27 17:03:25 2015 : Debug: TLS receive handshake failed during operation Wed May 27 17:03:25 2015 : Debug: (26) eap_tls: eaptls_process returned 4 Wed May 27 17:03:25 2015 : ERROR: (26) eap: Failed continuing EAP TLS (13) session. EAP sub-module failed In my raddb/certs directory I have the SigningCA.crt, the RootCA.crt, radius.crt (specified as certificate_file), radius.key (private_key_file) and ChainedCA.crt (ca_file).