Hi, I generated .csr using openssl command and used this csr to generate CA signed certificate. I installed this CA signed certificate under trusted root of server. But when I run freeradius in debug mode, I get the following error: (0) <<< TLS 1.0 Handshake [length 0208], Certificate --> verify error:num=20:unable to get local issuer certificate (0) ERROR: SSL says error 20 : unable to get local issuer certificate (0) >>> TLS 1.0 Alert [length 0002], fatal unknown_ca (0) ERROR: SSL says: TLS Alert write:fatal:unknown CA (0) ERROR: SSL says: TLS_accept: error in SSLv3 read client certificate B (0) ERROR: SSL says: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned SSL: SSL_read failed in a system call (-1), TLS session fails. (0) FAILED in TLS handshake receive Closing TLS socket from client port 1645 Client has closed connection ... shutting down socket auth from client (10.253.6.11, 1645) -> (*, 2083, virtual-server=default) Debug says "fatal unknown_ca". I think I should be adding CA information somewhere in the server. Could anybody please guide me on the same. I would like to know where am I going wrong. Thanks, Kavya On Thu, Oct 16, 2014 at 8:26 AM, KAVYA PRABHAKAR < kavyamelinmaneprabhakar@gmail.com> wrote:
Hi,
Thanks for the help. I am able to open 2083 tcp port. I have a RADIUS client which sends request to freeradius server. Before sending request to server, it creates a TCP\TLS connection with it. TCP connection is getting established and during TLS handhsake, server throws following error:
(0) <<< TLS 1.0 Handshake [length 025c], Certificate --> verify error:num=18:self signed certificate (0) ERROR: SSL says error 18 : self signed certificate (0) >>> TLS 1.0 Alert [length 0002], fatal unknown_ca (0) ERROR: SSL says: TLS Alert write:fatal:unknown CA (0) ERROR: SSL says: TLS_accept: error in SSLv3 read client certificate B (0) ERROR: SSL says: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned SSL: SSL_read failed in a system call (-1), TLS session fails. (0) FAILED in TLS handshake receive Closing TLS socket from client port 1645 Client has closed connection ... shutting down socket auth from client (10.253.6.11, 1645) -> (*, 2083, virtual-server=default) Waking up in 2.9 seconds. ... cleaning up socket auth from client (10.253.6.11, 1645) -> (*, 2083, virtual-server=default)
Looking at the debugs I think server expects client certificate information as well. Does it work on MTLS? (mutual TLS). I am using self signed certificate generated by ubuntu(where server is installed) and using the same in tls file. The same certificate is put under trusted root in client as well.
Thanks, Kavya