What kind of certificates do you use? RSA or ECDSA? If these are simple RSA certificates try using a simple tls config. private_key_password = “REDACTED” private_key_file = "server.key" certificate_file = "server.crt" ca_file = "server.crt" dh_file = "/Library/Server/radius/raddb/certs/dh" ca_path = "/Library/Server/radius/raddb/certs" cipher_list = "DEFAULT" ecdh_curve = "prime256v1" these are the only configuration options in the default FR 3.0.7 eap tls config and it works well for me (RSA with sha256). Also make you you have the correct "Extended Key Usage" OIDs set for each the server as well as the client cert. If this doesn't help reupload / install the correct certificates on your client and as well as your radius server. Don't think "this is the correct cert", just replace it with the definitely correct one from your CA. SSL can't decrypt thus the private key doesn't match the public key so either the config is broken or you haven't updated the key but the cert (or vice-versa). 2015-05-26 14:19 GMT+02:00 Alan DeKok <aland@deployingradius.com>:
On May 25, 2015, at 10:46 PM, Scott A. Johnson <scott.a.johnson@gmail.com> wrote:
I’m using version 2.2.0 which is installed with Mac OS X 10.10.3. Trying to get EAP-TLS working. I *think* I have my certificates installed, and permissions set correctly, however my clients can’t connect and the error, best I can tell, is certificate based as I receive the error “certificate signature failure”. Where I’m not sure is if this means I have something wrong with my public/private key, an error in my config files with FreeRadius, or something else entirely.
Magic... deep magic.
Not really, but sometimes SSL feels like that.
--> verify error:num=7:certificate signature failure [tls] >>> TLS 1.0 Alert [length 0002], fatal decrypt_error TLS Alert write:fatal:decrypt error
That's not good. I've seen it from time to time, and honestly... it's not clear what's going on. I'm not familiar enough with the SSL internals to say.
Try using the fake certificates in raddb/certs/. If those don't work, then the system is broken. Something in the client, or OpenSSL, or 2.2.0. If those certificates do work, then the certificates you're using are broken somehow.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html