On Jul 14, 2020, at 8:53 AM, Piviul <piviul@riminilug.it> wrote:
(30) eap_peap: <<< recv UNKNOWN TLS VERSION ?0304? [length 0048] (30) eap_peap: >>> send TLS 1.0 Alert [length 0002], fatal handshake_failure (30) eap_peap: ERROR: TLS Alert
Windows is doing TLS 1.3. There is no standard yet for EAP with TLS 1.3 Edit mods-available/eap, and set: tls_max_version = "1.2"
and on the win7 client:
(14) eap_peap: <<< recv TLS 1.2 [length 0002] (14) eap_peap: ERROR: TLS Alert read:fatal:unknown CA
You didn't put the root CA onto the Windows machine.
Winxp e win7 client both seems to fail during handshake phase; linux didn't. From successfully linux logs I can find:
eap_peap: Peer indicated complete TLS record size will be 126
but reading winxp logs I can see:
eap_peap: Peer indicated complete TLS record size will be 77 bytes
and win7:
eap_peap: Peer indicated complete TLS record size will be 7 bytes
77 or 7 bytes seems to me not to be enought for a TLS record size isn't it? That's the problem?
No. The record sizes depend on all kinds of things. You don't debug a TCP connection by noting that some packets are 64 bytes and others are 200 bytes.
Any way can anyone please help me to find why win{xp,7} clients can't communicate using EAP-TLS?
The error messages from OpenSSL aren't perfect, but they explain exactly what the issue is. Alan DeKok.