Am 22.01.2013, 22:19 Uhr, schrieb Alan DeKok <aland@deployingradius.com>:
Stephan Manske wrote:
[tls] --> verify return:1 --> verify error:num=7:certificate signature failure [tls] >>> TLS 1.0 Alert [length 0002], fatal decrypt_error TLS Alert write:fatal:decrypt error TLS_accept: error in SSLv3 read client certificate B rlm_eap: SSL error error:04067084:rsa routines:RSA_EAY_PUBLIC_DECRYPT:data too large for modulus
That's an SSL error. It looks like the certificate being presented is wrong, or the client has made a mistake in SSL.
I think I found the issue: Yes, it is a ssl problem, the ca.key and all the certs are incompatible. And no, it is not only a ssl problem, it is a freeradius problem, too: I made a new client certificate and this can be verified: #openssl verify -verbose -CAfile ca.pem 0B.pem 0B.pem: OK I made a next one: openssl verify -verbose -CAfile ca.pem 0C.pem 0C.pem: OK but, the last one now: )# openssl verify -verbose -CAfile ca.pem 0B.pem 0B.pem: C = DE, ST = Somewhere, O = Manske EIS, OU = Radius_Managment, CN = xxxx Smart, emailAddress = user@mail.example error 7 at 0 depth lookup:certificate signature failure 3074770568:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:100: 3074770568:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay.c:721: 3074770568:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:a_verify.c:215: IMHO these patch https://github.com/FreeRADIUS/freeradius-server/commit/2d3f119cd8d9e99028f96... with +ca.key ca.pem: ca.cnf index.txt serial makes ca.key dependant to the date of index.txt and serial Both files are updated every time a new client cert is build. IMHO. And so, I have a look at the cert generation: # touch serial # make client openssl req -new -out client.csr -keyout client.key -config ./client.cnf Generating a 2048 bit RSA private key .....+++ ...........................................................+++ writing new private key to 'client.key' ----- openssl req -new -x509 -keyout ca.key -out ca.pem \ -days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config ./ca.cnf Generating a 2048 bit RSA private key .............................................................+++ ........................................................................................+++ writing new private key to 'ca.key' # touch serial # make client openssl req -new -x509 -keyout ca.key -out ca.pem \ -days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config ./ca.cnf Generating a 2048 bit RSA private key .........................................................................................+++ ..................+++ writing new private key to 'ca.key' ----- and so on ... With this new generated ca.key the older certs are not able to validate anymore. But I do not think, that it is wanted to generate a new ca.key every time, or am I wrong? This looks similar to https://github.com/FreeRADIUS/freeradius-server/commit/7394b88e4725d47727338... 69 -server.crt: server.csr ca.key ca.pem index.txt serial 69 +server.crt: server.csr ca.key ca.pem before your patch I made this with an order-only prerequisites "|" in my private source: server.crt: server.csr ca.key ca.pem | index.txt serial I did this for the mentioned parts now, too ###################################################################### # # Create a new self-signed CA certificate # ###################################################################### ca.key ca.pem: ca.cnf | index.txt serial openssl req -new -x509 -keyout ca.key -out ca.pem \ -days $(CA_DEFAULT_DAYS) -config ./ca.cnf and it works: # touch serial # make client openssl req -new -out client.csr -keyout client.key -config ./client.cnf Generating a 2048 bit RSA private key .....................+++ .......+++ writing new private key to 'client.key' ----- openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf Using configuration from ./client.cnf Check that the request matches the signature Signature ok ... # touch serial # make client openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf Using configuration from ./client.cnf Check that the request matches the signature Signature ok Certificate Details: even: # touch serial # make ca.key make: `ca.key' is up to date. I hope my thoughts are right and helpfull. Ciao, Stephan