Hello! I have a huge problem with freeradius 2.2.0 on my eisfair server (www.eisfair.org) and users using certificates to authenticate. first of all: this should not be a "how must I config my freeradius to work?" problem. These installation with these certificates and these config worked for over 8 month very well. And suddenly I got the problem. Every client with user/pass works still fine. The problem is about the users with certificates (windows xp and android). the certificates are not outdated: list of active certificates: V 13-01-28 13:16:17 Z 01 unknown /C=DE/ST=Somewhere/O=Manske EIS/OU=Radius_Managment/CN=Manske Radius/emailAddress=xxx (the server certificate) V 14-02-17 13:16:54 Z 02 unknown /C=DE/ST=Somewhere/O=Manske EIS/OU=Radius_Managment/CN=User Name/emailAddress=xxx (one of the problematic user certificates) I tried it with check_crl = yes and no changes before the problem occurs: I updated openssl-packages from Internal Program Version: OpenSSL 1.0.0j also included the old version 0.9.7m also included the old version 0.9.8x to Internal Program Version: OpenSSL 1.0.1c also included the old version 0.9.8x But I did this over three days before the errors occured. In the meantime freeradius worked well. So, here is a shorten output of radiusd -X (I hope I do not shorten important things - btw, are there parts of such an debug output I should keep secret?) Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 192.168.x.x port 2049, id=2, length=141 User-Name = "User Name" NAS-IP-Address = 192.168.x.x # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "User Name", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 0 length 19 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry User Name at line 8 [files] expand: Hello, %{User-Name} -> Hello, User Name ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/tls [eap] processing type tls [tls] Requiring client certificate [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 2 to 192.168.x.x port 2049 Reply-Message = "Hello, User Name" EAP-Message = 0x010200060d20 Message-Authenticator = 0x00000000000000000000000000xx State = 0x7d1f9f227c1d92c8e39xxxxxxxxx Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.x.x port 2049, id=2, length=227 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry User Name at line 8 [files] expand: Hello, %{User-Name} -> Hello, User Name ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS TLS Length 77 [tls] Length Included [tls] eaptls_verify returned 11 [tls] (other): before/accept initialization [tls] TLS_accept: before/accept initialization [tls] <<< TLS 1.0 Handshake [length 0048], ClientHello [tls] TLS_accept: SSLv3 read client hello A [tls] >>> TLS 1.0 Handshake [length 0031], ServerHello [tls] TLS_accept: SSLv3 write server hello A [tls] >>> TLS 1.0 Handshake [length 08bb], Certificate [tls] TLS_accept: SSLv3 write certificate A [tls] >>> TLS 1.0 Handshake [length 00b8], CertificateRequest [tls] TLS_accept: SSLv3 write certificate request A [tls] TLS_accept: SSLv3 flush data [tls] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [tls] eaptls_process returned 13 [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS TLS Length 77 [tls] Length Included [tls] eaptls_verify returned 11 [tls] (other): before/accept initialization [tls] TLS_accept: before/accept initialization [tls] <<< TLS 1.0 Handshake [length 0048], ClientHello [tls] TLS_accept: SSLv3 read client hello A [tls] >>> TLS 1.0 Handshake [length 0031], ServerHello [tls] TLS_accept: SSLv3 write server hello A [tls] >>> TLS 1.0 Handshake [length 08bb], Certificate [tls] TLS_accept: SSLv3 write certificate A [tls] >>> TLS 1.0 Handshake [length 00b8], CertificateRequest [tls] TLS_accept: SSLv3 write certificate request A [tls] TLS_accept: SSLv3 flush data [tls] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 2 to 192.168.x.x port 2049 Reply-Message = "Hello, User Name" EAP-Message = 0x010304000dc0000009b316030100310200002d030150e4ae0ed21d8 EAP-Message = 0x3017060355040313104d616e736b6520526164697573204341301e1 EAP-Message = 0xce7ab5f8c7edc84656371d677436108b21313e1ea308f55566b8684 EAP-Message = 0x25040c300a06082b06010505070301300d06092a864886f70d01010 EAP-Message = 0xb12f24c809d9d Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7d1f9f227f1c92c8e3xxxxxx Finished request 2. Going to the next request [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated Sending Access-Challenge of id 2 to 192.168.x.x port 2049 Reply-Message = "Hello, User Name" EAP-Message = 0x010404000dc0000009b3301 EAP-Message = 0x3130323136313231325a17: Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] Received TLS ACK [tls] ACK handshake fragment handler [tls] eaptls_verify returned 1 [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 2 to 192.168.x.x port 2049 Reply-Message = "Hello, User Name" EAP-Message = 0x010404000dc0000009bxxxxxx EAP-Message = 0xfdf4cec951566e50d17 EAP-Message = 0xca21c0f495c75a3a13d EAP-Message = 0x01ff300d06092a86488 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7d1f9f227e1b92c8e39 Finished request 3. Going to the next request and so on ... but here it might be important: # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] eaptls_verify returned 7 [tls] Done initial handshake [tls] <<< TLS 1.0 Handshake [length 03de], Certificate [tls] chain-depth=1, [tls] error=0 [tls] --> User-Name = User Name [tls] --> BUF-Name = Radius CA [tls] --> subject = /C=DE/ST=Somewhere/L=Somewhere/O=Manske EIS/OU=Radius_Managment/emailAddress=radius@xxxx [tls] --> issuer = /C=DE/ST=Somewhere/L=Somewhere/O=Manske EIS/OU=Radius_Managment/emailAddress=radius@xxxx [tls] --> verify return:1 --> verify error:num=7:certificate signature failure [tls] >>> TLS 1.0 Alert [length 0002], fatal decrypt_error TLS Alert write:fatal:decrypt error TLS_accept: error in SSLv3 read client certificate B rlm_eap: SSL error error:04067084:rsa routines:RSA_EAY_PUBLIC_DECRYPT:data too large for modulus SSL: SSL_read failed inside of TLS (-1), TLS session fails. TLS receive handshake failed during operation [tls] eaptls_process returned 4 [eap] Handler failed in EAP/tls [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Login incorrect (certificate signature failure): [User Name/<via Auth-Type = EAP>] (from client xxxx Using Post-Auth-Type REJECT # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> User Name attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 6 for 2 seconds Going to the next request Waking up in 0.9 seconds. Waking up in 0.9 seconds. Sending delayed reject for request 6 Sending Access-Reject of id 2 to 192.168.x.x port 2049 TIIA, Stephan