On Sep 27, 2024, at 8:30 AM, Etienne Muesse <etienne.muesse@wi-ag.de> wrote:
I am trying to use freeradius with EAP-TLS but the client certificates are not trusted. We are using client certificates which are signed by our internal CA (signing chain is: client <- int-ca <- root-ca)
You need to configure the certificate chains as documented in the mods-available/eap module.
Here is what I did: - Put the root CA and intermediate CA into "ca_path". - Set server.pem (issued by intermediate CA) - Set key.pem - Disable CRL/OCSP checks (for testing).
The result when a client connects: /Certificate chain - 1 intermediate CA cert(s) untrusted To forbid these certificates see 'reject_unknown_intermediate_ca' (TLS) untrusted certificate with depth [2] subject name [ROOT CA CERTIFICATE] (TLS) untrusted certificate with depth [1] subject name [INT CA CERTIFICATE] (TLS) untrusted certificate with depth [0] subject name [CLIENT CERTIFICATE] tls: There are untrusted certificates in the certificate chain. Rejecting. (12) eap_tls: ERROR: (TLS) TLS - Alert write:fatal:internal error (12) eap_tls: ERROR: (TLS) TLS - Server : Error in error (12) eap_tls: ERROR: (TLS) Failed reading from OpenSSL: error:0A000086:SSL routines::certificate verify failed (12) eap_tls: ERROR: (TLS) System call (I/O) error (-1) (12) eap_tls: ERROR: (TLS) EAP Receive handshake failed during operation (12) eap_tls: ERROR: [eaptls process] = fail/
For now, set reject_unknown_intermediate_ca = no
I also tried to chain the CA files or put the whole chain into the client certificate. When I try to verify with openssl, it works fine: openssl verify -CApath certs/ca certs/client.pem
Using FreeRADIUS Version 3.2.4
Am I missing something?
Mumble mumble OpenSSL weirdness. Alan DeKok.