Thank you all. I got it working but using the certificates that I have for openvpn. The strange thing is that when you actually do a dump of the key using the build system (Makefiles and cnf) in the gentoo /etc/raddb/certs directory the length is zero. There doesn't appear to be a key in there. But all I needed to know was that I was heading in the right direction. Kind regards Chris 12.01.2014, 13:12, "Alan DeKok" <aland@deployingradius.com>:
Chris Anderson wrote:
When I run freeradius with the -X option I get the following log
Attaching it in-line or as a ".txt" file would have been friendlier.
Anyways, the key lines are:
[tls] <<< TLS 1.0 Alert [length 0002], fatal decrypt_error TLS Alert read:fatal:decrypt error TLS_accept: failed in SSLv3 read client certificate A rlm_eap: SSL error error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1 alert decrypt error
Your certificates / CA don't match. SSL isn't magic, but it fragile.
Follow the instructions on my web site: http://deployingradius.com/
Once you have it working with test certificates, then follow the *same* procedure with real certificates. It *will* work.
The only way to keep SSL happy is a careful application of procedure. If you skip a step, then the certificate chain doesn't make sense to SSL, and it will fail.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html