Hi, this is a followup to my previous posts, but I'd rather like to forget those. Please accept my apologies for - not reading RFC 2716 again before posting - screwing up the EAP-TTLS/PAP tests, they fail, too (makes much more sense, btw) - not translating an SSL flags octet of value 0x40 correctly to binary At least the approach of compairing the working to failing situation seems to give a good starting point.
I suggest looking at the packet traces with wireshark. It does a good job of piecing the packets together. yep, see attached pcaps from the respective server interfaces.
What ovbiously differs, is the SSL Flags octet in Byte 5 of Packet 12 in each .pcap recording (which is consistent with the client side analysis of eapol_test output) It is 0x04 in the working case and 0x00 in the fail case. I.e. in the working case, the server sets the M or "More Fragments" bit because there are more fragments to deliver. AFAIU, the negotiations goes like this: In both cases, it we have the EAP Start in Packet 4. In the OK case, the server continues to send (and announce by the M bit) EAP fragments up to Packet 16 which correctly lacks the M bit because it contains the last fragment of this message. In the fail case, the missing M bit in Packet 12 mistakenly informs the client that this is it. IMO, any client bothering to verify the server cert will bail out here. The pcaps file are small (26 and 14 Frames) and are available for download here: https://hessenbox.uni-marburg.de/getlink/fi4uTVNtu63s93cTpxpNrt4U/radius-cer... https://hessenbox.uni-marburg.de/getlink/fiDUMxNR3AuATuGTBMPzcbmq/radius-fai... For those who don't like the binary files, please find a text version of the detailed wireshark EAP view of the (IMO) crucial frame 12 of each capture below (could you get it this detailed with something like tcpdump -vvr <file.pcap>?) Martin :::::::::::::: Wireshark view of Frame 12 from radius-cert-ok.pcap :::::::::::::: Frame 12: 1106 bytes on wire (8848 bits), 1106 bytes captured (8848 bits) Ethernet II, Src: Vmware_9e:04:cc (00:50:56:9e:04:cc), Dst: Vmware_9e:9d:fd (00:50:56:9e:9d:fd) Internet Protocol Version 4, Src: 172.25.1.26, Dst: 172.25.1.136 User Datagram Protocol, Src Port: 1812, Dst Port: 52334 RADIUS Protocol Code: Access-Challenge (11) Packet identifier: 0x5 (5) Length: 1064 Authenticator: a2087c11d371aab961d06781244abb8f [This is a response to a request in frame 11] [Time from request: 0.000416000 seconds] Attribute Value Pairs AVP: t=EAP-Message(79) l=255 Segment[1] Type: 79 Length: 255 EAP fragment: 010603e819403040a03ea03c863a687474703a2f2f636470... AVP: t=EAP-Message(79) l=255 Segment[2] Type: 79 Length: 255 EAP fragment: 2d726f6f742d67322d63612f7075622f6361636572742f63... AVP: t=EAP-Message(79) l=255 Segment[3] Type: 79 Length: 255 EAP fragment: 5c84a829396c94fc1092067b9eeed846b41bb5030c38d9dc... AVP: t=EAP-Message(79) l=243 Last Segment[4] Type: 79 Length: 243 EAP fragment: 6d732054727573742043656e746572312530230603550403... Extensible Authentication Protocol Code: Request (1) Id: 6 Length: 1000 Type: Protected EAP (EAP-PEAP) (25) EAP-TLS Flags: 0x40 0... .... = Length Included: False .1.. .... = More Fragments: True ..0. .... = Start: False .... .000 = Version: 0 [6 EAP-TLS Fragments (5266 bytes): #6(994), #8(994), #10(994), #12(994), #14(994), #16(296)] Secure Sockets Layer TLSv1.2 Record Layer: Handshake Protocol: Server Hello Content Type: Handshake (22) Version: TLS 1.2 (0x0303) Length: 89 Handshake Protocol: Server Hello Handshake Type: Server Hello (2) Length: 85 Version: TLS 1.2 (0x0303) Random: ececff1afc020cca949fef413b65d9bb9a81ccbb7318c8de... Session ID Length: 32 Session ID: 3dc4544aae705e713864d2afb2a807dd999588e556a041e6... Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) Compression Method: null (0) Extensions Length: 13 Extension: renegotiation_info (len=1) Extension: ec_point_formats (len=4) TLSv1.2 Record Layer: Handshake Protocol: Certificate Content Type: Handshake (22) Version: TLS 1.2 (0x0303) Length: 4820 Handshake Protocol: Certificate Handshake Type: Certificate (11) Length: 4816 Certificates Length: 4813 Certificates (4813 bytes) Certificate Length: 2046 Certificate: 308207fa308206e2a003020102020c22ff0567818198c001... (id-at-commonName=radius.staff.uni-marburg.de,id-at-organizationName=Philipps-Universitaet Marburg,id-at-localityName=Marburg,id-at-stateOrProvinceName=Hessen,id-at-countryNa signedCertificate version: v3 (2) serialNumber: 0x22ff0567818198c00178abea signature (sha256WithRSAEncryption) issuer: rdnSequence (0) rdnSequence: 4 items (id-at-commonName=DFN-Verein Global Issuing CA,id-at-organizationalUnitName=DFN-PKI,id-at-organizationName=Verein zur Foerderung eines Deutschen Fo,id-at-countryName=DE) RDNSequence item: 1 item (id-at-countryName=DE) RelativeDistinguishedName item (id-at-countryName=DE) Id: 2.5.4.6 (id-at-countryName) CountryName: DE RDNSequence item: 1 item (id-at-organizationName=Verein zur Foerderung eines Deutschen Fo) RelativeDistinguishedName item (id-at-organizationName=Verein zur Foerderung eines Deutschen Forschungsnetzes e. V.) Id: 2.5.4.10 (id-at-organizationName) DirectoryString: uTF8String (4) uTF8String: Verein zur Foerderung eines Deutschen Forschungsnetzes e. V. RDNSequence item: 1 item (id-at-organizationalUnitName=DFN-PKI) RelativeDistinguishedName item (id-at-organizationalUnitName=DFN-PKI) Id: 2.5.4.11 (id-at-organizationalUnitName) DirectoryString: uTF8String (4) uTF8String: DFN-PKI RDNSequence item: 1 item (id-at-commonName=DFN-Verein Global Issuing CA) RelativeDistinguishedName item (id-at-commonName=DFN-Verein Global Issuing CA) Id: 2.5.4.3 (id-at-commonName) DirectoryString: uTF8String (4) uTF8String: DFN-Verein Global Issuing CA validity subject: rdnSequence (0) subjectPublicKeyInfo extensions: 10 items algorithmIdentifier (sha256WithRSAEncryption) Padding: 0 encrypted: 64daeebb8fe3dedcd5de2e605133b23996eaa15f87d585d3... Certificate Length: 1456 Certificate: 308205ac30820494a00302010202071b63bad01e2c3d300d... (id-at-commonName=DFN-Verein Global Issuing CA,id-at-organizationalUnitName=DFN-PKI,id-at-organizationName=Verein zur Foerderung eines Deutschen Fo,id-at-countryName=DE) signedCertificate version: v3 (2) serialNumber: 7709478377892925 signature (sha256WithRSAEncryption) issuer: rdnSequence (0) rdnSequence: 4 items (id-at-commonName=DFN-Verein Certification Authority 2,id-at-organizationalUnitName=DFN-PKI,id-at-organizationName=Verein zur Foerderung eines Deutschen Fo,id-at-countryName=DE) RDNSequence item: 1 item (id-at-countryName=DE) RelativeDistinguishedName item (id-at-countryName=DE) Id: 2.5.4.6 (id-at-countryName) CountryName: DE RDNSequence item: 1 item (id-at-organizationName=Verein zur Foerderung eines Deutschen Fo) RelativeDistinguishedName item (id-at-organizationName=Verein zur Foerderung eines Deutschen Forschungsnetzes e. V.) Id: 2.5.4.10 (id-at-organizationName) DirectoryString: printableString (1) printableString: Verein zur Foerderung eines Deutschen Forschungsnetzes e. V. RDNSequence item: 1 item (id-at-organizationalUnitName=DFN-PKI) RelativeDistinguishedName item (id-at-organizationalUnitName=DFN-PKI) Id: 2.5.4.11 (id-at-organizationalUnitName) DirectoryString: printableString (1) printableString: DFN-PKI RDNSequence item: 1 item (id-at-commonName=DFN-Verein Certification Authority 2) RelativeDistinguishedName item (id-at-commonName=DFN-Verein Certification Authority 2) Id: 2.5.4.3 (id-at-commonName) DirectoryString: printableString (1) printableString: DFN-Verein Certification Authority 2 validity subject: rdnSequence (0) subjectPublicKeyInfo extensions: 7 items algorithmIdentifier (sha256WithRSAEncryption) Padding: 0 encrypted: 817845a44ea47f0e55f009b16a3e78cc6835a91cf3959e3f... Certificate Length: 1302 Certificate: 30820512308203faa003020102020900e30bd5f8af25d981... (id-at-commonName=DFN-Verein Certification Authority 2,id-at-organizationalUnitName=DFN-PKI,id-at-organizationName=Verein zur Foerderung eines Deutschen Fo,id-at-countryName= signedCertificate version: v3 (2) serialNumber: 16360405335420557697 signature (sha256WithRSAEncryption) issuer: rdnSequence (0) rdnSequence: 4 items (id-at-commonName=T-TeleSec GlobalRoot Class 2,id-at-organizationalUnitName=T-Systems Trust Center,id-at-organizationName=T-Systems Enterprise Services GmbH,id-at-countryName=DE) RDNSequence item: 1 item (id-at-countryName=DE) RelativeDistinguishedName item (id-at-countryName=DE) Id: 2.5.4.6 (id-at-countryName) CountryName: DE RDNSequence item: 1 item (id-at-organizationName=T-Systems Enterprise Services GmbH) RelativeDistinguishedName item (id-at-organizationName=T-Systems Enterprise Services GmbH) Id: 2.5.4.10 (id-at-organizationName) DirectoryString: uTF8String (4) uTF8String: T-Systems Enterprise Services GmbH RDNSequence item: 1 item (id-at-organizationalUnitName=T-Systems Trust Center) RelativeDistinguishedName item (id-at-organizationalUnitName=T-Systems Trust Center) Id: 2.5.4.11 (id-at-organizationalUnitName) DirectoryString: uTF8String (4) uTF8String: T-Systems Trust Center RDNSequence item: 1 item (id-at-commonName=T-TeleSec GlobalRoot Class 2) RelativeDistinguishedName item (id-at-commonName=T-TeleSec GlobalRoot Class 2) Id: 2.5.4.3 (id-at-commonName) DirectoryString: uTF8String (4) uTF8String: T-TeleSec GlobalRoot Class 2 validity subject: rdnSequence (0) subjectPublicKeyInfo extensions: 7 items algorithmIdentifier (sha256WithRSAEncryption) Padding: 0 encrypted: 870bff3e029b65c8562dd63b9a988b714fdaba29aa21f946... TLSv1.2 Record Layer: Handshake Protocol: Server Key Exchange Content Type: Handshake (22) Version: TLS 1.2 (0x0303) Length: 333 Handshake Protocol: Server Key Exchange Handshake Type: Server Key Exchange (12) Length: 329 EC Diffie-Hellman Server Params TLSv1.2 Record Layer: Handshake Protocol: Server Hello Done Content Type: Handshake (22) Version: TLS 1.2 (0x0303) Length: 4 Handshake Protocol: Server Hello Done Handshake Type: Server Hello Done (14) Length: 0 AVP: t=Message-Authenticator(80) l=18 val=01c86e83e5d890a95b7f3e39608a666b Type: 80 Length: 18 Message-Authenticator: 01c86e83e5d890a95b7f3e39608a666b AVP: t=State(24) l=18 val=296438242c62210883478b4a45d527cf Type: 24 Length: 18 State: 296438242c62210883478b4a45d527cf :::::::::::::: Wireshark view of Frame 12 from radius-fail.pcap :::::::::::::: Frame 12: 1095 bytes on wire (8760 bits), 1095 bytes captured (8760 bits) Ethernet II, Src: 00:00:00_00:00:00 (00:00:00:00:00:00), Dst: 00:00:00_00:00:00 (00:00:00:00:00:00) Internet Protocol Version 4, Src: 127.0.0.1, Dst: 127.0.0.1 User Datagram Protocol, Src Port: 1812, Dst Port: 59048 RADIUS Protocol Code: Access-Challenge (11) Packet identifier: 0x5 (5) Length: 1053 Authenticator: 7977f9cc3d9ebeac79bfe4ffe441e590 [This is a response to a request in frame 11] [Time from request: 0.004114000 seconds] Attribute Value Pairs AVP: t=EAP-Message(79) l=255 Segment[1] Type: 79 Length: 255 EAP fragment: 010603dd1900873081843040a03ea03c863a687474703a2f... AVP: t=EAP-Message(79) l=255 Segment[2] Type: 79 Length: 255 EAP fragment: 6f62616c2d726f6f742d67322d63612f7075622f63616365... AVP: t=EAP-Message(79) l=255 Segment[3] Type: 79 Length: 255 EAP fragment: 3e9604025c84a829396c94fc1092067b9eeed846b41bb503... AVP: t=EAP-Message(79) l=232 Last Segment[4] Type: 79 Length: 232 EAP fragment: 8a429cdf901457b8ffce6b85a19191978a4abcc6bd7185aa... Extensible Authentication Protocol Code: Request (1) Id: 6 Length: 989 Type: Protected EAP (EAP-PEAP) (25) EAP-TLS Flags: 0x00 0... .... = Length Included: False .0.. .... = More Fragments: False ..0. .... = Start: False .... .000 = Version: 0 [4 EAP-TLS Fragments (3965 bytes): #6(994), #8(994), #10(994), #12(983)] Secure Sockets Layer TLSv1.2 Record Layer: Handshake Protocol: Server Hello Content Type: Handshake (22) Version: TLS 1.2 (0x0303) Length: 93 Handshake Protocol: Server Hello Handshake Type: Server Hello (2) Length: 89 Version: TLS 1.2 (0x0303) Random: e12ebb4fffc990695388c0b31c4bf08cc0816c3e9c7ca195... Session ID Length: 32 Session ID: ccb87b0f29e0da7c4587a6fc24201b8731ad725258199b3b... Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) Compression Method: null (0) Extensions Length: 17 Extension: renegotiation_info (len=1) Extension: ec_point_formats (len=4) Extension: extended_master_secret (len=0) TLSv1.2 Record Layer: Handshake Protocol: Certificate Content Type: Handshake (22) Version: TLS 1.2 (0x0303) Length: 3515 Handshake Protocol: Certificate Handshake Type: Certificate (11) Length: 3511 Certificates Length: 3508 Certificates (3508 bytes) Certificate Length: 2046 Certificate: 308207fa308206e2a003020102020c22ff0567818198c001... (id-at-commonName=radius.staff.uni-marburg.de,id-at-organizationName=Philipps-Universitaet Marburg,id-at-localityName=Marburg,id-at-stateOrProvinceName=Hessen,id-at-countryNa signedCertificate version: v3 (2) serialNumber: 0x22ff0567818198c00178abea signature (sha256WithRSAEncryption) issuer: rdnSequence (0) rdnSequence: 4 items (id-at-commonName=DFN-Verein Global Issuing CA,id-at-organizationalUnitName=DFN-PKI,id-at-organizationName=Verein zur Foerderung eines Deutschen Fo,id-at-countryName=DE) RDNSequence item: 1 item (id-at-countryName=DE) RelativeDistinguishedName item (id-at-countryName=DE) Id: 2.5.4.6 (id-at-countryName) CountryName: DE RDNSequence item: 1 item (id-at-organizationName=Verein zur Foerderung eines Deutschen Fo) RelativeDistinguishedName item (id-at-organizationName=Verein zur Foerderung eines Deutschen Forschungsnetzes e. V.) Id: 2.5.4.10 (id-at-organizationName) DirectoryString: uTF8String (4) uTF8String: Verein zur Foerderung eines Deutschen Forschungsnetzes e. V. RDNSequence item: 1 item (id-at-organizationalUnitName=DFN-PKI) RelativeDistinguishedName item (id-at-organizationalUnitName=DFN-PKI) Id: 2.5.4.11 (id-at-organizationalUnitName) DirectoryString: uTF8String (4) uTF8String: DFN-PKI RDNSequence item: 1 item (id-at-commonName=DFN-Verein Global Issuing CA) RelativeDistinguishedName item (id-at-commonName=DFN-Verein Global Issuing CA) Id: 2.5.4.3 (id-at-commonName) DirectoryString: uTF8String (4) uTF8String: DFN-Verein Global Issuing CA validity subject: rdnSequence (0) subjectPublicKeyInfo extensions: 10 items algorithmIdentifier (sha256WithRSAEncryption) Padding: 0 encrypted: 64daeebb8fe3dedcd5de2e605133b23996eaa15f87d585d3... Certificate Length: 1456 Certificate: 308205ac30820494a00302010202071b63bad01e2c3d300d... (id-at-commonName=DFN-Verein Global Issuing CA,id-at-organizationalUnitName=DFN-PKI,id-at-organizationName=Verein zur Foerderung eines Deutschen Fo,id-at-countryName=DE) signedCertificate version: v3 (2) serialNumber: 7709478377892925 signature (sha256WithRSAEncryption) issuer: rdnSequence (0) rdnSequence: 4 items (id-at-commonName=DFN-Verein Certification Authority 2,id-at-organizationalUnitName=DFN-PKI,id-at-organizationName=Verein zur Foerderung eines Deutschen Fo,id-at-countryName=DE) RDNSequence item: 1 item (id-at-countryName=DE) RelativeDistinguishedName item (id-at-countryName=DE) Id: 2.5.4.6 (id-at-countryName) CountryName: DE RDNSequence item: 1 item (id-at-organizationName=Verein zur Foerderung eines Deutschen Fo) RelativeDistinguishedName item (id-at-organizationName=Verein zur Foerderung eines Deutschen Forschungsnetzes e. V.) Id: 2.5.4.10 (id-at-organizationName) DirectoryString: printableString (1) printableString: Verein zur Foerderung eines Deutschen Forschungsnetzes e. V. RDNSequence item: 1 item (id-at-organizationalUnitName=DFN-PKI) RelativeDistinguishedName item (id-at-organizationalUnitName=DFN-PKI) Id: 2.5.4.11 (id-at-organizationalUnitName) DirectoryString: printableString (1) printableString: DFN-PKI RDNSequence item: 1 item (id-at-commonName=DFN-Verein Certification Authority 2) RelativeDistinguishedName item (id-at-commonName=DFN-Verein Certification Authority 2) Id: 2.5.4.3 (id-at-commonName) DirectoryString: printableString (1) printableString: DFN-Verein Certification Authority 2 validity subject: rdnSequence (0) subjectPublicKeyInfo extensions: 7 items algorithmIdentifier (sha256WithRSAEncryption) Padding: 0 encrypted: 817845a44ea47f0e55f009b16a3e78cc6835a91cf3959e3f... TLSv1.2 Record Layer: Handshake Protocol: Server Key Exchange Content Type: Handshake (22) Version: TLS 1.2 (0x0303) Length: 333 Handshake Protocol: Server Key Exchange Handshake Type: Server Key Exchange (12) Length: 329 EC Diffie-Hellman Server Params TLSv1.2 Record Layer: Handshake Protocol: Server Hello Done Content Type: Handshake (22) Version: TLS 1.2 (0x0303) Length: 4 Handshake Protocol: Server Hello Done Handshake Type: Server Hello Done (14) Length: 0 AVP: t=Message-Authenticator(80) l=18 val=b4518e69f9fe31bc2518285469c3315e AVP: t=State(24) l=18 val=fa37451fff315c8630ff81bc4e7a54b3 -- Dr. Martin Pauly Phone: +49-6421-28-23527 HRZ Univ. Marburg Fax: +49-6421-28-26994 Hans-Meerwein-Str. E-Mail: pauly@HRZ.Uni-Marburg.DE D-35032 Marburg