EAP-TLS - TLS 1.0 Alert [length 0002], fatal internal_error
Hi! We're running openssl-1.0.1e-30.el6_6.4.x86_64 and freeradius-2.1.12-6.el6.x86_64 on a RHEL6. We're using EAP-TLS with Windows clients and IP phones with no problems. Now we want to add MFD systems from Canon also as clients and we get following openssl error, while running free radius in debug mode. The error happens already on the second packet the radius server gets from the MFD. First Packet: Tue Jan 13 16:19:31 2015 : Debug: Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.15.132.2 port 39460, id=212, length=143 User-Name = "jwf68365.mfp.tirol.local" EAP-Message = 0x0212001d016a776636383336352e6d66702e7469726f6c2e6c6f63616c NAS-IP-Address = 10.15.132.2 Service-Type = Login-User Calling-Station-Id = "F4-81-39-C8-00-CE" NAS-Port-Id = "1:3" NAS-Port = 1003 NAS-Port-Type = Ethernet Message-Authenticator = 0x46be9f4cbce0fb5c68c67280b8ff5784 .... Tue Jan 13 16:19:31 2015 : Info: [eap] EAP Identity Tue Jan 13 16:19:31 2015 : Info: [eap] processing type tls Tue Jan 13 16:19:31 2015 : Info: [tls] Requiring client certificate Tue Jan 13 16:19:31 2015 : Info: [tls] Initiate Tue Jan 13 16:19:31 2015 : Info: [tls] Start returned 1 .... Sending Access-Challenge of id 212 to 10.15.132.2 port 39460 EAP-Message = 0x011300060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xea9fd73aea8cdaa07914c31bfc979134 Second Packet: Tue Jan 13 16:19:31 2015 : Debug: Going to the next request Tue Jan 13 16:19:31 2015 : Debug: Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.15.132.2 port 39460, id=213, length=239 User-Name = "jwf68365.mfp.tirol.local" EAP-Message = 0x0213006b0d8000000061160301005c01000058030154b537821306fa9c57603eb40ab2f22a9b3cdcc496fa91589413aa835503a4d400001e002f0035000400050009000a00030008c013c014c009c00a00330039001601000011000a00080006001700180019000b000100 NAS-IP-Address = 10.15.132.2 Service-Type = Login-User Calling-Station-Id = "F4-81-39-C8-00-CE" NAS-Port-Id = "1:3" NAS-Port = 1003 NAS-Port-Type = Ethernet State = 0xea9fd73aea8cdaa07914c31bfc979134 Message-Authenticator = 0x2482cae69f6e75122c8a7fd7bbbf72a2 ....... Tue Jan 13 16:19:31 2015 : Info: [eap] EAP packet type response id 19 length 107 Tue Jan 13 16:19:31 2015 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation Tue Jan 13 16:19:31 2015 : Info: +++[eap] returns updated Tue Jan 13 16:19:31 2015 : Info: ++- else else returns updated Tue Jan 13 16:19:31 2015 : Info: Found Auth-Type = EAP Tue Jan 13 16:19:31 2015 : Info: # Executing group from file /etc/raddb//sites-enabled/default Tue Jan 13 16:19:31 2015 : Info: +- entering group EAP {...} Tue Jan 13 16:19:31 2015 : Info: [eap] Request found, released from the list Tue Jan 13 16:19:31 2015 : Info: [eap] EAP/tls Tue Jan 13 16:19:31 2015 : Info: [eap] processing type tls Tue Jan 13 16:19:31 2015 : Info: [tls] Authenticate Tue Jan 13 16:19:31 2015 : Info: [tls] processing EAP-TLS Tue Jan 13 16:19:31 2015 : Debug: TLS Length 97 Tue Jan 13 16:19:31 2015 : Info: [tls] Length Included Tue Jan 13 16:19:31 2015 : Info: [tls] eaptls_verify returned 11 Tue Jan 13 16:19:31 2015 : Info: [tls] (other): before/accept initialization Tue Jan 13 16:19:31 2015 : Info: [tls] TLS_accept: before/accept initialization Tue Jan 13 16:19:31 2015 : Info: [tls] <<< TLS 1.0 Handshake [length 005c], ClientHello Tue Jan 13 16:19:31 2015 : Info: [tls] >>> TLS 1.0 Alert [length 0002], fatal internal_error Tue Jan 13 16:19:31 2015 : Error: TLS Alert write:fatal:internal error Tue Jan 13 16:19:31 2015 : Error: TLS_accept: error in SSLv3 read client hello C Tue Jan 13 16:19:31 2015 : Error: rlm_eap: SSL error error:1408A0E3:SSL routines:SSL3_GET_CLIENT_HELLO:parse tlsext Tue Jan 13 16:19:31 2015 : Error: SSL: SSL_read failed in a system call (-1), TLS session fails. Tue Jan 13 16:19:31 2015 : Debug: TLS receive handshake failed during operation Tue Jan 13 16:19:31 2015 : Info: [tls] eaptls_process returned 4 Tue Jan 13 16:19:31 2015 : Info: [eap] Handler failed in EAP/tls Tue Jan 13 16:19:31 2015 : Info: [eap] Failed in EAP select .... Sending Access-Reject of id 213 to 10.15.132.2 port 39460 EAP-Message = 0x04130004 Message-Authenticator = 0x00000000000000000000000000000000 Regards, Robert Penz
On Jan 14, 2015, at 2:00 AM, PENZ Robert <ROBERT.PENZ@TIROL.GV.AT> wrote:
We're running openssl-1.0.1e-30.el6_6.4.x86_64 and freeradius-2.1.12-6.el6.x86_64 o
Upgrade to 2.2.6. You don’t have to put it in production, but you can at least test it. If 2.2.6 works… then upgrade your production systems to it.
n a RHEL6. We're using EAP-TLS with Windows clients and IP phones with no problems. Now we want to add MFD systems from Canon also as clients and we get following openssl error, while running free radius in debug mode. The error happens already on the second packet the radius server gets from the MFD.
Many vendors have *terrible* implementations of EAP. They should just use wpa_supplicant.
Tue Jan 13 16:19:31 2015 : Info: [tls] <<< TLS 1.0 Handshake [length 005c], ClientHello Tue Jan 13 16:19:31 2015 : Info: [tls] >>> TLS 1.0 Alert [length 0002], fatal internal_error Tue Jan 13 16:19:31 2015 : Error: TLS Alert write:fatal:internal error
Something bad happened in OpenSSL.
Tue Jan 13 16:19:31 2015 : Error: TLS_accept: error in SSLv3 read client hello C Tue Jan 13 16:19:31 2015 : Error: rlm_eap: SSL error error:1408A0E3:SSL routines:SSL3_GET_CLIENT_HELLO:parse tlsext
Hmm… OpenSSL doesn’t like the tls extensions sent by the Canon systems. In short.. there’s little you can do. Call Canon and tell them to test their systems with OpenSSL. This is all weird SSL stuff that I try to avoid. SSL is insanely complicated. The OpenSSL code is worse. :( Alan DeKok.
On 14 Jan 2015, at 16:44, Alan DeKok <aland@deployingradius.com> wrote:
This is all weird SSL stuff that I try to avoid. SSL is insanely complicated. The OpenSSL code is worse. :(
That said Alan, have you tried libressl portable with FR yet to see whether things function? Just wondering. Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 197 0632 86. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200.
On Jan 14, 2015, at 12:09 PM, Stefan Paetow <Stefan.Paetow@jisc.ac.uk> wrote:
That said Alan, have you tried libressl portable with FR yet to see whether things function?
No. It *should* work. But the OpenBSD guys have changed some behaviour. So the libraries will gradually get out of sync. Alan DeKok.
participants (3)
-
Alan DeKok -
PENZ Robert -
Stefan Paetow