EAP-TLS / OpenSSL Debug Output
Wed May 27 00:16:37 2015 : Debug: (118) eap_tls: TLS_accept: SSLv3 read client certificate A Wed May 27 00:16:37 2015 : Debug: (118) eap_tls: <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange Wed May 27 00:16:37 2015 : Debug: (118) eap_tls: TLS_accept: SSLv3 read client key exchange A Wed May 27 00:16:37 2015 : Debug: (118) eap_tls: <<< TLS 1.0 Handshake [length 0106], CertificateVerify Wed May 27 00:16:37 2015 : Debug: (118) eap_tls: TLS_accept: SSLv3 read certificate verify A Wed May 27 00:16:37 2015 : Debug: (118) eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] Wed May 27 00:16:37 2015 : Debug: (118) eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished Wed May 27 00:16:37 2015 : Debug: (118) eap_tls: TLS_accept: SSLv3 read finished A Wed May 27 00:16:37 2015 : Debug: (118) eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] Wed May 27 00:16:37 2015 : Debug: (118) eap_tls: TLS_accept: SSLv3 write change cipher spec A Wed May 27 00:16:37 2015 : Debug: (118) eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished Wed May 27 00:16:37 2015 : Debug: (118) eap_tls: TLS_accept: SSLv3 write finished A Wed May 27 00:16:37 2015 : Debug: (118) eap_tls: TLS_accept: SSLv3 flush data Wed May 27 00:16:37 2015 : Debug: (118) eap_tls: (other): SSL negotiation finished successfully Wed May 27 00:16:37 2015 : Debug: SSL Connection Established While Windows (including XP) as well as Apple clients (including iOS) are working great Android has issues connecting using EAP-TLS. As soon as I select a CA certificate in Android the connection is not possible. If I don't select any CA certificate the connection works, beside it's actually not EAP-TLS since the server certificate is not validated. Just for my understanding, in the above debug output which side of the
and <<< is the RADIUS server and which is the client? Does the second line means the server (left) read from the client (right)? If so does the last line means the server (left) wrote to the client (right)?
The debug output of the failing Android EAP-TLS attempt is below - in case someone is interested. Wed May 27 00:10:44 2015 : Debug: (89) eap: EAP TLS (13) Wed May 27 00:10:44 2015 : Debug: (89) eap: Calling eap_tls to process EAP data Wed May 27 00:10:44 2015 : Debug: (89) eap_tls: Authenticate Wed May 27 00:10:44 2015 : Debug: (89) eap_tls: processing EAP-TLS Wed May 27 00:10:44 2015 : Debug: (89) eap_tls: eaptls_verify returned 7 Wed May 27 00:10:44 2015 : Debug: (89) eap_tls: Done initial handshake Wed May 27 00:10:44 2015 : Debug: (89) eap_tls: <<< TLS 1.0 Alert [length 0002], fatal unknown_ca Wed May 27 00:10:44 2015 : ERROR: (89) eap_tls: TLS Alert read:fatal:unknown CA Wed May 27 00:10:44 2015 : ERROR: (89) eap_tls: TLS_accept: Failed in SSLv3 read client certificate A Wed May 27 00:10:44 2015 : ERROR: (89) eap_tls: SSL says: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca Wed May 27 00:10:44 2015 : Error: SSL: SSL_read failed inside of TLS (-1), TLS session fails. Wed May 27 00:10:44 2015 : Debug: TLS receive handshake failed during operation Wed May 27 00:10:44 2015 : Debug: (89) eap_tls: eaptls_process returned 4 Wed May 27 00:10:44 2015 : ERROR: (89) eap: Failed continuing EAP TLS (13) session. EAP sub-module failed And for everybody else. Here is the official error return codes page for openssl https://www.openssl.org/docs/ssl/SSL_alert_type_string.html
On May 26, 2015, at 6:27 PM, Ben Humpert <ben@an3k.de> wrote:
While Windows (including XP) as well as Apple clients (including iOS) are working great Android has issues connecting using EAP-TLS. As soon as I select a CA certificate in Android the connection is not possible. If I don't select any CA certificate the connection works,
Because it's not validating the CA cert in that case.
beside it's actually not EAP-TLS since the server certificate is not validated.
Exactly.
Just for my understanding, in the above debug output which side of the
and <<< is the RADIUS server and which is the client? Does the second line means the server (left) read from the client (right)? If so does the last line means the server (left) wrote to the client (right)?
Yes.
The debug output of the failing Android EAP-TLS attempt is below - in case someone is interested.
Wed May 27 00:10:44 2015 : Debug: (89) eap_tls: <<< TLS 1.0 Alert [length 0002], fatal unknown_ca Wed May 27 00:10:44 2015 : ERROR: (89) eap_tls: TLS Alert read:fatal:unknown CA Wed May 27 00:10:44 2015 : ERROR: (89) eap_tls: TLS_accept: Failed in SSLv3 read client certificate A
The client certificate was signed by a CA unknown to FreeRADIUS. You need to put the CA in the raddb/certs directory, and configure FreeRADIUS to read it. Alan DeKok.
2015-05-27 16:11 GMT+02:00 Alan DeKok <aland@deployingradius.com>:
On May 26, 2015, at 6:27 PM, Ben Humpert <ben@an3k.de> wrote:
Because it's not validating the CA cert in that case.
[...]
Exactly.
[...]
Yes.
Thanks for clarification!
The debug output of the failing Android EAP-TLS attempt is below - in case someone is interested.
Wed May 27 00:10:44 2015 : Debug: (89) eap_tls: <<< TLS 1.0 Alert [length 0002], fatal unknown_ca Wed May 27 00:10:44 2015 : ERROR: (89) eap_tls: TLS Alert read:fatal:unknown CA Wed May 27 00:10:44 2015 : ERROR: (89) eap_tls: TLS_accept: Failed in SSLv3 read client certificate A
The client certificate was signed by a CA unknown to FreeRADIUS. You need to put the CA in the raddb/certs directory, and configure FreeRADIUS to read it.
The client certificate is signed by the same CA (Signing CA) that also signed the server certificate. If I specify the Signing CA cert in ca_file and try to connect with Android (with the Signing CA cert specified) I get the 'unknown CA' error. If I disable ca certificate in Android I get Wed May 27 16:53:25 2015 : Debug: (12) eap: Peer sent method TLS (13) Wed May 27 16:53:25 2015 : Debug: (12) eap: EAP TLS (13) Wed May 27 16:53:25 2015 : Debug: (12) eap: Calling eap_tls to process EAP data Wed May 27 16:53:25 2015 : Debug: (12) eap_tls: Authenticate Wed May 27 16:53:25 2015 : Debug: (12) eap_tls: processing EAP-TLS Wed May 27 16:53:25 2015 : Debug: (12) eap_tls: eaptls_verify returned 7 Wed May 27 16:53:25 2015 : Debug: (12) eap_tls: Done initial handshake Wed May 27 16:53:25 2015 : Debug: (12) eap_tls: <<< TLS 1.0 Handshake [length 04ac], Certificate Wed May 27 16:53:25 2015 : Debug: (12) eap_tls: TLS Verify adding attributes Wed May 27 16:53:25 2015 : Debug: (12) eap_tls: &request:TLS-Cert-Serial := 'b24773ef84a841ea922f418cb40c6a24' Wed May 27 16:53:25 2015 : Debug: (12) eap_tls: &request:TLS-Cert-Expiration := '200521225429Z' Wed May 27 16:53:25 2015 : Debug: (12) eap_tls: &request:TLS-Cert-Subject := '/C=DE/ST=DE-BY/O=Example Company/CN=Signing CA' Wed May 27 16:53:25 2015 : Debug: (12) eap_tls: &request:TLS-Cert-Issuer := '/C=DE/O=Example Company/CN=Root CA' Wed May 27 16:53:25 2015 : Debug: (12) eap_tls: &request:TLS-Cert-Common-Name := 'Signing CA' Wed May 27 16:53:25 2015 : ERROR: (12) eap_tls: SSL says error 2 : unable to get issuer certificate Wed May 27 16:53:25 2015 : Debug: (12) eap_tls: >>> TLS 1.0 Alert [length 0002], fatal unknown_ca Wed May 27 16:53:25 2015 : ERROR: (12) eap_tls: TLS Alert write:fatal:unknown CA Wed May 27 16:53:25 2015 : Error: tls: TLS_accept: Error in SSLv3 read client certificate B Wed May 27 16:53:25 2015 : ERROR: (12) eap_tls: SSL says: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned Wed May 27 16:53:25 2015 : Error: SSL: SSL_read failed in a system call (-1), TLS session fails. This is because the server doesn't know the complete chain. Thus I now specify ChainedCert.crt in ca_file which contains the Signing CA cert in PEM format followed by the Root CA cert in PEM format. If I try to connect now (still with no ca certificate specified in Android) I can connect. If I now select the Signing CA cert in Android as ca certificate again I still get the 'unknown CA' error. If I instead specify the Root CA cert in Android I get Wed May 27 17:03:25 2015 : Debug: (26) eap: Peer sent method TLS (13) Wed May 27 17:03:25 2015 : Debug: (26) eap: EAP TLS (13) Wed May 27 17:03:25 2015 : Debug: (26) eap: Calling eap_tls to process EAP data Wed May 27 17:03:25 2015 : Debug: (26) eap_tls: Authenticate Wed May 27 17:03:25 2015 : Debug: (26) eap_tls: processing EAP-TLS Wed May 27 17:03:25 2015 : Debug: (26) eap_tls: eaptls_verify returned 7 Wed May 27 17:03:25 2015 : Debug: (26) eap_tls: Done initial handshake Wed May 27 17:03:25 2015 : Debug: (26) eap_tls: <<< TLS 1.0 Alert [length 0002], fatal certificate_unknown Wed May 27 17:03:25 2015 : ERROR: (26) eap_tls: TLS Alert read:fatal:certificate unknown Wed May 27 17:03:25 2015 : ERROR: (26) eap_tls: TLS_accept: Failed in SSLv3 read client certificate A Wed May 27 17:03:25 2015 : ERROR: (26) eap_tls: SSL says: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown Wed May 27 17:03:25 2015 : Error: SSL: SSL_read failed inside of TLS (-1), TLS session fails. Wed May 27 17:03:25 2015 : Debug: TLS receive handshake failed during operation Wed May 27 17:03:25 2015 : Debug: (26) eap_tls: eaptls_process returned 4 Wed May 27 17:03:25 2015 : ERROR: (26) eap: Failed continuing EAP TLS (13) session. EAP sub-module failed In my raddb/certs directory I have the SigningCA.crt, the RootCA.crt, radius.crt (specified as certificate_file), radius.key (private_key_file) and ChainedCA.crt (ca_file).
On May 27, 2015, at 11:13 AM, Ben Humpert <ben@an3k.de> wrote:
The client certificate is signed by the same CA (Signing CA) that also signed the server certificate. If I specify the Signing CA cert in ca_file and try to connect with Android (with the Signing CA cert specified) I get the 'unknown CA' error. If I disable ca certificate in Android I get
Errors. Test it with eapol_test. Odds are it will work. Then ask Android why their supplicant doesn't work.
In my raddb/certs directory I have the SigningCA.crt, the RootCA.crt, radius.crt (specified as certificate_file), radius.key (private_key_file) and ChainedCA.crt (ca_file).
That should be fine. But vendors are well known for brutally destroying protocols so that they don't work. Alan DeKok.
Thank you very much for your help (again :). I sorted it all out. The Signing CA certificate has nameContraints set. It is only allowed to sign certificates with either an IP address from the three private address ranges or DNS names which end on .lan or .local However, the violation check should only applied onto CN if subjectAltName is not present and then only when either an DNS or IP address is specified but not if a random name for CN (eg. RADIUS server) is applied. With the original RADIUS server certificate (DN="/C=DE/O=Example Company/CN=RADIUS Server" and subjectAltName="DNS:radius.home.lan,IP:10.11.12.13") and eapol_test I got the same unknown certificate error in FR debug but in eapol_test I additionally got TLS: Certificate verification failed, error 47 (permitted subtree violation) depth 0 for '/C=DE/O=Example Company/CN=RADIUS Server' CTRL-EVENT-EAP-TLS-CERT-ERROR reason=0 depth=0 subject='/C=DE/O=Example Company/CN=RADIUS Server' err='permitted subtree violation' EAP: Status notification: remote certificate verification (param=permitted subtree violation) [...] SSL: SSL3 alert: write (local SSL3 detected an error):fatal:certificate unknown EAP: Status notification: local TLS alert (param=certificate unknown) [...] OpenSSL: openssl_handshake - SSL_connect error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed Sadly OpenSSL doesn't send the actual error to the server but unknown certificate instead which is like "unknown error" in windows. I then created a cert without subjectAltName but got the same error. Another new certificate with radius.home.lan as CN and still no subjectAltName and eapol_test as well as Android didn't throw an error but connected successfully. It is actually an awesome bug in OpenSSL. I ran some tests some weeks ago with OpenSSL's s_client tool and SSL Web Server and the result was that s_client doesn't check the CN field for nameConstraints violation. While all major web browsers denied the web server certificate for CN=www.google.de (because .de was not permitted) s_client reported "Verify return code: 0 (ok)". Obviously s_client behaves differently than OpenSSL itself but in both the nameConstraints validation code is completely broken and even worse than it is in Internet Explorer (which can't handle IP addresses in subjectAltName, just like OpenSSL). Thanks again and sorry for not directly using eapol_test. At least I now can more easily help others with cert problems ;) Have a great day! Ben 2015-05-27 23:30 GMT+02:00 Alan DeKok <aland@deployingradius.com>:
On May 27, 2015, at 11:13 AM, Ben Humpert <ben@an3k.de> wrote:
The client certificate is signed by the same CA (Signing CA) that also signed the server certificate. If I specify the Signing CA cert in ca_file and try to connect with Android (with the Signing CA cert specified) I get the 'unknown CA' error. If I disable ca certificate in Android I get
Errors.
Test it with eapol_test. Odds are it will work.
Then ask Android why their supplicant doesn't work.
In my raddb/certs directory I have the SigningCA.crt, the RootCA.crt, radius.crt (specified as certificate_file), radius.key (private_key_file) and ChainedCA.crt (ca_file).
That should be fine.
But vendors are well known for brutally destroying protocols so that they don't work.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
And here's an EAP-TLS eapol_test conf file for http://deployingradius.com/scripts/eapol_test/ :) 2015-05-28 10:29 GMT+02:00 Ben Humpert <ben@an3k.de>:
Thank you very much for your help (again :). I sorted it all out.
The Signing CA certificate has nameContraints set. It is only allowed to sign certificates with either an IP address from the three private address ranges or DNS names which end on .lan or .local However, the violation check should only applied onto CN if subjectAltName is not present and then only when either an DNS or IP address is specified but not if a random name for CN (eg. RADIUS server) is applied. With the original RADIUS server certificate (DN="/C=DE/O=Example Company/CN=RADIUS Server" and subjectAltName="DNS:radius.home.lan,IP:10.11.12.13") and eapol_test I got the same unknown certificate error in FR debug but in eapol_test I additionally got
TLS: Certificate verification failed, error 47 (permitted subtree violation) depth 0 for '/C=DE/O=Example Company/CN=RADIUS Server' CTRL-EVENT-EAP-TLS-CERT-ERROR reason=0 depth=0 subject='/C=DE/O=Example Company/CN=RADIUS Server' err='permitted subtree violation' EAP: Status notification: remote certificate verification (param=permitted subtree violation) [...] SSL: SSL3 alert: write (local SSL3 detected an error):fatal:certificate unknown EAP: Status notification: local TLS alert (param=certificate unknown) [...] OpenSSL: openssl_handshake - SSL_connect error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Sadly OpenSSL doesn't send the actual error to the server but unknown certificate instead which is like "unknown error" in windows.
I then created a cert without subjectAltName but got the same error. Another new certificate with radius.home.lan as CN and still no subjectAltName and eapol_test as well as Android didn't throw an error but connected successfully.
It is actually an awesome bug in OpenSSL. I ran some tests some weeks ago with OpenSSL's s_client tool and SSL Web Server and the result was that s_client doesn't check the CN field for nameConstraints violation. While all major web browsers denied the web server certificate for CN=www.google.de (because .de was not permitted) s_client reported "Verify return code: 0 (ok)". Obviously s_client behaves differently than OpenSSL itself but in both the nameConstraints validation code is completely broken and even worse than it is in Internet Explorer (which can't handle IP addresses in subjectAltName, just like OpenSSL).
Thanks again and sorry for not directly using eapol_test. At least I now can more easily help others with cert problems ;)
Have a great day!
Ben
2015-05-27 23:30 GMT+02:00 Alan DeKok <aland@deployingradius.com>:
On May 27, 2015, at 11:13 AM, Ben Humpert <ben@an3k.de> wrote:
The client certificate is signed by the same CA (Signing CA) that also signed the server certificate. If I specify the Signing CA cert in ca_file and try to connect with Android (with the Signing CA cert specified) I get the 'unknown CA' error. If I disable ca certificate in Android I get
Errors.
Test it with eapol_test. Odds are it will work.
Then ask Android why their supplicant doesn't work.
In my raddb/certs directory I have the SigningCA.crt, the RootCA.crt, radius.crt (specified as certificate_file), radius.key (private_key_file) and ChainedCA.crt (ca_file).
That should be fine.
But vendors are well known for brutally destroying protocols so that they don't work.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Alan DeKok -
Ben Humpert