rlm_eap: SSL error
Hi List, FreeRADIUS 1.1.4 on FreeBSD (5-STABLE), Apple Airport Extreme NAS, MacBook Pro client, WPA2 Enterprise with 2k keys. I'm having the much mentioned but very hard to get real information about error below: Wed Jan 17 08:00:11 2007 : Error: TLS_accept:error in SSLv3 read client certificate A Wed Jan 17 08:00:11 2007 : Error: rlm_eap: SSL error error: 00000000:lib(0):func(0):reason(0) Wed Jan 17 08:00:11 2007 : Error: rlm_eap: SSL error error: 00000000:lib(0):func(0):reason(0) Wed Jan 17 08:00:11 2007 : Auth: Login OK: [wireless- client.jamver.id.au] (from client apple-basestation port 255 cli xx- xx-xx-xx-xx-xx) Now, the best explanation I can find on list is that it's safe to ignore the 3 lines of errors, which, although appears to be very accurate in that they have no effect on the running service, should not be there if they are really not errors. Can anybody explain what is actually causing these errors (and why) and what would be required to silence them? cheers, James
James Lever wrote: ...
I'm having the much mentioned but very hard to get real information about error below:
Wed Jan 17 08:00:11 2007 : Error: TLS_accept:error in SSLv3 read client certificate A
That just means there's no client certificate.
Wed Jan 17 08:00:11 2007 : Error: rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) Wed Jan 17 08:00:11 2007 : Error: rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)
OpenSSL puts a lot of effort into telling the application that there was an error, and then saying "nope, no error" when asked for more details.
Now, the best explanation I can find on list is that it's safe to ignore the 3 lines of errors, which, although appears to be very accurate in that they have no effect on the running service, should not be there if they are really not errors.
Can anybody explain what is actually causing these errors (and why) and what would be required to silence them?
Fix OpenSSL. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
On 17/01/2007, at 4:47 PM, Alan DeKok wrote:
James Lever wrote:
Wed Jan 17 08:00:11 2007 : Error: TLS_accept:error in SSLv3 read client certificate A That just means there's no client certificate.
Interesting given I'm only allowing EAP-TLS access to my wireless LAN (or attempting to) Below is the log output when run in full debugging (excerpt) -- rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 6 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake rlm_eap_tls: <<< TLS 1.0 Handshake [length 0be8], Certificate chain-depth=1, error=0 --> User-Name = clientCN --> BUF-Name = :30 2007 : Info: Ready to process requests. --> subject = /C=AU/issuerDN --> issuer = /C=AU/issuerDN --> verify return:1 radius_xlat: 'clientCN' rlm_eap_tls: checking certificate CN (clientCN) with xlat'ed value (clientCN) chain-depth=0, error=0 --> User-Name = clientCN --> BUF-Name = clientCN --> subject = /C=AU/clientDN --> issuer = /C=AU/issuerDN --> verify return:1 TLS_accept: SSLv3 read client certificate A rlm_eap_tls: <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 Handshake [length 0106], CertificateVerify TLS_accept: SSLv3 read certificate verify A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) SSL Connection Established eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 6 modcall: leaving group authenticate (returns handled) for request 6 -- When I try to do the same with a Certificate from another CA it fails as expected. So why does the EAP-TLS login work even though it complains that no certificate was received? Is the certificate actually validated and hence there really was no error, or is FreeRADIUS or OpenSSL authorising where it should not? cheers, James
Hi, please mark the difference between those two "errors":
Wed Jan 17 08:00:11 2007 : Error: TLS_accept:error in SSLv3 read client certificate A
(other): SSL negotiation finished successfully rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)
The first one, which looks a bit scarier, has already been explained. The second one happens later in time with respect to the ongoing conversation between freeradius and your supplicant, when freeradius has eventually recieved your client certificate. So you just get to see the "error" message meaning that no error occured. hth K. Hoercher
participants (3)
-
Alan DeKok -
James Lever -
K. Hoercher