When a client try to log in with an valid certificate it works. But I get this error: TLS_accept:error in SSLv3 read client certificate A Tue Feb 7 18:34:53 2006 : Info: rlm_eap_tls: Received EAP-TLS ACK message Tue Feb 7 18:34:53 2006 : Info: rlm_eap_tls: Received EAP-TLS ACK message Tue Feb 7 18:34:53 2006 : Info: rlm_eap_tls: Received EAP-TLS ACK message Tue Feb 7 18:34:53 2006 : Info: rlm_eap_tls: Received EAP-TLS ACK message Tue Feb 7 18:34:54 2006 : Info: rlm_eap_tls: Received EAP-TLS First Fragment of the message Tue Feb 7 18:34:55 2006 : Info: rlm_eap_tls: More fragments to follow Tue Feb 7 18:34:55 2006 : Info: (other): SSL negotiation finished successfully Tue Feb 7 18:34:55 2006 : Info: rlm_eap_tls: Received EAP-TLS ACK message Tue Feb 7 18:34:55 2006 : Auth: Login OK: [schneeball.netz-von-frank/<no User-Password attribute>] (from client DasGrosseWLAN port 24 cli 000e2e3ee98f) In the client cert I have set the 1.3.6.1.5.5.7.3.2 (Client authentication) attribute. And the server cert has set the 1.3.6.1.5.5.7.3.1( Server authentication) attribute.
You can also add the following to a file called xpextensions.... RPM-vmware ssl # cat xpextensions [ xpclient_ext] extendedKeyUsage = 1.3.6.1.5.5.7.3.2 [ xpserver_ext ] extendedKeyUsage = 1.3.6.1.5.5.7.3.1 Then when you sign the cert, you add -extfile = xpextensions That should get rid of the error, I believe I found all of this in the EAP-TLS howto, right off the main page of the freeradius site. -BOb Alan DeKok wrote:
=?ISO-8859-15?Q?Frank_B=FCttner?= <frank-buettner@gmx.net> wrote:
When a client try to log in with an valid certificate it works. But I get this error: TLS_accept:error in SSLv3 read client certificate A
Ignore it.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan DeKok -
Frank Büttner -
Robert Myers