Failed in SSLv3 read client certificate A
Trying to use EAP-TLS to authenticate an iPad on radius going through a wireless access point that is controlled by a Lan controller Cisco 2504. Seeing the following in the radius logs: (48) eap_tls: ERROR: TLS_accept: Failed in SSLv3 read client certificate A (48) eap_tls: ERROR: SSL says: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure (48) eap_tls: ERROR: SSL_read failed in a system call (-1), TLS session failed (48) eap_tls: ERROR: TLS receive handshake failed during operation My questions: #1) I'm hoping someone may have experienced this before and knows exactly how to fix it. "Oh yeah, you need to do blah on the iPad" or "Oh you need to trust the CA on the lan controller" or whatever #2) Is there a way to get more information from radius? It's unclear whether Radius (a) received the client certificate but does not understand it, or (b) did not receive the client certificate at all -- --- Michael Martinez http://www.michael--martinez.com
Anyone have any thoughts on this, please? On Thu, Jun 2, 2016 at 7:45 AM, Michael Martinez <mwtzzz@gmail.com> wrote:
Trying to use EAP-TLS to authenticate an iPad on radius going through a wireless access point that is controlled by a Lan controller Cisco 2504. Seeing the following in the radius logs:
(48) eap_tls: ERROR: TLS_accept: Failed in SSLv3 read client certificate A (48) eap_tls: ERROR: SSL says: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure (48) eap_tls: ERROR: SSL_read failed in a system call (-1), TLS session failed (48) eap_tls: ERROR: TLS receive handshake failed during operation
My questions:
#1) I'm hoping someone may have experienced this before and knows exactly how to fix it. "Oh yeah, you need to do blah on the iPad" or "Oh you need to trust the CA on the lan controller" or whatever
#2) Is there a way to get more information from radius? It's unclear whether Radius (a) received the client certificate but does not understand it, or (b) did not receive the client certificate at all
-- --- Michael Martinez http://www.michael--martinez.com
-- --- Michael Martinez http://www.michael--martinez.com
(48) eap_tls: ERROR: TLS_accept: Failed in SSLv3 read client certificate A (48) eap_tls: ERROR: SSL says: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure (48) eap_tls: ERROR: SSL_read failed in a system call (-1), TLS session failed (48) eap_tls: ERROR: TLS receive handshake failed during operation
Does the iPad have the CA certificate installed? Does it have the *correct* CA certificate installed? If there are intermediates, is the whole *chain* installed? See https://www.mail-archive.com/search?l=freeradius-users@lists.freeradius.org&...
#2) Is there a way to get more information from radius? It's unclear whether Radius (a) received the client certificate but does not understand it, or (b) did not receive the client certificate at all
As per the above link, chances are that the iPad didn't understand the cert, didn't like it, or something else is wrong with it, and subsequently said "Thanks but no thanks." Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
On Mon, Jun 6, 2016 at 6:31 AM, Stefan Paetow <Stefan.Paetow@jisc.ac.uk> wrote:
Does the iPad have the CA certificate installed? Does it have the *correct* CA certificate installed? If there are intermediates, is the whole *chain* installed?
Yes, we just double-checked this. Still getting the same error. Here's a little more info from farther up in the logs. As you can see, it seems to do everything correctly up to the point where it requests the client certificate A: (299) eap: Calling submodule eap_tls to process data (299) eap_tls: Continuing EAP-TLS (299) eap_tls: Peer indicated complete TLS record size will be 142 bytes (299) eap_tls: Got complete TLS record (142 bytes) (299) eap_tls: [eaptls verify] = length included (299) eap_tls: (other): before/accept initialization (299) eap_tls: TLS_accept: before/accept initialization (299) eap_tls: <<< recv TLS 1.0 Handshake [length 0089], ClientHello (299) eap_tls: TLS_accept: SSLv3 read client hello A (299) eap_tls: >>> send TLS 1.0 Handshake [length 0059], ServerHello (299) eap_tls: TLS_accept: SSLv3 write server hello A (299) eap_tls: >>> send TLS 1.0 Handshake [length 08cd], Certificate (299) eap_tls: TLS_accept: SSLv3 write certificate A (299) eap_tls: >>> send TLS 1.0 Handshake [length 014b], ServerKeyExchange (299) eap_tls: TLS_accept: SSLv3 write key exchange A (299) eap_tls: >>> send TLS 1.0 Handshake [length 00b4], CertificateRequest (299) eap_tls: TLS_accept: SSLv3 write certificate request A (299) eap_tls: TLS_accept: SSLv3 flush data (299) eap_tls: TLS_accept: Need to read more data: SSLv3 read client certificate A (299) eap_tls: TLS_accept: Need to read more data: SSLv3 read client certificate A (299) eap_tls: In SSL Handshake Phase (299) eap_tls: In SSL Accept mode (299) eap_tls: [eaptls process] = handled (299) eap: Sending EAP Request (code 1) ID 4 length 1004 (299) eap: EAP session adding &reply:State = 0x41fc0bf743f80689 (299) [eap] = handled
See https://www.mail-archive.com/search?l=freeradius-users@lists.freeradius.org&...
#2) Is there a way to get more information from radius? It's unclear whether Radius (a) received the client certificate but does not understand it, or (b) did not receive the client certificate at all
As per the above link, chances are that the iPad didn't understand the cert, didn't like it, or something else is wrong with it, and subsequently said "Thanks but no thanks."
Stefan Paetow Moonshot Industry & Research Liaison Coordinator
t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet
jisc.ac.uk
Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- --- Michael Martinez http://www.michael--martinez.com
We really need to get this working. We're stumped on it. Anybody have any thoughts? -- --- Michael Martinez http://www.michael--martinez.com
On Jun 17, 2016, at 4:23 PM, Michael Martinez <mwtzzz@gmail.com> wrote:
We really need to get this working. We're stumped on it. Anybody have any thoughts?
http://lemonjar.com/iosconsole/ Look through the logs. See what the supplicant is doing. -Arran
On Fri, Jun 17, 2016 at 1:25 PM, Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
http://lemonjar.com/iosconsole/
Look through the logs.
See what the supplicant is doing.
Excellent suggestion. Thanks. On Fri, Jun 17, 2016 at 1:26 PM, Alan DeKok <aland@deployingradius.com> wrote:
Set disable_tlsv1_2 in the EAP module.
I'm not sure what that does, but I'll look into it. Thanks!
But realistically... see the client logs for why the client doesn't like the server.
Yes, I'm going to ask the IT guy to do this. thank you. On Fri, Jun 17, 2016 at 1:34 PM, Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
There are, fortunately, and iOS devices well even send them to you over syslog :)
Good to know. Thanks for the suggestions, guys. If we can get this working, then it wraps up this project. This is the final little piece.
On Jun 17, 2016, at 4:23 PM, Michael Martinez <mwtzzz@gmail.com> wrote:
We really need to get this working. We're stumped on it. Anybody have any thoughts?
Set disable_tlsv1_2 in the EAP module. But realistically... see the client logs for why the client doesn't like the server. Oh, there are no client logs? The people who sold you the client hate you. :( Alan DeKok.
On Jun 17, 2016, at 4:26 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Jun 17, 2016, at 4:23 PM, Michael Martinez <mwtzzz@gmail.com> wrote:
We really need to get this working. We're stumped on it. Anybody have any thoughts?
Set disable_tlsv1_2 in the EAP module.
But realistically... see the client logs for why the client doesn't like the server.
Oh, there are no client logs? The people who sold you the client hate you.
There are, fortunately, and iOS devices well even send them to you over syslog :) -Arran
On Fri, Jun 17, 2016 at 1:26 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Jun 17, 2016, at 4:23 PM, Michael Martinez <mwtzzz@gmail.com> wrote:
We really need to get this working. We're stumped on it. Anybody have any thoughts?
Set disable_tlsv1_2 in the EAP module.
Maybe slightly off-topic, but how do I find which ssl library my freeradius server is compiled with? I do: root@2-rpi:/usr/local/freeradius/etc/raddb# ldd /usr/local/freeradius/sbin/radiusd /usr/lib/arm-linux-gnueabihf/libcofi_rpi.so (0xb6f7e000) libfreeradius-server.so => /usr/local/freeradius/lib/libfreeradius-server.so (0xb6f4e000) .....<snip> But nothing about ssl libraries shows up there. I do: strings /usr/local/freeradius/sbin/radiusd | grep -iE "openssl.*1" and I see a lot of references to openssl 1.0.2.f: Diffie-Hellman part of OpenSSL 1.0.2f 28 Jan 2016 so, pretty clear it's compiled against 1.0.2.f. But out of curiosity is there a way to definitely find out? And, it seems "disable_tlsv1_2" was added as a way to get around some problems with older versions of openssl. But will it actually help in my case?
On 18 Jun 2016, at 14:00, Michael Martinez <mwtzzz@gmail.com> wrote:
On Fri, Jun 17, 2016 at 1:26 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Jun 17, 2016, at 4:23 PM, Michael Martinez <mwtzzz@gmail.com> wrote:
We really need to get this working. We're stumped on it. Anybody have any thoughts?
Set disable_tlsv1_2 in the EAP module.
Maybe slightly off-topic, but how do I find which ssl library my freeradius server is compiled with? I do: root@2-rpi:/usr/local/freeradius/etc/raddb# ldd /usr/local/freeradius/sbin/radiusd /usr/lib/arm-linux-gnueabihf/libcofi_rpi.so (0xb6f7e000) libfreeradius-server.so => /usr/local/freeradius/lib/libfreeradius-server.so (0xb6f4e000) .....<snip>
But nothing about ssl libraries shows up there.
libfreeradius-server.so links against libssl, radiusd and the utilities don't. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
On 18 Jun 2016, at 14:00, Michael Martinez <mwtzzz@gmail.com> wrote:
On Fri, Jun 17, 2016 at 1:26 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Jun 17, 2016, at 4:23 PM, Michael Martinez <mwtzzz@gmail.com> wrote:
We really need to get this working. We're stumped on it. Anybody have any thoughts?
Set disable_tlsv1_2 in the EAP module.
Maybe slightly off-topic, but how do I find which ssl library my freeradius server is compiled with? I do: root@2-rpi:/usr/local/freeradius/etc/raddb# ldd /usr/local/freeradius/sbin/radiusd /usr/lib/arm-linux-gnueabihf/libcofi_rpi.so (0xb6f7e000) libfreeradius-server.so => /usr/local/freeradius/lib/libfreeradius-server.so (0xb6f4e000) .....<snip>
But nothing about ssl libraries shows up there.
I do: strings /usr/local/freeradius/sbin/radiusd | grep -iE "openssl.*1" and I see a lot of references to openssl 1.0.2.f: Diffie-Hellman part of OpenSSL 1.0.2f 28 Jan 2016
so, pretty clear it's compiled against 1.0.2.f. But out of curiosity is there a way to definitely find out?
/usr/local/freeradius/sbin/radiusd -v Is more accurate than using ldd. It calls a version function in OpenSSL to get the version, it doesn't use compile time macros.
And, it seems "disable_tlsv1_2" was added as a way to get around some problems with older versions of openssl. But will it actually help in my case?
Probably not. But just in case the apple supplicant is broken its worth trying. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
On Sat, Jun 18, 2016 at 4:50 PM, Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
/usr/local/freeradius/sbin/radiusd -v
Is more accurate than using ldd. It calls a version function in OpenSSL to get the version, it doesn't use compile time macros.
Awesome, thanks. FYI, we were able to crack open the iPad logs, and found the following interesting entries: Jun 21 14:15:03 iPad eapolclient[178] <Error>: SecTrustEvaluate [leaf AnchorTrusted] Jun 21 14:15:03 iPad eapolclient[178] <Notice>: [eaptls_plugin.c:291] eaptls_verify_server(): server certificate not trusted status 1001 9807 Jun 21 14:15:03 iPad kernel[0] <Notice>: 000220.437816 wlan0.N[82] AppleBCMWLANCore::setCIPHER_KEY(): [eapolclient]: type = CIPHER_MSK, index = 0, flags = 0x0, key length = 0, key rsc length = 0 Jun 21 14:15:03 iPad eapolclient[178] <Notice>: en0 EAPTLS: authentication failed with status 1001 So, it appears we need to set the iPad to trust my self-signed server certificate, and then it should work.
Ok I may have spoken too soon. I just found this online: "Apparently starting with iOS 9.1, if the RADIUS cert does not contain the "Key Encipherment" flag, iOS will reject authentication with: Oct 1 11:27:29.752545 TiPadAir2 eapolclient[455]: [eaptls_plugin.c:292] eaptls_verify_server(): server certificate not trusted status 1001 -9807" I'm guessing this is probably what I need to do to get this to work. Anyone know what this "Key Encipherment" flag is, and how to include it in the Radius cert? On Wed, Jun 22, 2016 at 10:12 AM, Michael Martinez <mwtzzz@gmail.com> wrote:
On Sat, Jun 18, 2016 at 4:50 PM, Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
/usr/local/freeradius/sbin/radiusd -v
Is more accurate than using ldd. It calls a version function in OpenSSL to get the version, it doesn't use compile time macros.
Awesome, thanks.
FYI, we were able to crack open the iPad logs, and found the following interesting entries:
Jun 21 14:15:03 iPad eapolclient[178] <Error>: SecTrustEvaluate [leaf AnchorTrusted] Jun 21 14:15:03 iPad eapolclient[178] <Notice>: [eaptls_plugin.c:291] eaptls_verify_server(): server certificate not trusted status 1001 9807 Jun 21 14:15:03 iPad kernel[0] <Notice>: 000220.437816 wlan0.N[82] AppleBCMWLANCore::setCIPHER_KEY(): [eapolclient]: type = CIPHER_MSK, index = 0, flags = 0x0, key length = 0, key rsc length = 0 Jun 21 14:15:03 iPad eapolclient[178] <Notice>: en0 EAPTLS: authentication failed with status 1001
So, it appears we need to set the iPad to trust my self-signed server certificate, and then it should work.
-- --- Michael Martinez http://www.michael--martinez.com
On Jun 22, 2016, at 1:16 PM, Michael Martinez <mwtzzz@gmail.com> wrote:
Ok I may have spoken too soon. I just found this online: "Apparently starting with iOS 9.1, if the RADIUS cert does not contain the "Key Encipherment" flag, iOS will reject authentication with: Oct 1 11:27:29.752545 TiPadAir2 eapolclient[455]: [eaptls_plugin.c:292] eaptls_verify_server(): server certificate not trusted status 1001 -9807"
That's not *quite* what it says: http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/iOS-OSX-Secu... ... It turns out that if you use a ClearPass-signed RADIUS certificate and you do not specify https as the certificate type when you sign the CSR, ... I haven't seen any problems with iOS.
I'm guessing this is probably what I need to do to get this to work. Anyone know what this "Key Encipherment" flag is, and how to include it in the Radius cert?
My guess is that you created a server certifcate without the xpextensions file. i.e. printing a *good* certificate gets me: ... X509v3 extensions: X509v3 Extended Key Usage: TLS Web Server Authentication X509v3 CRL Distribution Points: URI:http://www.example.com/example_ca.crl ... Your server certificate is probably missing those extensions. Fix that, and you won't need the key usage flag. Alan DeKok.
On Wed, Jun 22, 2016 at 10:44 AM, Alan DeKok <aland@deployingradius.com> wrote:
On Jun 22, 2016, at 1:16 PM, Michael Martinez <mwtzzz@gmail.com> wrote: That's not *quite* what it says:
http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/iOS-OSX-Secu...
... It turns out that if you use a ClearPass-signed RADIUS certificate and you do not specify https as the certificate type when you sign the CSR, ...
I haven't seen any problems with iOS.
My guess is that you created a server certifcate without the xpextensions file. i.e. printing a *good* certificate gets me:
... X509v3 extensions: X509v3 Extended Key Usage: TLS Web Server Authentication X509v3 CRL Distribution Points: URI:http://www.example.com/example_ca.crl ...
Your server certificate is probably missing those extensions.
I'm using the Makefile which is included in the freeradius/examples/certs folder, and it already includes xpextensions. Here's what I see when I double-check my server.crt: X509v3 extensions: X509v3 Extended Key Usage: TLS Web Server Authentication X509v3 CRL Distribution Points: Full Name: URI:http://www.example.com/example_ca.crl Any other thoughts or suggestions?
On Jun 22, 2016, at 2:18 PM, Michael Martinez <mwtzzz@gmail.com> wrote:
I'm using the Makefile which is included in the freeradius/examples/certs folder, and it already includes xpextensions. Here's what I see when I double-check my server.crt:
Then I don't know. I use iOS devices every day with FreeRADIUS, and I've never seen that error. Alan DeKok.
On Wed, Jun 22, 2016 at 02:39:19PM -0400, Alan DeKok wrote:
Then I don't know. I use iOS devices every day with FreeRADIUS, and I've never seen that error.
Ditto. On Wed, Jun 22, 2016 at 10:12:28AM -0700, Michael Martinez wrote:
So, it appears we need to set the iPad to trust my self-signed server certificate, and then it should work.
This makes me wonder. Have you tried with a standard CAcert/Server Cert, rather than self-signed? Trust the CAcert on the device, not a self-signed server cert. Matthew -- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Hi,
I'm using the Makefile which is included in the freeradius/examples/certs folder, and it already includes xpextensions. Here's what I see when I double-check my server.crt:
what age/version of the server - the Makefiule has been changes a lot - we keep up with requirements..... its likely for example, that with old makefil you still have eg MD5 root CA or server cert - iOS 9 will *not* like that - use SHA-256 now - grab latest source code/Makefile.... we havent done anything special with our local CA and RADIUS server cert - iOS devices all fine. (how are you deploying config - getting the root CA onto the devices - a mobileconfig file? ) alan
Happy to report this issue was resolved by going onto the iPad and importing and trusting the radius server public cert. Nothing needed to be done on the server side. On Wed, Jun 22, 2016 at 1:44 PM, <A.L.M.Buxey@lboro.ac.uk> wrote:
Hi,
I'm using the Makefile which is included in the freeradius/examples/certs folder, and it already includes xpextensions. Here's what I see when I double-check my server.crt:
what age/version of the server - the Makefiule has been changes a lot - we keep up with requirements..... its likely for example, that with old makefil you still have eg MD5 root CA or server cert - iOS 9 will *not* like that - use SHA-256 now - grab latest source code/Makefile....
we havent done anything special with our local CA and RADIUS server cert - iOS devices all fine. (how are you deploying config - getting the root CA onto the devices - a mobileconfig file? )
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- --- Michael Martinez http://www.michael--martinez.com
participants (6)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Arran Cudbard-Bell -
Matthew Newton -
Michael Martinez -
Stefan Paetow