Hi, I'm using freeradius for EAP-TLS authentication with my WPA NAS, with MS-CHAPv2 for ppp auth (in a L2TP/IPSEC VPN) and for a while for EAP-TLS for ppp auth (about half a year ago). However, without me consciously changing anything in my setup (running Debian Squeeze, connecting clients run MS Windows Vista), EAP-TLS for ppp auth no longer works since I've tested it again recently. I now get the following error in my radius log on an auth attempt: Error: TLS Alert write:fatal:decrypt error Error: TLS_accept: failed in SSLv3 read certificate verify B Error: rlm_eap: SSL error error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01 Error: SSL: SSL_read failed inside of TLS (-1), TLS session fails. Now there's several issues: - I don't know what I changed which caused this behaviour (maybe an openssl update in Squeeze? Something changes in Windows Vista?) - the client certificates are valid (tested with openssl cli), and work fine when using for WPA auth - I don't really know what this error means - I can't find a solution for it. I've tried: 2048 bit (vs. 4096 bit) RSA certs and the extensions for XP for both the server and client certs Again, the same certificates work fine for WPA auth I hope someone can shed some light onto this issue, or how to pin down the exact cause of the 'rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01' error. Regards, Frank
Frank wrote:
I now get the following error in my radius log on an auth attempt:
Error: TLS Alert write:fatal:decrypt error Error: TLS_accept: failed in SSLv3 read certificate verify B Error: rlm_eap: SSL error error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01 Error: SSL: SSL_read failed inside of TLS (-1), TLS session fails.
The client is broken.
Now there's several issues: - I don't know what I changed which caused this behaviour (maybe an openssl update in Squeeze? Something changes in Windows Vista?)
No.
- the client certificates are valid (tested with openssl cli), and work fine when using for WPA auth - I don't really know what this error means - I can't find a solution for it. I've tried: 2048 bit (vs. 4096 bit) RSA certs and the extensions for XP for both the server and client certs
Again, the same certificates work fine for WPA auth
Which doesn't use certificates.
I hope someone can shed some light onto this issue, or how to pin down the exact cause of the 'rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01' error.
Find out which client it is. Mac? Windows? Alan DeKok.
participants (2)
-
Alan DeKok -
Frank