o.k back to 3.0 [Sorry Alan B, finger trouble sent the partial message before] I'm using a local CA authority with appropriate root and intermediate certs Root Cert is *Certificate Information:**Common Name:* University of York Root CA I *Organization:* University of York*Organization Unit:* IT Services *Locality:* York*State:* North Yorkshire*Country:* GB*Valid From:* September 13, 2015*Valid To:* October 13, 2035*Issuer:* University of York Root CA I, University of York*Serial Number:* ..... Intermediate Cert is *Certificate Information:**Common Name:* University of York Intermediate CA I*Organization:* University of York*Organization Unit:* IT Services *Locality:* York*State:* North Yorkshire*Country:* GB*Valid From:* September 13, 2015*Valid To:* October 13, 2035*Issuer:* University of York Root CA I, University of York*Serial Number:* .... and the cert is *Certificate Information:**Common Name:* radsec.york.ac.uk*Organization:* University of York*Organization Unit:* IT Services*Locality:* York*State:* North Yorkshire*Country:* GB*Valid From:* November 10, 2015*Valid To:* December 6, 2017*Issuer:* University of York Intermediate CA I, University of York*Serial Number:* ..... Sending server In /etc/freeradius/sites-enabled/tls I have home_server prodn2.sharaz.info { ipv6addr = 2a03:b0c0:1:a1::a9f:8001 port = 2083 type = auth secret = radsec proto = tcp status_check = none tls { certdir = ${confdir}/certs/UoY/radsec-certs private_key_password = "< secret key>" private_key_file = ${certdir}/radsecyorkacuk.key # If ca_file (below) is not used, then the # certificate_file below MUST include not # only the server certificate, but ALSO all # of the CA certificates used to sign the # server certificate. certificate_file = ${certdir}/certAndCAs.pem # Trusted Root CA list # # ALL of the CA's in this list will be trusted # to issue client certificates for authentication. # # In general, you should use self-signed # certificates for 802.1x (EAP) authentication. # In that case, this CA file should contain # *one* CA certificate # ca_file = ......... dh_file = ${confdir}/certs/dh random_file = /dev/urandom fragment_size = 1024 include_length = yes cipher_list = "DEFAULT" } } On the receiving server in /etc/freeradius/sites-enabled/tls I've got listen { ipv6addr = * port = 2083 # # TCP and TLS sockets can accept Access-Request and # Accounting-Request on the same socket. # # auth = only Access-Request # acct = only Accounting-Request # auth+acct = both # type = auth+acct # For now, only TCP transport is allowed. proto = tcp # Send packets to the default virtual server virtual_server = eduroam clients = radsec ..... tls { private_key_password = "A key" private_key_file = ${certdir}/UoY/radsec-certs/radsecyorkacuk.key # If Private key & Certificate are located in # the same file, then private_key_file & # certificate_file must contain the same file # name. # # If ca_file (below) is not used, then the # certificate_file below MUST include not # only the server certificate, but ALSO all # of the CA certificates used to sign the # server certificate. # File contents = cp cert.pem certAndCAs.peml;cat radsecIntermediateCA.pem>>certAndCAs.pem; # cat radsecRootCA>>certAndCAs.pem certificate_file = ${certdir}/UoY/radsec-certs/certAndCAs.pem # Trusted Root CA list # # ALL of the CA's in this list will be trusted # to issue client certificates for authentication. # # In general, you should use self-signed # certificates for 802.1x (EAP) authentication. # In that case, this CA file should contain # *one* CA certificate. # # This parameter is used only for EAP-TLS, # when you issue client certificates. If you do # not use client certificates, and you do not want # to permit EAP-TLS authentication, then delete # this configuration item. #ca_file = ${cadir}/UoY/radsec-certs/radsecRoot.pem dh_file = ${certdir}/dh fragment_size = 8192 cipher_list = "DEFAULT" cache { lifetime = 24 } require_client_cert = yes } } clients radsec { client dn0.sharaz.info { ipv6addr = 2a01:348:6:59d::2 proto = tls secret = radsec } ..... When I run eapol_test , on the receiving server I get Fri Dec 9 10:49:55 2016 : Debug: ... new connection request on TCP socket Fri Dec 9 10:49:55 2016 : Debug: Listening on auth+acct from client (2a01:348:6:59d::2, 60616) -> (::, 2083, virtual-server=eduroam) Fri Dec 9 10:49:55 2016 : Debug: Waking up in 0.4 seconds. Fri Dec 9 10:49:55 2016 : Debug: (0) Initiating new EAP-TLS session Fri Dec 9 10:49:55 2016 : Debug: (0) Setting verify mode to require certificate from client Fri Dec 9 10:49:55 2016 : Debug: (0) Reading from socket 18 READ FROM SSL 291 00: 16 03 01 01 1e 01 00 01 1a 03 03 28 e9 b0 c4 4e ..... Fri Dec 9 10:49:55 2016 : Debug: (0) (other): before/accept initialization Fri Dec 9 10:49:55 2016 : Debug: (0) TLS_accept: before/accept initialization Fri Dec 9 10:49:55 2016 : Debug: Ignoring cbtls_msg call with pseudo content type 256, version 0 Fri Dec 9 10:49:55 2016 : Debug: (0) <<< recv TLS 1.2 [length 011e] Fri Dec 9 10:49:55 2016 : Debug: (0) TLS_accept: unknown state Fri Dec 9 10:49:55 2016 : Debug: Ignoring cbtls_msg call with pseudo content type 256, version 0 Fri Dec 9 10:49:55 2016 : Debug: (0) >>> send TLS 1.2 [length 003e] Fri Dec 9 10:49:55 2016 : Debug: (0) TLS_accept: unknown state Fri Dec 9 10:49:55 2016 : Debug: Ignoring cbtls_msg call with pseudo content type 256, version 0 Fri Dec 9 10:49:55 2016 : Debug: (0) >>> send TLS 1.2 [length 0fb3] Fri Dec 9 10:49:55 2016 : Debug: (0) TLS_accept: unknown state Fri Dec 9 10:49:55 2016 : Debug: Ignoring cbtls_msg call with pseudo content type 256, version 0 Fri Dec 9 10:49:55 2016 : Debug: (0) >>> send TLS 1.2 [length 014d] Fri Dec 9 10:49:55 2016 : Debug: (0) TLS_accept: unknown state Fri Dec 9 10:49:55 2016 : Debug: Ignoring cbtls_msg call with pseudo content type 256, version 0 Fri Dec 9 10:49:55 2016 : Debug: (0) >>> send TLS 1.2 [length 002e] Fri Dec 9 10:49:55 2016 : Debug: (0) TLS_accept: unknown state Fri Dec 9 10:49:55 2016 : Debug: (0) TLS_accept: unknown state Fri Dec 9 10:49:55 2016 : Debug: (0) TLS_accept: Need to read more data: unknown state Fri Dec 9 10:49:55 2016 : Debug: (0) TLS_accept: Need to read more data: unknown state Fri Dec 9 10:49:55 2016 : Debug: (0) In SSL Handshake Phase Fri Dec 9 10:49:55 2016 : Debug: (0) In SSL Accept mode Fri Dec 9 10:49:55 2016 : Debug: (0) Writing to socket 18 Fri Dec 9 10:49:55 2016 : Debug: Waking up in 0.4 seconds. READ FROM SSL 7 00: 15 03 03 00 02 02 30 Fri Dec 9 10:49:55 2016 : Debug: Ignoring cbtls_msg call with pseudo content type 256, version 0 Fri Dec 9 10:49:55 2016 : Debug: (0) <<< recv TLS 1.2 [length 0002] Fri Dec 9 10:49:55 2016 : ERROR: (0) TLS Alert read:fatal:unknown CA Fri Dec 9 10:49:55 2016 : ERROR: (0) TLS_accept: Failed in unknown state Fri Dec 9 10:49:55 2016 : ERROR: (0) Failed in __FUNCTION__ (SSL_read) Fri Dec 9 10:49:55 2016 : ERROR: (0) s3_pkt.c[1472]:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca Fri Dec 9 10:49:55 2016 : ERROR: (0) s3_pkt.c[1210]:error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure Fri Dec 9 10:49:55 2016 : ERROR: (0) System call (I/O) error (-1) Fri Dec 9 10:49:55 2016 : Debug: (0) FAILED in TLS handshake receive Fri Dec 9 10:49:55 2016 : Debug: Closing TLS socket from client port 60616 Fri Dec 9 10:49:55 2016 : Debug: Client has closed connection Fri Dec 9 10:49:55 2016 : Info: ... shutting down socket auth+acct from client (2a01:348:6:59d::2, 60616) -> (::, 2083, virtual-server=eduroam) Fri Dec 9 10:49:55 2016 : Debug: Waking up in 2.9 seconds. On the sending server it says Fri Dec 9 10:49:55 2016 : Debug: (4) proxy: Trying to allocate ID (0/2) Fri Dec 9 10:49:55 2016 : Debug: (4) proxy: Trying to open a new listener to the home server Fri Dec 9 10:49:55 2016 : Debug: Trying SSL to port 2083 Fri Dec 9 10:49:55 2016 : Debug: Requiring Server certificate Fri Dec 9 10:49:55 2016 : Debug: (0) (other): before/connect initialization Fri Dec 9 10:49:55 2016 : Debug: (0) TLS_connect: before/connect initialization Fri Dec 9 10:49:55 2016 : Debug: (0) >>> send TLS 1.2 [length 011e] Fri Dec 9 10:49:55 2016 : Debug: (0) TLS_connect: unknown state Fri Dec 9 10:49:55 2016 : Debug: (0) <<< recv TLS 1.2 [length 003e] Fri Dec 9 10:49:55 2016 : Debug: (0) TLS_connect: SSLv3 read server hello A Fri Dec 9 10:49:55 2016 : Debug: (0) <<< recv TLS 1.2 [length 0fb3] Fri Dec 9 10:49:55 2016 : Debug: (0) Creating attributes from certificate OIDs Fri Dec 9 10:49:55 2016 : ERROR: (0) SSL says error 19 : self signed certificate in certificate chain Fri Dec 9 10:49:55 2016 : Debug: (0) >>> send TLS 1.2 [length 0002] Fri Dec 9 10:49:55 2016 : ERROR: (0) TLS Alert write:fatal:unknown CA Fri Dec 9 10:49:55 2016 : Error: tls: TLS_connect: Error in SSLv3 read server certificate B Fri Dec 9 10:49:55 2016 : Error: tls: TLS_connect: Error in SSLv3 read server certificate B Fri Dec 9 10:49:55 2016 : Error: tls: Failed in __FUNCTION__ (SSL_connect): s3_clnt.c[1186]:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed Fri Dec 9 10:49:55 2016 : Error: tls: System call (I/O) error (-1) Fri Dec 9 10:49:55 2016 : Error: Failed starting SSL to new proxy socket 'proxy (::, 0) -> home_server (2a03:b0c0:1:a1::a9f:8001, 2083)' Fri Dec 9 10:49:55 2016 : Proxy: (4) Failed to insert request into the proxy list
On Dec 9, 2016, at 6:10 AM, Alex Sharaz <alex.sharaz@york.ac.uk> wrote:
o.k back to 3.0\ Fri Dec 9 10:49:55 2016 : Debug: (0) <<< recv TLS 1.2 [length 0002] Fri Dec 9 10:49:55 2016 : ERROR: (0) TLS Alert read:fatal:unknown CA
That seems important.
Fri Dec 9 10:49:55 2016 : Debug: (0) Creating attributes from certificate OIDs Fri Dec 9 10:49:55 2016 : ERROR: (0) SSL says error 19 : self signed certificate in certificate chain Fri Dec 9 10:49:55 2016 : Debug: (0) >>> send TLS 1.2 [length 0002] Fri Dec 9 10:49:55 2016 : ERROR: (0) TLS Alert write:fatal:unknown CA
And that seems important. Your certificates aren't configured correctly. Alan DeKok.
That's what I thought as well. Configured 1 file with cert + intermediate CA + root ca in that order, using it at each end A On 9 December 2016 at 15:18, Alan DeKok <aland@deployingradius.com> wrote:
On Dec 9, 2016, at 6:10 AM, Alex Sharaz <alex.sharaz@york.ac.uk> wrote:
o.k back to 3.0\ Fri Dec 9 10:49:55 2016 : Debug: (0) <<< recv TLS 1.2 [length 0002] Fri Dec 9 10:49:55 2016 : ERROR: (0) TLS Alert read:fatal:unknown CA
That seems important.
Fri Dec 9 10:49:55 2016 : Debug: (0) Creating attributes from certificate OIDs Fri Dec 9 10:49:55 2016 : ERROR: (0) SSL says error 19 : self signed certificate in certificate chain Fri Dec 9 10:49:55 2016 : Debug: (0) >>> send TLS 1.2 [length 0002] Fri Dec 9 10:49:55 2016 : ERROR: (0) TLS Alert write:fatal:unknown CA
And that seems important.
Your certificates aren't configured correctly.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
As you said, must be something to do with how certs configured ... can't see it yet though On 9 December 2016 at 15:46, Alex Sharaz <alex.sharaz@york.ac.uk> wrote:
That's what I thought as well. Configured 1 file with cert + intermediate CA + root ca in that order, using it at each end A
On 9 December 2016 at 15:18, Alan DeKok <aland@deployingradius.com> wrote:
On Dec 9, 2016, at 6:10 AM, Alex Sharaz <alex.sharaz@york.ac.uk> wrote:
o.k back to 3.0\ Fri Dec 9 10:49:55 2016 : Debug: (0) <<< recv TLS 1.2 [length 0002] Fri Dec 9 10:49:55 2016 : ERROR: (0) TLS Alert read:fatal:unknown CA
That seems important.
Fri Dec 9 10:49:55 2016 : Debug: (0) Creating attributes from certificate OIDs Fri Dec 9 10:49:55 2016 : ERROR: (0) SSL says error 19 : self signed certificate in certificate chain Fri Dec 9 10:49:55 2016 : Debug: (0) >>> send TLS 1.2 [length 0002] Fri Dec 9 10:49:55 2016 : ERROR: (0) TLS Alert write:fatal:unknown CA
And that seems important.
Your certificates aren't configured correctly.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list /users.html
participants (2)
-
Alan DeKok -
Alex Sharaz