Problem with EAP-TLS and certificate
Hi, I am a newbie to Freeradius and I am having a real hard time to implement EAP-TLS using self-signed certificate. My certificate seems valid: Server Certificate [root@localhost CA]# openssl verify -CAfile /etc/pki/CA/cacert.pem xplab.pem xplab.pem: OK Client certificate [root@localhost CA]# openssl verify -CAfile /etc/pki/CA/cacert.pem bob.pem bob.pem: OK When I run [root@localhost CA]# eapol_test -c /opt/EAP-RADIUS/eap-tls.conf -s testing123, I have the following results: EAPOL: Successfully fetched key (len=32) PMK from EAPOL - hexdump(len=32): cf cd 8c f0 17 49 11 13 d6 7d fe cb b1 65 00 1d 85 c2 ef a5 33 35 78 00 b8 a1 0a 9d 02 4b 06 45 EAP: deinitialize previously used EAP method (13, TLS) at EAP deinit ENGINE: engine deinit MPPE keys OK: 1 mismatch: 0 SUCCESS using the following eap-tls.conf # eapol_test -c eap-tls.conf -s testing123 # network={ key_mgmt=IEEE8021X eap=TLS eapol_flags=0 eap_workaround=0 identity="bob" ca_cert="/etc/pki/CA/cacert.pem" client_cert="/etc/pki/CA/bob.der" private_key="/etc/pki/CA/bob.key" private_key_passwd="abc123" # # Uncomment the following to perform server certificate validation. ca_cert="/etc/pki/CA/cacert.pem" } My problem is the following error message when running eapol_test TLS: Trusted root certificate(s) loaded OpenSSL: SSL_use_certificate_file (DER) --> OK OpenSSL: tls_connection_private_key - SSL_use_PrivateKey_File (DER) failed error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag OpenSSL: pending error: error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error OpenSSL: pending error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag OpenSSL: pending error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error OpenSSL: pending error: error:04093004:rsa routines:OLD_RSA_PRIV_DECODE:RSA lib OpenSSL: pending error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag OpenSSL: pending error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error OpenSSL: pending error: error:140CB00D:SSL routines:SSL_use_PrivateKey_file:ASN1 lib OpenSSL: SSL_use_PrivateKey_File (PEM) --> OK SSL: Private key loaded successfully CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected I would like to know if this means that my certificates are not valid even if the eapol_test seems successful. I was not able to find any information on the meaning of these messages. These messages are similar to what I have when I run the wpa_supplicant from my client machine. Since I am not able to authenticate from wpa_supplicant (failed to private key), I think that it might be possible that the certificate are wrong. wpa_supplicant.conf ap_scan=0 network={ key_mgmt=WPA-EAP eap=TLS identity="bob" ca_cert="/etc/ssl/demoCA/cacert.pem" client_cert="/etc/ssl/demoCA/certs/bob.pem" private_key="/etc/ssl/demoCA/private/bob.key" private_key_passwd="abc123" eapol_flags=0 } wpa_supplicant -c /etc/wpa_supplicant.conf -D wired -i br0 CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13 OpenSSL: pending error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error OpenSSL: pending error: error:140C800D:SSL routines:SSL_use_certificate_file:ASN1 lib OpenSSL: pending error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag OpenSSL: pending error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error OpenSSL: pending error: error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib OpenSSL: pending error: error:140CB00D:SSL routines:SSL_use_PrivateKey_file:ASN1 lib OpenSSL: pending error: error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error OpenSSL: pending error: error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error OpenSSL: pending error: error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib OpenSSL: pending error: error:140CB009:SSL routines:SSL_use_PrivateKey_file:PEM lib OpenSSL: tls_read_pkcs12 - Failed to use PKCS#12 file error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag OpenSSL: pending error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error OpenSSL: Failed to load private key Thanks for your help Stephane
Stephane Brodeur wrote:
I am a newbie to Freeradius and I am having a real hard time to implement EAP-TLS using self-signed certificate.
Why? The server comes with scripts that create self-signed certs. See raddb/certs. If you search google for "freeradius eap-tls howto", the first link is this: http://freeradius.org/doc/EAPTLS.pdf
[root@localhost CA]# eapol_test -c /opt/EAP-RADIUS/eap-tls.conf -s testing123, I have the following results:
Ask the wpa_supplicant people how their software works. This is the *freeradius* list.
My problem is the following error message when running eapol_test
TLS: Trusted root certificate(s) loaded OpenSSL: SSL_use_certificate_file (DER) --> OK OpenSSL: tls_connection_private_key - SSL_use_PrivateKey_File (DER) failed error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag OpenSSL: pending error: error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error OpenSSL: pending error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
Well... the certificate is wrong. If you had use the generation scripts in raddb/certs, you wouldn't have this problem. See also http://deployingradius.com/, which contains *detailed* instructions for getting EAP to work. Alan DeKok.
On Sun, Jun 17, 2012 at 11:07:31PM -0400, Stephane Brodeur wrote:
My problem is the following error message when running eapol_test
TLS: Trusted root certificate(s) loaded OpenSSL: SSL_use_certificate_file (DER) --> OK OpenSSL: tls_connection_private_key - SSL_use_PrivateKey_File (DER) failed error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag OpenSSL: pending error: error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error OpenSSL: pending error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag OpenSSL: pending error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error OpenSSL: pending error: error:04093004:rsa routines:OLD_RSA_PRIV_DECODE:RSA lib OpenSSL: pending error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag OpenSSL: pending error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error OpenSSL: pending error: error:140CB00D:SSL routines:SSL_use_PrivateKey_file:ASN1 lib OpenSSL: SSL_use_PrivateKey_File (PEM) --> OK SSL: Private key loaded successfully CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
I think this is just OpenSSL trying to read the private key file in DER format, failing, and then trying again in PEM format and succeeding. I get very similar with the example certificates generated with v2.1.12 as they are all in PEM format - it tries DER first and fails.
OpenSSL: pending error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error OpenSSL: pending error: error:140C800D:SSL routines:SSL_use_certificate_file:ASN1 lib OpenSSL: pending error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag OpenSSL: pending error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error OpenSSL: pending error: error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib OpenSSL: pending error: error:140CB00D:SSL routines:SSL_use_PrivateKey_file:ASN1 lib OpenSSL: pending error: error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error OpenSSL: pending error: error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error OpenSSL: pending error: error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib OpenSSL: pending error: error:140CB009:SSL routines:SSL_use_PrivateKey_file:PEM lib OpenSSL: tls_read_pkcs12 - Failed to use PKCS#12 file error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag OpenSSL: pending error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error OpenSSL: Failed to load private key
At a complete guess, that looks like it's trying to load the private key in every format it can, but failing to understand any of them. There's generally not a problem with FreeRADIUS and wpa_supplicant (or eapol_test), so check your certificates. Cheers, Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
participants (3)
-
Alan DeKok -
Matthew Newton -
Stephane Brodeur