TLS Alert read:fatal:internal error
I've strange problem with freeradius. It was working as expected and suddenly stopped authenticate wpa2-eap users to active directory. I've recreated whole VM with freeradius server without success. Same credentials work for ikev2 mschapv2 authentication but not for wireless wpa2-eap (android and windows clients). Am I missing something? Below debug log with error: (9) eap: Expiring EAP session with state 0x977b062a947f1f7c (9) eap: Finished EAP session with state 0x977b062a947f1f7c (9) eap: Previous EAP request found for state 0x977b062a947f1f7c, released from the list (9) eap: Peer sent packet with method EAP PEAP (25) (9) eap: Calling submodule eap_peap to process data (9) eap_peap: Continuing EAP-TLS (9) eap_peap: Peer indicated complete TLS record size will be 7 bytes (9) eap_peap: Got complete TLS record (7 bytes) (9) eap_peap: [eaptls verify] = length included (9) eap_peap: <<< recv TLS 1.2 [length 0002] (9) eap_peap: ERROR: TLS Alert read:fatal:internal error (9) eap_peap: TLS_accept: Need to read more data: error (9) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error (9) eap_peap: TLS - In Handshake Phase (9) eap_peap: TLS - Application data. (9) eap_peap: ERROR: TLS failed during operation (9) eap_peap: ERROR: [eaptls process] = fail (9) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed (9) eap: Sending EAP Failure (code 4) ID 4 length 4 (9) eap: Failed in EAP select (9) [eap] = invalid (9) } # authenticate = invalid (9) Failed to authenticate the user (9) Using Post-Auth-Type Reject (9) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (9) Post-Auth-Type REJECT { (9) attr_filter.access_reject: EXPAND %{User-Name} (9) attr_filter.access_reject: --> some_domain\\some_user (9) attr_filter.access_reject: Matched entry DEFAULT at line 11 (9) [attr_filter.access_reject] = updated (9) [eap] = noop (9) policy remove_reply_message_if_eap { (9) if (&reply:EAP-Message && &reply:Reply-Message) { (9) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (9) else { (9) [noop] = noop (9) } # else = noop (9) } # policy remove_reply_message_if_eap = noop (9) } # Post-Auth-Type REJECT = updated
On May 27, 2021, at 1:06 PM, Piotr Rudzki <ryba.lodz@gmail.com> wrote:
I've strange problem with freeradius. It was working as expected and suddenly stopped authenticate wpa2-eap users to active directory.
I've recreated whole VM with freeradius server without success.
Same credentials work for ikev2 mschapv2 authentication but not for wireless wpa2-eap (android and windows clients). Am I missing something? ... (9) eap_peap: <<< recv TLS 1.2 [length 0002] (9) eap_peap: ERROR: TLS Alert read:fatal:internal error (9) eap_peap: TLS_accept: Need to read more data: error (9) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
Try 3.0.22. It has much better error messages for TLS. But the errors are in the TLS layer. i.e. OpenSSL. It's very difficult for us to know what to do here. Alan DeKok.
I've managed to resolve problem. Client device to verify certificate needs domain listed in the server's certificate CN or SAN, but I've got only server's FQDN in CN and IP in SAN. When I pass FQDN as domain it work's as expected. czw., 27 maj 2021 o 21:18 Alan DeKok <aland@deployingradius.com> napisaĆ(a):
On May 27, 2021, at 1:06 PM, Piotr Rudzki <ryba.lodz@gmail.com> wrote:
I've strange problem with freeradius. It was working as expected and suddenly stopped authenticate wpa2-eap users to active directory.
I've recreated whole VM with freeradius server without success.
Same credentials work for ikev2 mschapv2 authentication but not for wireless wpa2-eap (android and windows clients). Am I missing something? ... (9) eap_peap: <<< recv TLS 1.2 [length 0002] (9) eap_peap: ERROR: TLS Alert read:fatal:internal error (9) eap_peap: TLS_accept: Need to read more data: error (9) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read):
error:14094438:SSL
routines:ssl3_read_bytes:tlsv1 alert internal error
Try 3.0.22. It has much better error messages for TLS.
But the errors are in the TLS layer. i.e. OpenSSL. It's very difficult for us to know what to do here.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On May 30, 2021, at 7:21 AM, Piotr Rudzki <ryba.lodz@gmail.com> wrote:
I've managed to resolve problem. Client device to verify certificate needs domain listed in the server's certificate CN or SAN, but I've got only server's FQDN in CN and IP in SAN. When I pass FQDN as domain it work's as expected.
Ah, OK. I suspect that the "internal" error is that you're running an older version of FreeRADIUS, which doesn't understand all of the newer OpenSSL errors. It should be better with 3.0.22. Alan DeKok.
participants (2)
-
Alan DeKok -
Piotr Rudzki