Hello I have SLES 11 SP1(64bit), freeradius 2.1.12 and openssl 0.9.8r. I set up authentication with EAP/TLS. Server and client certificates are valid until 3011 year. Here they are: Certificate Details: Serial Number: 1 (0x1) Validity Not Before: Dec 5 07:05:02 2011 GMT Not After : Apr 7 07:05:02 3011 GMT Subject: countryName = AU stateOrProvinceName = Some-State organizationName = Internet Widgits Pty Ltd commonName = Root X509v3 extensions: X509v3 Extended Key Usage: TLS Web Server Authentication Certificate is to be certified until Apr 7 07:05:02 3011 GMT (365000 days) Certificate Details: Serial Number: 2 (0x2) Validity Not Before: Dec 5 07:06:57 2011 GMT Not After : Apr 7 07:06:57 3011 GMT Subject: countryName = AU stateOrProvinceName = Some-State organizationName = Internet Widgits Pty Ltd commonName = testuser X509v3 extensions: X509v3 Extended Key Usage: TLS Web Client Authentication Certificate is to be certified until Apr 7 07:06:57 3011 GMT (365000 days) Now client like authentication is successful. About this show freeradius: Login OK: [host/testuser] (from client private-network port 33566721 cli 0022-15ef-ab87) # Executing section post-auth from file /etc/raddb/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 67 to 10.2.2.240 port 5002 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "3" MS-MPPE-Recv-Key = 0xca7449798f0f957fe8e03542d1b9a5ef6291756644f4e392a60f078a3c858cba MS-MPPE-Send-Key = 0xcfffb577e162ba2111b253f1f969e46e39521626f4669704e367502640f368a7 EAP-Message = 0x03050004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "host/testuser" Finished request 3. After that, I wanted to check as to be the case in 2050, as we recall certificates are valid until 3011. Set the time on the server freeradius August 1, 2050 (01/08/2050) and the same thing on a client running on Windows XP SP3. Authentication fails (slightly below records cite the radius). I have a question for all who can help, this is the mistake of freeradius, which can not correctly identify the validity of the certificate. Or somewhere I made a mistake when setting up. Maybe this one is already experienced. I'll be glad for your help. test#radiusd -X .................. rad_recv: Access-Request packet from host 10.2.2.240 port 5002, id=68, length=221 User-Name = "host/testuser" EAP-Message = 0x0202001201686f73742f7465737475736572 Message-Authenticator = 0xe394bda2df7b6ff808bd0079cb5620cd NAS-IP-Address = 10.2.2.240 NAS-Identifier = "001ac1d4d442" NAS-Port = 33566721 NAS-Port-Id = "unit=2;subslot=0;port=3;vlanid=1" NAS-Port-Type = Ethernet Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = "0022-15ef-ab87" H3C-Connect_Id = 18 H3C-Product-ID = "5500-EI" H3C-Ip-Host-Addr = "0.0.0.0 00:22:15:ef:ab:87" H3C-NAS-Startup-Timestamp = 954640520 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "host/testuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 18 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry DEFAULT at line 152 [files] users: Matched entry host/testuser at line 234 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Requiring client certificate [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 68 to 10.2.2.240 port 5002 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "3" EAP-Message = 0x010300060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x905a520890595f1e7244e69c58c3b630 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.2.2.240 port 5002, id=69, length=301 User-Name = "host/testuser" EAP-Message = 0x020300500d800000004616030100410100003d030198387b2b15bc66925793a2b08aec38827730edb90a98238b1f8967ad5b0e5a3000001600040005000a000900640062000300060013001200630100 Message-Authenticator = 0x57f352efbff4566bed7422e481a95c1e NAS-IP-Address = 10.2.2.240 NAS-Identifier = "001ac1d4d442" NAS-Port = 33566721 NAS-Port-Id = "unit=2;subslot=0;port=3;vlanid=1" NAS-Port-Type = Ethernet Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = "0022-15ef-ab87" State = 0x905a520890595f1e7244e69c58c3b630 H3C-Connect_Id = 18 H3C-Product-ID = "5500-EI" H3C-Ip-Host-Addr = "0.0.0.0 00:22:15:ef:ab:87" H3C-NAS-Startup-Timestamp = 954640520 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "host/testuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 80 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry DEFAULT at line 152 [files] users: Matched entry host/testuser at line 234 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS TLS Length 70 [tls] Length Included [tls] eaptls_verify returned 11 [tls] (other): before/accept initialization [tls] TLS_accept: before/accept initialization [tls] <<< TLS 1.0 Handshake [length 0041], ClientHello [tls] TLS_accept: SSLv3 read client hello A [tls] >>> TLS 1.0 Handshake [length 002a], ServerHello [tls] TLS_accept: SSLv3 write server hello A [tls] >>> TLS 1.0 Handshake [length 0245], Certificate [tls] TLS_accept: SSLv3 write certificate A [tls] >>> TLS 1.0 Handshake [length 0066], CertificateRequest [tls] TLS_accept: SSLv3 write certificate request A [tls] TLS_accept: SSLv3 flush data [tls] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 69 to 10.2.2.240 port 5002 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "3" EAP-Message = 0x010402ee0d80000002e4160301002a02000026030198387b5ccef9ea8b00a2b87027963d9f59eccbf3df96bfb208b4fb2072f06cd10000040016030102450b00024100023e00023b30820237308201a0a003020102020101300d06092a864886f70d01010505003054310b3009060355040613024155311330110603550408130a536f6d652d53746174653121301f060355040a1318496e7465726e6574205769646769747320507479204c7464310d300b06035504031304526f6f743020170d3131313230353037303530325a180f33303131303430373037303530325a3054310b3009060355040613024155311330110603550408130a536f6d65 EAP-Message = 0x2d53746174653121301f060355040a1318496e7465726e6574205769646769747320507479204c7464310d300b06035504031304526f6f7430819f300d06092a864886f70d010101050003818d0030818902818100e3bd7f6d0226d923d61f85542cd081e2a78a647855b252a3796b624daf45cc8e7d2ce664942d507fdd60bb8bfcf4b439122a7cf5607957e25439b3df92a56bbab3f6ead61042869e1beee05acfc3a5b338e5cc847ce2e4c09d3b8122569bbdbb93939502bbd9c7fc8efe1af165aaca423562729433f8c94466df2742c6dcc56d0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d EAP-Message = 0x010105050003818100ae145995a7db51de5488b35bb51c8cd9cb38be974572fb10989e2bfd5e8d2bcb1fac78a393e2b1afcb23a7436194078d4c246ae4c2f2823a2cfb586dbb1ba181887761f3eb2e4ee93fda19ed3b461af1f1dd49040462f574913234446b52d926f9680dca83626fc6deb048ce1d8cd1ef09b6cf42464bfc2dda2534ded1aec5ae16030100660d00005e03010240005800563054310b3009060355040613024155311330110603550408130a536f6d652d53746174653121301f060355040a1318496e7465726e6574205769646769747320507479204c7464310d300b06035504031304526f6f740e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x905a5208915e5f1e7244e69c58c3b630 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.2.2.240 port 5002, id=70, length=1138 User-Name = "host/testuser" EAP-Message = 0x0204038f0d800000038516030103550b00024500024200023f3082023b308201a4a003020102020102300d06092a864886f70d01010505003054310b3009060355040613024155311330110603550408130a536f6d652d53746174653121301f060355040a1318496e7465726e6574205769646769747320507479204c7464310d300b06035504031304526f6f743020170d3131313230353037303635375a180f33303131303430373037303635375a3058310b3009060355040613024155311330110603550408130a536f6d652d53746174653121301f060355040a1318496e7465726e6574205769646769747320507479204c74643111300f0603 EAP-Message = 0x5504031308746573747573657230819f300d06092a864886f70d010101050003818d0030818902818100e4991040e15c9024ae083463fd6e2d09f46ca74e3cbeadd978f2e41ddb724e19ad31a9992e8da760d4892efaf9aeeff0c3331935020138485f7d48e625c4e57e55de639f131144c4e57fa7392f963ac719cf79d8dec0aa13254a8593022cb0004e58377ac8e2deaeb543b412a4ec96f955a30efab73e08cb7a825c9a6ec871af0203010001a317301530130603551d25040c300a06082b06010505070302300d06092a864886f70d01010505000381810057827d8957a1782f450852803827b2e739cf5d7f85aac9a851467b4f8f2e2925c80d EAP-Message = 0xe075839d54a9b794e8a57a46750d932ae08a9c5b459d612dbd3153917da9f59dd493035382d696b1ecdcf1d867b55bdead570bd2417bd73c9c25b97d059c0579010da85edea51153830e4f4ce739ad361840198a7fefb1a68f328760ae561000008200807e2f5d813d13b4d0b4a37a400aa4047bd80f48b2239421304e8e87ddd9f1e8346ce680c7d965d83b6b11dcd1d6630ef0558f98c7323fe944aa024b8a51bd3ee5d376abb52df677e950eac9264435d027cc10e852107936a47fa622da0dfd575fcc48d095a931b544e6a9807dbfea859060cf28aa77eee6b66f20f94b9f183b620f00008200801f56d252999ca4dace4dd3653ab3ba1d2b232a EAP-Message = 0x126b781576b298652220ea7135e389b908c5e792fc316c3932836c317527278ba5682d5f22b86671f4bec52015f513402f6dfe9c371dbc245b8a563c87b1a3ea5589ecd20814e4e8aeee29c6832ebad011afc6040b85e4e2ec2b2ece9acdefa78e9f3c533f9ad13f104a7d5fa81403010001011603010020484dad944f3d7e14256da2f4be5641b0e3e094b3bbd20f973f13f4c081a6fddb Message-Authenticator = 0xc43e468dd06dc0a9bc0a93893dbd14a5 NAS-IP-Address = 10.2.2.240 NAS-Identifier = "001ac1d4d442" NAS-Port = 33566721 NAS-Port-Id = "unit=2;subslot=0;port=3;vlanid=1" NAS-Port-Type = Ethernet Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = "0022-15ef-ab87" State = 0x905a5208915e5f1e7244e69c58c3b630 H3C-Connect_Id = 18 H3C-Product-ID = "5500-EI" H3C-Ip-Host-Addr = "0.0.0.0 00:22:15:ef:ab:87" H3C-NAS-Startup-Timestamp = 954640520 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "host/testuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 253 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry DEFAULT at line 152 [files] users: Matched entry host/testuser at line 234 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS TLS Length 901 [tls] Length Included [tls] eaptls_verify returned 11 [tls] <<< TLS 1.0 Handshake [length 0249], Certificate --> verify error:num=9:certificate is not yet valid [tls] >>> TLS 1.0 Alert [length 0002], fatal bad_certificate TLS Alert write:fatal:bad certificate TLS_accept: error in SSLv3 read client certificate B rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned SSL: SSL_read failed in a system call (-1), TLS session fails. TLS receive handshake failed during operation [tls] eaptls_process returned 4 [eap] Handler failed in EAP/tls [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Login incorrect (certificate is not yet valid): [host/testuser] (from client private-network port 33566721 cli 0022-15ef-ab87) Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> host/testuser attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 2 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 2 Sending Access-Reject of id 70 to 10.2.2.240 port 5002 EAP-Message = 0x04040004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. Cleaning up request 0 ID 68 with timestamp +11 Cleaning up request 1 ID 69 with timestamp +11 Waking up in 1.0 seconds. Cleaning up request 2 ID 70 with timestamp +11 Ready to process requests.
On 12/05/2011 08:25 AM, Victor Guk wrote:
[tls] <<< TLS 1.0 Handshake [length 0249], Certificate --> verify error:num=9:certificate is not yet valid [tls] >>> TLS 1.0 Alert [length 0002], fatal bad_certificate TLS Alert write:fatal:bad certificate
This error comes from within OpenSSL. FreeRADIUS just does what OpenSSL tells it. Can you verify the cert with the "openssl verify ..." test command? e.g. try this: openssl verify -CAfile ca.pem -purpose sslserver server.pem If this fails as well, then it's either a problem in OpenSSL or your system libraries with dates >2050. If it succeeds (which I doubt) then FreeRADIUS should work too. I sort of admire your effort to future-proof your certs though! ;o) Cheers, Phil
hi, why? really, why? wat purpose does testing these dates have - you really think your current infrastructure, and techologies such as 802.1X are going to be around in the same format in even 20 years time? anyway....I'm guessing these are 32 bit server and client OS ? you may find, in that case, that your tests will work until you set the date beyond 2037 - 32bit OS have problems with dates after 2038 so, try this with KNOWN parameters - eg 2020 , within the 2038 timeframe and things should work. alan
Hi,
why?
really, why? wat purpose does testing these dates have - you really think your current infrastructure, and techologies such as 802.1X are going to be around in the same format in even 20 years time?
To be honest, I'm thinking of a similar thing. Given how painful a CA rollover can be, I'm planning to rollover to a CA with validity "somewhere beyond Stefan's retirement date", which is unfortunately later than 2037. Given that the extra effort to extend the lifetime of a CA is *zero* (just enter a different date in openssl.cnf) and the pain to eventually stumble over an expiring CA is non-zero - I prefer to do the zero work. Of course things might change, my CA keys might get too short, and I might be forced to roll over anyway - there is at least a *chance* that I can prevent a need to rollover, and so I'll do it. 3011 is stretching it though, admitted. Stefan
anyway....I'm guessing these are 32 bit server and client OS ?
you may find, in that case, that your tests will work until you set the date beyond 2037 - 32bit OS have problems with dates after 2038
so, try this with KNOWN parameters - eg 2020 , within the 2038 timeframe and things should work.
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg Tel: +352 424409 1 Fax: +352 422473
participants (4)
-
Alan Buxey -
Phil Mayers -
Stefan Winter -
Victor Guk