EAP-TLS Authentication fails( TLS_accept: error in SSLv3 read client certificate B)
Hi, Could anybody help me about EAP-TLS authentication? I use freeradius-server-2.2.0 version, and openssl is installed and use glassfish. Configured eap.conf file (make default_eap_type = tls and update the tls certificate configs.) Then, created certificates via "bootstap", "make" and "make client" commands. Import them to glassfish with keytool: keytool -import -alias root -keystore keystore.jks -trustcacerts -file ca.der keytool -import -alias client -keystore keystore.jks -trustcacerts -file client.crt However, when I sent an eap-tls authentication request, I took following error: [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] eaptls_verify returned 7 [tls] Done initial handshake [tls] <<< TLS 1.0 Handshake [length 0007], Certificate [tls] >>> TLS 1.0 Alert [length 0002], fatal handshake_failure TLS Alert write:fatal:handshake failure TLS_accept: error in SSLv3 read client certificate B rlm_eap: SSL error error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate SSL: SSL_read failed in a system call (-1), TLS session fails. TLS receive handshake failed during operation [tls] eaptls_process returned 4 [eap] Handler failed in EAP/tls [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type REJECT I read a lot about this issue, but I could not figure out what is missing. Thanks & Regards,
Esma Yalcinkaya wrote:
Then, created certificates via "bootstap", "make" and "make client" commands. Import them to glassfish with keytool:
Does glassfish do EAP?
However, when I sent an eap-tls authentication request, I took following error: ... TLS_accept: error in SSLv3 read client certificate B rlm_eap: SSL error error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
The end user system isn't sending over a client certificate.
I read a lot about this issue, but I could not figure out what is missing.
You'll have to debug the non-FreeRADIUS portion. It's the one which is causing the authentication to fail. See it's debugging logs for details. You may need to install the server cert on it, tho that shouldn't be necessary. Alan DeKok.
My application runs on glassfish server, so I import the cert files to keystore. Also tried to import cert files to cacerts directory(/java/jdk1.6.0_34/jre/lib/security/cacerts) but it did not work. I import the server.crt too, and try to authenticate now, but nothing has changed. I am continuing to debug the logs(server logs, freeradius logs etc). Let me ask a question, I am new at freeradius. Although this error occurs for SSLv3 read client certificate B, there is no error occurance for certificate A like below. [tls] TLS_accept: SSLv3 write certificate request A [tls] TLS_accept: SSLv3 flush data [tls] TLS_accept: Need to read more data: SSLv3 read client certificate A I did not unterstand this log, what does it mean "need to read more data"? Thanks, On Wed, Nov 27, 2013 at 4:24 PM, Alan DeKok <aland@deployingradius.com>wrote:
Esma Yalcinkaya wrote:
Then, created certificates via "bootstap", "make" and "make client" commands. Import them to glassfish with keytool:
Does glassfish do EAP?
However, when I sent an eap-tls authentication request, I took following error: ... TLS_accept: error in SSLv3 read client certificate B rlm_eap: SSL error error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
The end user system isn't sending over a client certificate.
I read a lot about this issue, but I could not figure out what is missing.
You'll have to debug the non-FreeRADIUS portion. It's the one which is causing the authentication to fail. See it's debugging logs for details.
You may need to install the server cert on it, tho that shouldn't be necessary.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 11/27/2013 10:15 AM, Esma Yalcinkaya wrote:
My application runs on glassfish server, so I import the cert files to keystore. Also tried to import cert files to cacerts directory(/java/jdk1.6.0_34/jre/lib/security/cacerts) but it did not work.
I import the server.crt too, and try to authenticate now, but nothing has changed.
I am continuing to debug the logs(server logs, freeradius logs etc).
Let me ask a question, I am new at freeradius. Although this error occurs for SSLv3 read client certificate B, there is no error occurance for certificate A like below.
[tls] TLS_accept: SSLv3 write certificate request A [tls] TLS_accept: SSLv3 flush data [tls] TLS_accept: Need to read more data: SSLv3 read client certificate A
I did not unterstand this log, what does it mean "need to read more data"?
It means exactly what Alan said below. Its waiting for the peer to send a client certificate. TLS works by performing a number of exchanges in what is called "handshaking". The handshake exchanges negotiate the type of TLS connection which is going to be established. Certificate exchange is part of the handshake process. A server certificate is always sent to the client so the client can validate the server. This is known as server only validation, the server does not care who the client is. But TLS is also capable of mutual authentication where the client must authenticate to the server as well so the server knows who the client is. This is the basis of eap-tls, it's using the client TLS validation as an authentication of the client. During the TLS handshake the server will send a request to the client saying "please send me your certificate". That's what is happening here, the server has made a request for a client cert and now it's waiting to read that response from the client. If that response does not arrive then this is not a FreeRADIUS issue, it's a problem with your eap-tls client.
> TLS_accept: error in SSLv3 read client certificate B > rlm_eap: SSL error error:140890C7:SSL > routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
The end user system isn't sending over a client certificate.
-- John
Thanks for your replies. Not sure, maybe the problem is importing the client cert file via keytool. Because I create the Radius Client in code and send authentication request. I will look for how to set client cert file in my code. Thanks & Regards, On Wed, Nov 27, 2013 at 5:47 PM, John Dennis <jdennis@redhat.com> wrote:
On 11/27/2013 10:15 AM, Esma Yalcinkaya wrote:
My application runs on glassfish server, so I import the cert files to keystore. Also tried to import cert files to cacerts directory(/java/jdk1.6.0_34/jre/lib/security/cacerts) but it did not work.
I import the server.crt too, and try to authenticate now, but nothing has changed.
I am continuing to debug the logs(server logs, freeradius logs etc).
Let me ask a question, I am new at freeradius. Although this error occurs for SSLv3 read client certificate B, there is no error occurance for certificate A like below.
[tls] TLS_accept: SSLv3 write certificate request A [tls] TLS_accept: SSLv3 flush data [tls] TLS_accept: Need to read more data: SSLv3 read client certificate A
I did not unterstand this log, what does it mean "need to read more data"?
It means exactly what Alan said below. Its waiting for the peer to send a client certificate.
TLS works by performing a number of exchanges in what is called "handshaking". The handshake exchanges negotiate the type of TLS connection which is going to be established. Certificate exchange is part of the handshake process. A server certificate is always sent to the client so the client can validate the server. This is known as server only validation, the server does not care who the client is. But TLS is also capable of mutual authentication where the client must authenticate to the server as well so the server knows who the client is. This is the basis of eap-tls, it's using the client TLS validation as an authentication of the client. During the TLS handshake the server will send a request to the client saying "please send me your certificate". That's what is happening here, the server has made a request for a client cert and now it's waiting to read that response from the client. If that response does not arrive then this is not a FreeRADIUS issue, it's a problem with your eap-tls client.
> TLS_accept: error in SSLv3 read client certificate B > rlm_eap: SSL error error:140890C7:SSL > routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a
certificate
The end user system isn't sending over a client certificate.
-- John - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan DeKok -
Esma Yalcinkaya -
John Dennis