FW: OCSP Error: "Couldn't get issuer_cert" with EAP-TLS
Hi Be really grateful for some assistance in this setup: 1. FreeRadius 3.0.16 running on Ubuntu 18.04 LTS 2. I have enabled EAP-TLS and have this working. The certificates (CA, Server, Client) have been created and imported from Microsoft CA server. 3. I have copied the CA certificate to /etc/freeradius/3.0/certs/root.pem and the server certificate / private key to /etc/freeradius/3.0/certs/radcert.pem 4. My eap module config looks like: tls-config tls-common { private_key_password = <password> private_key_file = /etc/freeradius/3.0/certs/radcert.pem certificate_file = /etc/freeradius/3.0/certs/radcert.pem ca_file = /etc/freeradius/3.0/certs/root.pem dh_file = ${certdir}/dh ca_path = ${cadir} cipher_list = "DEFAULT" cipher_server_preference = no ecdh_curve = "prime256v1" ocsp { enable = yes override_cert_url = yes". url = "http://<IP address>/ocsp<http://%3cIP%20address%3e/ocsp>" timeout = 0 } } Without OCSP enabled, everything works. I can authenticate from a Wireless Access Point using a client certificate and EAP-TLS. I have configured OCSP in my Microsoft PKI environment and confirmed it works using the inbuilt Microsoft tools and OCSP Responder. I can use the URL listed above "http://<IP address>/ocsp<http://%3cIP%20address%3e/ocsp>" to check the certificate validity outside of FreeRadius. When I enable OSCP on FreeRadius, I receive an error message on client authentication "Could not get issuer_cert". FreeRADIUS doesn't attempt to query the OCSP URL (confirmed by packet capture). I have run FreeRadius in debug mode, where I see the message. "BARRYE540.intrinsic-comms.co.uk" is the CN of the client side certificate. "/DC=uk/DC=co/DC=intrinsic-comms/CN=intrinsic-comms-INTRINSIC-DC1-CA" is my CA. This is the certificate in the file /etc/freeradius/3.0/certs/root.pem This CA signed both my server certificate, and also the client certificate. (6) authenticate { (6) eap: Expiring EAP session with state 0xbe16c925bb1ec429 (6) eap: Finished EAP session with state 0xbe16c925bb1ec429 (6) eap: Previous EAP request found for state 0xbe16c925bb1ec429, released from the list (6) eap: Peer sent packet with method EAP TLS (13) (6) eap: Calling submodule eap_tls to process data (6) eap_tls: Continuing EAP-TLS (6) eap_tls: Got final TLS record fragment (430 bytes) (6) eap_tls: [eaptls verify] = ok (6) eap_tls: Done initial handshake (6) eap_tls: TLS_accept: SSLv3/TLS write server done (6) eap_tls: <<< recv TLS 1.0 Handshake [length 05ec], Certificate (6) eap_tls: Creating attributes from certificate OIDs (6) eap_tls: TLS-Cert-Serial := "65af3f02a6ec65a44c0e7514e4264d26" (6) eap_tls: TLS-Cert-Expiration := "210606133907Z" (6) eap_tls: TLS-Cert-Subject := "/DC=uk/DC=co/DC=intrinsic-comms/CN=intrinsic-comms-INTRINSIC-DC1-CA" (6) eap_tls: TLS-Cert-Issuer := "/DC=uk/DC=co/DC=intrinsic-comms/CN=intrinsic-comms-INTRINSIC-DC1-CA" (6) eap_tls: TLS-Cert-Common-Name := "intrinsic-comms-INTRINSIC-DC1-CA" (6) eap_tls: Creating attributes from certificate OIDs (6) eap_tls: TLS-Client-Cert-Serial := "61ab3a63000000000024" (6) eap_tls: TLS-Client-Cert-Expiration := "210311124806Z" (6) eap_tls: TLS-Client-Cert-Subject := "/CN=BARRYE540.intrinsic-comms.co.uk" (6) eap_tls: TLS-Client-Cert-Issuer := "/DC=uk/DC=co/DC=intrinsic-comms/CN=intrinsic-comms-INTRINSIC-DC1-CA" (6) eap_tls: TLS-Client-Cert-Common-Name := "BARRYE540.intrinsic-comms.co.uk" (6) eap_tls: TLS-Client-Cert-Subject-Alt-Name-Dns := "BARRYE540.intrinsic-comms.co.uk" (6) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication, TLS Web Server Authentication" (6) eap_tls: TLS-Client-Cert-X509v3-Subject-Key-Identifier += "92:B0:76:E0:FF:A4:21:CA:90:86:5D:ED:30:95:76:ED:1B:39:7C:3C" (6) eap_tls: TLS-Client-Cert-X509v3-Authority-Key-Identifier += "keyid:6E:8C:54:CC:71:53:48:A7:7B:C7:56:CA:9F:BA:B2:00:D0:D0:B0:4D\n" (6) eap_tls: Starting OCSP Request (6) eap_tls: ERROR: Couldn't get issuer_cert for BARRYE540.intrinsic-comms.co.uk (6) eap_tls: TLS_accept: SSLv3/TLS read client certificate (6) eap_tls: <<< recv TLS 1.0 Handshake [length 0046], ClientKeyExchange (6) eap_tls: TLS_accept: SSLv3/TLS read client key exchange (6) eap_tls: <<< recv TLS 1.0 Handshake [length 0106], CertificateVerify (6) eap_tls: TLS_accept: SSLv3/TLS read certificate verify (6) eap_tls: TLS_accept: SSLv3/TLS read change cipher spec (6) eap_tls: <<< recv TLS 1.0 Handshake [length 0010], Finished (6) eap_tls: TLS_accept: SSLv3/TLS read finished (6) eap_tls: >>> send TLS 1.0 ChangeCipherSpec [length 0001] (6) eap_tls: TLS_accept: SSLv3/TLS write change cipher spec (6) eap_tls: >>> send TLS 1.0 Handshake [length 0010], Finished (6) eap_tls: TLS_accept: SSLv3/TLS write finished (6) eap_tls: (other): SSL negotiation finished successfully (6) eap_tls: SSL Connection Established (6) eap_tls: [eaptls process] = handled (6) eap: Sending EAP Request (code 1) ID 9 length 69 (6) eap: EAP session adding &reply:State = 0xbe16c925b81fc429 (6) [eap] = handled (6) } # authenticate = handled (6) Using Post-Auth-Type Challenge (6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (6) Challenge { ... } # empty sub-section is ignored (6) Sent Access-Challenge Id 56 from 10.1.201.131:1812 to 10.1.200.5:1645 length 0 (6) EAP-Message = 0x010900450d800000003b14030100010116030100300d1b86144514486ac8365c982b727cc67cc948850c735a28a07e93f2 b24bf4b0858e5ac5677c48fbcb1293e30098f482 (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0xbe16c925b81fc4295f491b5eb49b13aa (6) Finished request If there are any other further debugs or outputs that would assist, please let me know. Thanks.
On Mar 11, 2020, at 10:32 AM, Barry Hesk <bhesk@hotmail.com> wrote:
Be really grateful for some assistance in this setup:
1. FreeRadius 3.0.16 running on Ubuntu 18.04 LTS
2. I have enabled EAP-TLS and have this working. The certificates (CA, Server, Client) have been created and imported from Microsoft CA server.
3. I have copied the CA certificate to /etc/freeradius/3.0/certs/root.pem and the server certificate / private key to /etc/freeradius/3.0/certs/radcert.pem
That should work for EAP. But... OpenSSL does magic internally with certificate chains. It doesn't always make sense. We have some code in FreeRADIUS to make OpenSSL *stop* doing crazy things. :(
Without OCSP enabled, everything works. I can authenticate from a Wireless Access Point using a client certificate and EAP-TLS.
That's good.
I have configured OCSP in my Microsoft PKI environment and confirmed it works using the inbuilt Microsoft tools and OCSP Responder. I can use the URL listed above ... to check the certificate validity outside of FreeRadius.
When I enable OSCP on FreeRadius, I receive an error message on client authentication "Could not get issuer_cert". FreeRADIUS doesn't attempt to query the OCSP URL (confirmed by packet capture). I have run FreeRadius in debug mode, where I see the message. "BARRYE540.intrinsic-comms.co.uk" is the CN of the client side certificate.
"/DC=uk/DC=co/DC=intrinsic-comms/CN=intrinsic-comms-INTRINSIC-DC1-CA" is my CA. This is the certificate in the file /etc/freeradius/3.0/certs/root.pem
This CA signed both my server certificate, and also the client certificate.
My guess is that OpenSSL is unable to properly form the certificate chain. Update the "certs/radcert.pem" file to include the CA cert, followed by the server cert. Then, don't use ca_file. The hope is that OpenSSL will then be able to find the root CA, and then use it to do OCSP for the client cert. OpenSSL is wonderful in that it implements TLS. And TLS is horribly complex. But.... OpenSSL isn't easy to use. Alan DeKok.
Hi Alan Thanks very much for your response. I've been doing a lot more testing, but still having problems. The issue does seem to be with openssl as I get exactly the same issues if I use the openssl ocsp check directly.
My guess is that OpenSSL is unable to properly form the certificate chain. Update the "certs/radcert.pem" file to include the CA cert, followed by the server cert. Then, don't use ca_file.
The hope is that OpenSSL will then be able to find the root CA, and then use it to do OCSP for the client cert.
Tried this in various combinations. I can change the error messages I receive, but can't get it to work :-) - Created an unencrypted pem file containing both the CA and Server cert (Server 1st, CA 2nd) - created an encrypted pem with the server private key. - In freedradius, pointed certificate_file at the combined unencrypted file and at the private key with the relevant password. Removed "ca_file" directive. "/DC=uk/DC=co/DC=intrinsic-comms/CN=intrinsic-comms-INTRINSIC-DC1-CA" is my CA certificate which is in the combined PEM file. FreeRadius starts ok, however can’t validate any certificates. (17) eap_tls: Creating attributes from certificate OIDs (17) eap_tls: TLS-Client-Cert-Serial := "61ab3a63000000000024" (17) eap_tls: TLS-Client-Cert-Expiration := "210311124806Z" (17) eap_tls: TLS-Client-Cert-Subject := "/CN=BARRYE540.intrinsic-comms.co.uk" (17) eap_tls: TLS-Client-Cert-Issuer := "/DC=uk/DC=co/DC=intrinsic-comms/CN=intrinsic-comms-INTRINSIC-DC1-CA" (17) eap_tls: TLS-Client-Cert-Common-Name := "BARRYE540.intrinsic-comms.co.uk" (17) eap_tls: TLS-Client-Cert-Subject-Alt-Name-Dns := "BARRYE540.intrinsic-comms.co.uk" 17) eap_tls: ERROR: SSL says error 20 : unable to get local issuer certificate (17) eap_tls: >>> send TLS 1.0 Alert [length 0002], fatal unknown_ca (17) eap_tls: ERROR: TLS Alert write:fatal:unknown CA tls: TLS_accept: Error in error (17) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed (17) eap_tls: ERROR: System call (I/O) error (-1) (17) eap_tls: ERROR: TLS receive handshake failed during operation (17) eap_tls: ERROR: [eaptls process] = fail (17) eap: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module failed - Reinstated the "ca_file" directive - which is the identical certificate (CA only) in the combined CA/Server pem file. I can now validate certificates again, but ocsp fails in the same way as previously. - created an encrypted file containing server, CA, and private key. Fails in an identical way. If "ca_file" not configured, it totally fails. If "ca_file" is present, it validates the client certificate ok, but oscp fails. If "ca_file" is removed all validation fails. - swapped the order in my combined PEM file - putting the CA certificate 1st and the server certificate 2nd. FreeRADIUS refuses to start saying the private key (which is my server private key) doesn't match. Loads of fun :-) I have a workaround - which is to copy the CRL files off my CA onto my FreeRadius server, convert them to the right format using openssl and then use "openssl verify" to do the CRL check. This does work however kind of defeats the point; I was trying to get OCSP to replace CRLs... Thanks again for your suggestions to this point. Barry -----Original Message-----
On Mar 13, 2020, at 10:24 AM, Barry Hesk <bhesk@hotmail.com> wrote:
Thanks very much for your response. I've been doing a lot more testing, but still having problems. The issue does seem to be with openssl as I get exactly the same issues if I use the openssl ocsp check directly.
OK. Then there's nothing FreeRADIUS can do. :( We will *not* be implemented TLS ourselves. It's crazy complicated. Alan DeKok.
Hi Alan
OK. Then there's nothing FreeRADIUS can do. :(
We will *not* be implemented TLS ourselves. It's crazy complicated.
Yes, agreed. I'm going to study quantum / string theory instead. It's easier :-) I will keep testing. If I do get it working, I'll post with a solution. Thanks. Barry
participants (2)
-
Alan DeKok -
Barry Hesk