Problem setting up EAP-TLS with hostap
Hi I am having a problem that appears to be similar to http://freeradius.1045715.n5.nabble.com/suddenly-problem-with-certificates-e... but the solution there didn't work. I have configured hostap to use radius on a free radius server running locally. I am trying to use certificates for authentication. To test this I am using a stock android device, with the certicates generated from /etc/raddb/certs directory. The certs are installed on android and they appear to be correct. I have installed both the CA certificate and the client certififate on the device. When I run freeradius with the -X option I get the following log. I though that it might have been a fragmentation problem so I set fragmentation to 1024 in both hostapd and freeradius but I still get the same error. Cheers Chris
Hi That thread was due to an issue caused by the live CA file being blatted and updated with a new one. The CA and client certs created by that are more of a utility than something you'd probably want to use in production. They are great for creating some quick certs for testing but a live system would really really want to think about having a proper PKI and CR system in place and understand requirements of running a CA I haven't read your log yet but it could be related to the TYPE of CA you're trying to use with Android or that you haven't installed the CA onto the client Alan -- Sent from my Android device with K-9 Mail. Please excuse my brevity.
Chris Anderson wrote:
When I run freeradius with the -X option I get the following log
Attaching it in-line or as a ".txt" file would have been friendlier. Anyways, the key lines are: [tls] <<< TLS 1.0 Alert [length 0002], fatal decrypt_error TLS Alert read:fatal:decrypt error TLS_accept: failed in SSLv3 read client certificate A rlm_eap: SSL error error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1 alert decrypt error Your certificates / CA don't match. SSL isn't magic, but it fragile. Follow the instructions on my web site: http://deployingradius.com/ Once you have it working with test certificates, then follow the *same* procedure with real certificates. It *will* work. The only way to keep SSL happy is a careful application of procedure. If you skip a step, then the certificate chain doesn't make sense to SSL, and it will fail. Alan DeKok.
Thank you all. I got it working but using the certificates that I have for openvpn. The strange thing is that when you actually do a dump of the key using the build system (Makefiles and cnf) in the gentoo /etc/raddb/certs directory the length is zero. There doesn't appear to be a key in there. But all I needed to know was that I was heading in the right direction. Kind regards Chris 12.01.2014, 13:12, "Alan DeKok" <aland@deployingradius.com>:
Chris Anderson wrote:
When I run freeradius with the -X option I get the following log
Attaching it in-line or as a ".txt" file would have been friendlier.
Anyways, the key lines are:
[tls] <<< TLS 1.0 Alert [length 0002], fatal decrypt_error TLS Alert read:fatal:decrypt error TLS_accept: failed in SSLv3 read client certificate A rlm_eap: SSL error error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1 alert decrypt error
Your certificates / CA don't match. SSL isn't magic, but it fragile.
Follow the instructions on my web site: http://deployingradius.com/
Once you have it working with test certificates, then follow the *same* procedure with real certificates. It *will* work.
The only way to keep SSL happy is a careful application of procedure. If you skip a step, then the certificate chain doesn't make sense to SSL, and it will fail.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan Buxey -
Alan DeKok -
Chris Anderson