EAP-TLS failing after enabling crl_check
Hi All, I've been very successful at getting EAP-TLS functional, up to the point of actually getting the CRL check to work. A little background on my setup: EAP-TLS Functional WITHOUT check_crl CRL downloaded via http interface (windows2k) which is by default DER format. This is converted to PEM. CRL can be verified with" openssl crl -in crlfile.pem -text" -- This shows up perfectly, as expected, including the serial#s of certs that are revoked. I can verify every cert, view with openssl -text etc. All of the certs are legit and work fine for non-crl auth so I don't think there is anything wrong with my certs. I've converted the private/public/cacerts into .pfx and extracted individual certs, just the cacerts, tried various bundles, everything is smooth, but makes no difference. The CA is running on win2k3, openssl isn't used on the freeradius box as a CA. I run a perl script c_rehash to create the symbolic links as hashed names to the PEM certs (c_rehash even seems to 'know' the CRL file is a crl by making it whatever.r0) Also verified permissions (freeradius will fail anyways if permissions to the certs don't work). In short, I've tried everything I can think of and no matter what, once I enable crl_check, clients are rejected. Full error msg below, however, this is the initial error: [tls] <<< TLS 1.0 Handshake [length 1076], Certificate --> verify error:num=3:unable to get certificate CRL See my config below; Running radiusd -X -f Here is my config: certdir = ${confdir}/certs cadir = ${confdir}/certs private_key_password = "blah" private_key_file = ${certdir}/ca/freeradius-priv.pem # If Private key & Certificate are located in # the same file, then private_key_file & # certificate_file must contain the same file # name. # # If CA_file (below) is not used, then the # certificate_file below MUST include not # only the server certificate, but ALSO all # of the CA certificates used to sign the # server certificate. certificate_file = ${certdir}/ca/freeradius-pub.pem # Trusted Root CA list # # ALL of the CA's in this list will be trusted # to issue client certificates for authentication. # # In general, you should use self-signed # certificates for 802.1x (EAP) authentication. # In that case, this CA file should contain # *one* CA certificate. # # This parameter is used only for EAP-TLS, # when you issue client certificates. If you do # not use client certificates, and you do not want # to permit EAP-TLS authentication, then delete # this configuration item. CA_file = ${cadir}/ca/ca.pem # # For DH cipher suites to work, you have to # run OpenSSL to create the DH file first: # # openssl dhparam -out certs/dh 1024 # dh_file = ${certdir}/dh random_file = ${certdir}/random # # This can never exceed the size of a RADIUS # packet (4096 bytes), and is preferably half # that, to accomodate other attributes in # RADIUS packet. On most APs the MAX packet # length is configured between 1500 - 1600 # In these cases, fragment size should be # 1024 or less. # # fragment_size = 1024 # include_length is a flag which is # by default set to yes If set to # yes, Total Length of the message is # included in EVERY packet we send. # If set to no, Total Length of the # message is included ONLY in the # First packet of a fragment series. # # include_length = yes # Check the Certificate Revocation List # # 1) Copy CA certificates and CRLs to same directory. # 2) Execute 'c_rehash <CA certs&CRLs Directory>'. # 'c_rehash' is OpenSSL's command. # 3) uncomment the line below. # 5) Restart radiusd check_crl = yes crl_path = "/etc/raddb/certs/ca/crl.pem" CA_path = "/etc/raddb/certs/ca/" #pem_file_type = yes Here is the error: [tls] <<< TLS 1.0 Handshake [length 1076], Certificate --> verify error:num=3:unable to get certificate CRL [tls] >>> TLS 1.0 Alert [length 0002], fatal unknown_ca TLS Alert write:fatal:unknown CA TLS_accept:error in SSLv3 read client certificate B rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned SSL: SSL_read failed in a system call (-1), TLS session fails. TLS receive handshake failed during operation [tls] eaptls_process returned 4 [eap] Handler failed in EAP/tls [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Login incorrect: [apophxw88397hpyjx.apollogrp.edu] (from client wireless_access_point1 port 12289 cli 00-26-B0-61-FD-32) Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> Here is the CApath directory: lrwxrwxrwx 1 root root 18 Oct 14 16:40 7a1f8db1.0 -> freeradius-pub.pem lrwxrwxrwx 1 root root 6 Oct 14 16:40 a7454e50.0 -> ca.pem lrwxrwxrwx 1 root root 7 Oct 14 16:40 a7454e50.r0 -> crl.pem -r--r----- 1 root radiusd 1760 Oct 14 16:18 ca.pem -rw-rw-r-- 1 root radiusd 1877 Oct 14 16:40 crl.pem -r--r----- 1 root radiusd 1751 Oct 14 16:40 freeradius-priv.pem -r--r----- 1 root radiusd 2268 Oct 14 16:40 freeradius-pub.pem I can post a more lengthy failure log if someone wants it - my question is, has anyone got this working without running the openssl CA right on the same box as freeradius? What am I missing? Thank you for any assistance.
participants (1)
-
Kyle O'Malley