Hi, Can I use Der format for certificates? When I try to use DER certificates I get this error on freeradius: (8) eap_tls: ERROR: (TLS) Alert write:fatal:decode error (8) eap_tls: ERROR: (TLS) Server : Error in error (8) eap_tls: ERROR: (TLS) Failed reading from OpenSSL: error:1417C087:SSL routines:tls_process_client_certificate:cert length mismatch (8) eap_tls: ERROR: (TLS) System call (I/O) error (-1) (8) eap_tls: ERROR: (TLS) EAP Receive handshake failed during operation (8) eap_tls: ERROR: [eaptls process] = fail (8) eap: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module failed Thanks in advance! Iñigo
On Mar 1, 2022, at 9:32 AM, Iñigo Vicente <ivicente@bexencardio.com> wrote:
Can I use Der format for certificates?
OpenSSL uses PEM. It's trivial to convert them from one format to another. So there's no reason to try to "force" it to use one format.
When I try to use DER certificates I get this error on freeradius:
(8) eap_tls: ERROR: (TLS) Alert write:fatal:decode error (8) eap_tls: ERROR: (TLS) Server : Error in error (8) eap_tls: ERROR: (TLS) Failed reading from OpenSSL: error:1417C087:SSL routines:tls_process_client_certificate:cert length mismatch
That really has nothing to do with the certificate format. Once the certificate is loaded by OpenSSL, it's sent across the wire in a different format. Plus, this complaint is about the *client* certificate. Not the certificate on the server. Alan DeKok.
I have created a client.der from the client.pem, I pass it through cmd to windows and I add it to a wifi module to connect but it gives me an error. The client.pem contains two certificates, the CA and the client.pem, how can I configure it to contain only the client? I think there is this error, freeradius uses the size with the two certificates together and I want to use them separately. Thanks, Iñigo. El mar, 1 mar 2022 a las 16:09, Alan DeKok (<aland@deployingradius.com>) escribió:
On Mar 1, 2022, at 9:32 AM, Iñigo Vicente <ivicente@bexencardio.com> wrote:
Can I use Der format for certificates?
OpenSSL uses PEM. It's trivial to convert them from one format to another. So there's no reason to try to "force" it to use one format.
When I try to use DER certificates I get this error on freeradius:
(8) eap_tls: ERROR: (TLS) Alert write:fatal:decode error (8) eap_tls: ERROR: (TLS) Server : Error in error (8) eap_tls: ERROR: (TLS) Failed reading from OpenSSL: error:1417C087:SSL routines:tls_process_client_certificate:cert length mismatch
That really has nothing to do with the certificate format.
Once the certificate is loaded by OpenSSL, it's sent across the wire in a different format.
Plus, this complaint is about the *client* certificate. Not the certificate on the server.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 02/03/2022 15:26, Iñigo Vicente wrote:
I have created a client.der from the client.pem, I pass it through cmd to windows and I add it to a wifi module to connect but it gives me an error. The client.pem contains two certificates, the CA and the client.pem, how can I configure it to contain only the client?
PEM format is plain text. Edit it to remove the certificate you don't want.
I think there is this error, freeradius uses the size with the two certificates together and I want to use them separately.
There is no error. FreeRADIUS uses whatever you give to it. -- Matthew
Hi, What changes do I have to make to configure freeradius with TLS? Thanks El mié, 2 mar 2022 a las 16:35, Matthew Newton (<mcn@freeradius.org>) escribió:
On 02/03/2022 15:26, Iñigo Vicente wrote:
I have created a client.der from the client.pem, I pass it through cmd to windows and I add it to a wifi module to connect but it gives me an error. The client.pem contains two certificates, the CA and the client.pem, how can I configure it to contain only the client?
PEM format is plain text. Edit it to remove the certificate you don't want.
I think there is this error, freeradius uses the size with the two certificates together and I want to use them separately.
There is no error. FreeRADIUS uses whatever you give to it.
-- Matthew - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Mar 7, 2022, at 4:19 AM, Iñigo Vicente <ivicente@bexencardio.com> wrote:
What changes do I have to make to configure freeradius with TLS?
Edit the configuration files. There's lots of documentation and examples. If you have a *specific* question, ask that. Questions like "How can I do stuff" are vague and useless. Alan DeKok.
I have configured etc/raddb/mods-available/eap eap { default_eap_type = tls } peap { default_eap_type = tls } I have this warning: 6) eap_tls: WARNING: (TLS) EAP Total received record fragments (91 bytes), does not equal expected expected data length (0 bytes) And this is my log: (12) Received Access-Request Id 245 from 172.17.0.1:50346 to 172.17.0.2:1812 length 228 (12) User-Name = "bob" (12) NAS-IP-Address = 192.168.2.1 (12) NAS-Identifier = "RalinkAP0" (12) NAS-Port = 0 (12) Called-Station-Id = "04-D9-F5-57-18-30" (12) Calling-Station-Id = "00-0B-57-F6-1C-D5" (12) Framed-MTU = 1400 (12) NAS-Port-Type = Wireless-802.11 (12) EAP-Message = 0x0208005c0d00011603030050b26cf6b6226b3980df1fbf03079d6cf034ebba09a493c5f51e2b3c95ac12d5366d8429430577a30f6ec4647169c7ca70a2aed956dfab9473c0c3f7f00f8eff475db3f3fa5a27aa592bfc598b75310dff (12) State = 0x65c4754763cc78ec7a205a84609f1783 (12) Message-Authenticator = 0xa68af9191955bedeeab1daf3abfca207 (12) Restoring &session-state (12) &session-state:Framed-MTU = 994 (12) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (12) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (12) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (12) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" (12) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (12) # Executing section authorize from file /etc/freeradius/sites-enabled/default (12) authorize { (12) policy filter_username { (12) if (&User-Name) { (12) if (&User-Name) -> TRUE (12) if (&User-Name) { (12) if (&User-Name =~ / /) { (12) if (&User-Name =~ / /) -> FALSE (12) if (&User-Name =~ /@[^@]*@/ ) { (12) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (12) if (&User-Name =~ /\.\./ ) { (12) if (&User-Name =~ /\.\./ ) -> FALSE (12) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (12) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (12) if (&User-Name =~ /\.$/) { (12) if (&User-Name =~ /\.$/) -> FALSE (12) if (&User-Name =~ /@\./) { (12) if (&User-Name =~ /@\./) -> FALSE (12) } # if (&User-Name) = notfound (12) } # policy filter_username = notfound (12) [preprocess] = ok (12) [chap] = noop (12) [mschap] = noop (12) [digest] = noop (12) suffix: Checking for suffix after "@" (12) suffix: No '@' in User-Name = "bob", looking up realm NULL (12) suffix: No such realm "NULL" (12) [suffix] = noop (12) eap: Peer sent EAP Response (code 2) ID 8 length 92 (12) eap: No EAP Start, assuming it's an on-going EAP conversation (12) [eap] = updated (12) files: users: Matched entry bob at line 87 (12) [files] = ok (12) [expiration] = noop (12) [logintime] = noop (12) pap: WARNING: Auth-Type already set. Not setting to PAP (12) [pap] = noop (12) } # authorize = updated (12) Found Auth-Type = eap (12) # Executing group from file /etc/freeradius/sites-enabled/default (12) authenticate { (12) eap: Expiring EAP session with state 0x83c0258587c628a6 (12) eap: Finished EAP session with state 0x65c4754763cc78ec (12) eap: Previous EAP request found for state 0x65c4754763cc78ec, released from the list (12) eap: Peer sent packet with method EAP TLS (13) (12) eap: Calling submodule eap_tls to process data (12) eap_tls: (TLS) EAP Got final fragment (86 bytes) (12) eap_tls: (TLS) EAP Done initial handshake (12) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write server done (12) eap_tls: (TLS) recv TLS 1.2 Handshake, Certificate (12) eap_tls: (TLS) send TLS 1.2 Alert, fatal decode_error (12) eap_tls: ERROR: (TLS) Alert write:fatal:decode error (12) eap_tls: ERROR: (TLS) Server : Error in error (12) eap_tls: ERROR: (TLS) Failed reading from OpenSSL: error:1417C087:SSL routines:tls_process_client_certificate:cert length mismatch (12) eap_tls: ERROR: (TLS) System call (I/O) error (-1) (12) eap_tls: ERROR: (TLS) EAP Receive handshake failed during operation (12) eap_tls: ERROR: [eaptls process] = fail (12) eap: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module failed (12) eap: Sending EAP Failure (code 4) ID 8 length 4 (12) eap: Failed in EAP select (12) [eap] = invalid (12) } # authenticate = invalid (12) Failed to authenticate the user (12) Using Post-Auth-Type Reject (12) # Executing group from file /etc/freeradius/sites-enabled/default (12) Post-Auth-Type REJECT { (12) attr_filter.access_reject: EXPAND %{User-Name} (12) attr_filter.access_reject: --> bob (12) attr_filter.access_reject: Matched entry DEFAULT at line 11 (12) [attr_filter.access_reject] = updated (12) [eap] = noop (12) policy remove_reply_message_if_eap { (12) if (&reply:EAP-Message && &reply:Reply-Message) { (12) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (12) else { (12) [noop] = noop (12) } # else = noop (12) } # policy remove_reply_message_if_eap = noop (12) } # Post-Auth-Type REJECT = updated (12) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (12) (12) Discarding duplicate request from client desktop port 50346 - ID: 245 due to delayed response (12) Sending delayed response (12) Sent Access-Reject Id 245 from 172.17.0.2:1812 to 172.17.0.1:50346 length 44 (12) EAP-Message = 0x04080004 (12) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. (9) Cleaning up request packet ID 242 with timestamp +53 (10) Cleaning up request packet ID 243 with timestamp +53 (11) Cleaning up request packet ID 244 with timestamp +53 (12) Cleaning up request packet ID 245 with timestamp +53 Ready to process requests Instead the connection with PEAP-MSCHAP is correct. El lun, 7 mar 2022 a las 13:39, Alan DeKok (<aland@deployingradius.com>) escribió:
On Mar 7, 2022, at 4:19 AM, Iñigo Vicente <ivicente@bexencardio.com> wrote:
What changes do I have to make to configure freeradius with TLS?
Edit the configuration files.
There's lots of documentation and examples.
If you have a *specific* question, ask that. Questions like "How can I do stuff" are vague and useless.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Mar 7, 2022, at 8:35 AM, Iñigo Vicente <ivicente@bexencardio.com> wrote:
I have configured etc/raddb/mods-available/eap eap { default_eap_type = tls } peap { default_eap_type = tls }
There's rather a lot more than that, but whatever. And no, we don't need to see the configuration files. All of the documentation makes this VERY clear.
I have this warning: 6) eap_tls: WARNING: (TLS) EAP Total received record fragments (91 bytes), does not equal expected expected data length (0 bytes)
If that's the message you get, then you should post that message. Don't post a vague question asking about TLS.
(12) eap_tls: ERROR: (TLS) Failed reading from OpenSSL: error:1417C087:SSL routines:tls_process_client_certificate:cert length mismatch
The end user system (EAP supplicant) is broken. It's not doing EAP-TLS properly. What end user system are you using? Perhaps also try disabling TLS 1.3 on the server side. See the tls {...} configuration for details. Alan DeKok.
What end user system are you using?
I am using WGM110 Wizard Gecko Wi-Fi bgtool El lun, 7 mar 2022 a las 14:39, Alan DeKok (<aland@deployingradius.com>) escribió:
On Mar 7, 2022, at 8:35 AM, Iñigo Vicente <ivicente@bexencardio.com> wrote:
I have configured etc/raddb/mods-available/eap eap { default_eap_type = tls } peap { default_eap_type = tls }
There's rather a lot more than that, but whatever. And no, we don't need to see the configuration files. All of the documentation makes this VERY clear.
I have this warning: 6) eap_tls: WARNING: (TLS) EAP Total received record fragments (91 bytes), does not equal expected expected data length (0 bytes)
If that's the message you get, then you should post that message. Don't post a vague question asking about TLS.
(12) eap_tls: ERROR: (TLS) Failed reading from OpenSSL: error:1417C087:SSL routines:tls_process_client_certificate:cert length mismatch
The end user system (EAP supplicant) is broken. It's not doing EAP-TLS properly.
What end user system are you using?
Perhaps also try disabling TLS 1.3 on the server side. See the tls {...} configuration for details.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Mar 7, 2022, at 9:03 AM, Iñigo Vicente <ivicente@bexencardio.com> wrote:
What end user system are you using?
I am using WGM110 Wizard Gecko Wi-Fi bgtool
I have no idea what that is. End user systems are usually Windows, Mac OSX, Android, iOS, etc. If you're using something unusual and it doesn't work with FreeRADIUS, then the problem isn't FreeRADIUS. Throw the broken tool in the garbage, and buy one that works. Or, call support for the tool you're using, and tell them that it's broken. It doesn't follow the TLS specs properly, and they need to fix it. No amount of poking FreeRADIUS will fix this problem. The tool you're using is broken. Alan DeKok.
Maybe using a different EAP supplicant would help to check the Freeradius server config. Le lun. 7 mars 2022 à 15:04, Iñigo Vicente <ivicente@bexencardio.com> a écrit :
What end user system are you using?
I am using WGM110 Wizard Gecko Wi-Fi bgtool
El lun, 7 mar 2022 a las 14:39, Alan DeKok (<aland@deployingradius.com>) escribió:
On Mar 7, 2022, at 8:35 AM, Iñigo Vicente <ivicente@bexencardio.com> wrote:
I have configured etc/raddb/mods-available/eap eap { default_eap_type = tls } peap { default_eap_type = tls }
There's rather a lot more than that, but whatever. And no, we don't need to see the configuration files. All of the documentation makes this VERY clear.
I have this warning: 6) eap_tls: WARNING: (TLS) EAP Total received record fragments (91 bytes), does not equal expected expected data length (0 bytes)
If that's the message you get, then you should post that message. Don't post a vague question asking about TLS.
(12) eap_tls: ERROR: (TLS) Failed reading from OpenSSL: error:1417C087:SSL routines:tls_process_client_certificate:cert length mismatch
The end user system (EAP supplicant) is broken. It's not doing EAP-TLS properly.
What end user system are you using?
Perhaps also try disabling TLS 1.3 on the server side. See the tls {...} configuration for details.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (4)
-
Alan DeKok -
Iñigo Vicente -
Matthew Newton -
Olivier