Eap-Tls Problem

Matteo Lazzarini mlazzarini at crema.unimi.it
Mon Aug 21 21:44:16 CEST 2006

Stefan Winter wrote:

>>In SSL Handshake Phase
>>In SSL Accept mode
>>  eaptls_process returned 13
>>  modcall[authenticate]: module "eap" returns handled for request 9
>>modcall: leaving group authenticate (returns handled) for request 9
>>Sending Access-Challenge of id 18 to port 1217
>>Finished request 9
>>Going to the next request
>>Waking up in 6 seconds...
>>--- Walking the entire request list ---
>>Cleaning up request 8 ID 17 with timestamp 44e9b492
>>Cleaning up request 9 ID 18 with timestamp 44e9b492
>>Nothing to do.  Sleeping until we see a request.
>Your server is sending a request to the client, but the client never replies  
>to it. The client doesn't like what it gets. Have you included the Extended 
>Usage OID for TLS Web Server Identification into your server cert? Also, when 
>using EAP-TLS, your client's certificate must have the corresponding OID (TLS 
>Client Identification).
>Stefan Winter
I made server cert with this script:

export PATH=${SSL}/bin/:${SSL}/ssl/misc:${PATH}
export LD_LIBRARY_PATH=${SSL}/lib
echo "Creating server private key and certificate"
echo "When prompted enter the server name in the Common Name field."
# Request a new PKCS#10 certificate.
# First, newreq.pem will be overwritten with the new certificate request
openssl req -new -keyout newreq.pem -out newreq.pem -passin 
pass:whatever -passout pass:whatever
# Sign the certificate request. The policy is defined in the openssl.cnf 
# The request generated in the previous step is specified with the 
-infiles option and
# the output is in newcert.pem
# The -extensions option is necessary to add the OID for the extended 
key for server authentication
openssl ca -policy policy_anything -out newcert.pem -passin 
pass:whatever -key whatever -extensions xpserver_ext -extfile 
xpextensions -infiles newreq.pem
# Create a PKCS#12 file from the new certificate and its private key 
found in newreq.pem
# and place in file specified on the command line
openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out $1.p12 
-clcerts -passin pass:whatever -passout pass:whatever
# parse the PKCS#12 file just created and produce a PEM format 
certificate and key in certsrv.pem
openssl pkcs12 -in $1.p12 -out $1.pem -passin pass:whatever -passout 
# Convert certificate from PEM format to DER format
openssl x509 -inform PEM -outform DER -in $1.pem -out $1.der
# Clean Up
rm -rf newert.pem newreq.pem

I attach the three certificate's generation scripts...

Can you said me where is the fault?

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: CA.clt
URL: <http://lists.freeradius.org/pipermail/freeradius-devel/attachments/20060821/f866dce7/attachment.ksh>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: CA.root
URL: <http://lists.freeradius.org/pipermail/freeradius-devel/attachments/20060821/f866dce7/attachment-0001.ksh>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: CA.svr
URL: <http://lists.freeradius.org/pipermail/freeradius-devel/attachments/20060821/f866dce7/attachment-0002.ksh>

More information about the Freeradius-Devel mailing list