Eap-Tls Problem
Matteo Lazzarini
mlazzarini at crema.unimi.it
Mon Aug 21 21:44:16 CEST 2006
Stefan Winter wrote:
>Hi,
>
>
>
>>In SSL Handshake Phase
>>In SSL Accept mode
>> eaptls_process returned 13
>> modcall[authenticate]: module "eap" returns handled for request 9
>>modcall: leaving group authenticate (returns handled) for request 9
>>Sending Access-Challenge of id 18 to 192.168.1.5 port 1217
>>...
>>Finished request 9
>>Going to the next request
>>Waking up in 6 seconds...
>>--- Walking the entire request list ---
>>Cleaning up request 8 ID 17 with timestamp 44e9b492
>>Cleaning up request 9 ID 18 with timestamp 44e9b492
>>Nothing to do. Sleeping until we see a request.
>>
>>
>
>Your server is sending a request to the client, but the client never replies
>to it. The client doesn't like what it gets. Have you included the Extended
>Usage OID for TLS Web Server Identification into your server cert? Also, when
>using EAP-TLS, your client's certificate must have the corresponding OID (TLS
>Client Identification).
>
>Greetings,
>
>Stefan Winter
>
>
>
I made the server cert with this script:
#!/bin/sh
SSL=/usr/lib
export PATH=${SSL}/bin/:${SSL}/ssl/misc:${PATH}
export LD_LIBRARY_PATH=${SSL}/lib
echo "*********************************************************************************"
echo "Creating server private key and certificate"
echo "When prompted enter the server name in the Common Name field."
echo "*********************************************************************************"
echo
# Request a new PKCS#10 certificate.
# First, newreq.pem will be overwritten with the new certificate request
openssl req -new -keyout newreq.pem -out newreq.pem \
    -passin pass:whatever -passout pass:whatever
# Sign the certificate request. The policy is defined in the openssl.cnf file.
# The request generated in the previous step is specified with the -infiles option and
# the output is in newcert.pem
# The -extensions option is necessary to add the OID for the extended key for server authentication
openssl ca -policy policy_anything -out newcert.pem -passin pass:whatever -key whatever \
    -extensions xpserver_ext -extfile xpextensions -infiles newreq.pem
# Create a PKCS#12 file from the new certificate and its private key found in newreq.pem
# and place in file specified on the command line
openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out "$1.p12" \
    -clcerts -passin pass:whatever -passout pass:whatever
# parse the PKCS#12 file just created and produce a PEM format certificate and key in certsrv.pem
openssl pkcs12 -in "$1.p12" -out "$1.pem" -passin pass:whatever -passout pass:whatever
# Convert certificate from PEM format to DER format
openssl x509 -inform PEM -outform DER -in "$1.pem" -out "$1.der"
# Clean Up: remove the intermediate request and signed certificate files
rm -rf newcert.pem newreq.pem
I attach the three certificate generation scripts...
Can you tell me where the fault is?
Thanks
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: CA.clt
URL: <http://lists.freeradius.org/pipermail/freeradius-devel/attachments/20060821/f866dce7/attachment.ksh>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: CA.root
URL: <http://lists.freeradius.org/pipermail/freeradius-devel/attachments/20060821/f866dce7/attachment-0001.ksh>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: CA.svr
URL: <http://lists.freeradius.org/pipermail/freeradius-devel/attachments/20060821/f866dce7/attachment-0002.ksh>
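A check for the Extended Key Usage requirement Stefan describes, added here as an example (it is not from the thread or from the FreeRADIUS CA.* scripts). It assumes an OpenSSL 1.1.1 or newer `openssl` binary on PATH (for `-addext`), and builds its own throwaway self-signed certificates as constructed test data; `has_eku`, `make_cert` and `demo` are names chosen for this example.

```shell
# Added example: verify that a certificate carries the EKU an EAP-TLS supplicant
# checks for. Server cert: serverAuth (1.3.6.1.5.5.7.3.1); client cert:
# clientAuth (1.3.6.1.5.5.7.3.2). Assumes OpenSSL 1.1.1+ on PATH.

# has_eku CERT.pem serverAuth|clientAuth  -> 0 if the EKU is present, 1 if not
has_eku() {
    cert=$1
    case $2 in
        serverAuth) label='TLS Web Server Authentication' ;;
        clientAuth) label='TLS Web Client Authentication' ;;
        *) echo "has_eku: unknown usage '$2'" >&2; return 2 ;;
    esac
    # Inspect the decoded extension itself rather than 'openssl x509 -purpose',
    # which also reports a cert with *no* EKU at all as usable for server auth.
    openssl x509 -in "$cert" -noout -text 2>/dev/null | grep -q "$label"
}

# make_cert OUT.pem [serverAuth|clientAuth]
# Throwaway self-signed cert (constructed test data), with or without an EKU.
make_cert() {
    out=$1
    eku=$2
    if [ -n "$eku" ]; then
        set -- -addext "extendedKeyUsage=$eku"
    else
        set --
    fi
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj /CN=radius.example.test \
        -keyout "$out.key" -out "$out" "$@" 2>/dev/null
}

# demo: the good and the bad server certificate side by side.
demo() {
    dir=$(mktemp -d)
    make_cert "$dir/server-ok.pem" serverAuth
    make_cert "$dir/server-noeku.pem"
    for f in server-ok.pem server-noeku.pem; do
        if has_eku "$dir/$f" serverAuth; then
            echo "$f: serverAuth EKU present"
        else
            echo "$f: serverAuth EKU missing; expect the client to stay silent as in the log above"
        fi
    done
    rm -rf "$dir"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run as `sh check_eku.sh demo` to see both cases; point `has_eku` at the `.pem` produced by CA.svr (and CA.clt with `clientAuth`) to check the real certificates.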