Missing TLS Change Cipher Spec and TLS Finished in EAP-TLS exchanges

Arnaud Ebalard arno at natisbad.org
Fri Jan 23 21:19:28 CET 2009


I upgraded an internal freeradius server (Linux, Debian unstable, libssl
0.9.8) used for EAP-TLS (802.11 WPA2 access) from 2.0.5 to 2.1.3.

With 2.1.3, client authentication fails in the following way
(wpasupplicant on Debian unstable, working with 2.0.5):

 - the TLS exchange is completed from freeradius's point of view. It even
   sends the Access-Accept message to the NAS.
 - from the client's point of view, the TLS exchange is not over; it
   expects some more data from the server, which is never sent.

I took two pcap traces (sent to you privately, Alan), one with 2.0.5,
one with 2.1.3. It looks like the TLS Change Cipher and TLS Finished
elements of the TLS exchange are not in the EAP encapsulated TLS packets
sent by the server.

Compare packet #23 of 2.1.3 trace with packet #27 of 2.0.5 trace. If you
use wireshark, you will notice that the SSL layer is dissected; this is
because #27 has a small brother: #29. It is not sent by 2.1.3.

Alan, if you have an idea or a patch, I can test it on Monday.
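
Added example, not part of the original post or of the freeradius code: a Python check that reassembles the EAP-TLS fragments of a server flight and reports whether it contains a ChangeCipherSpec record followed by a handshake record (the encrypted Finished), which is what the report says is missing. It assumes the caller passes only server-to-peer EAP packets already extracted from RADIUS; all function names and sample bytes are constructed for illustration.

```python
import struct

EAP_TYPE_TLS, FLAG_L, FLAG_M = 13, 0x80, 0x40   # EAP type and EAP-TLS flag bits
CCS, HANDSHAKE = 20, 22                          # TLS record content types

def eap_tls_data(pkt):
    """Return (more_fragments, tls_bytes) carried by one EAP-TLS packet."""
    if len(pkt) < 6:
        raise ValueError("short EAP packet")
    _code, _ident, length, etype, flags = struct.unpack("!BBHBB", pkt[:6])
    if etype != EAP_TYPE_TLS or length > len(pkt):
        raise ValueError("not a complete EAP-TLS packet")
    off = 10 if flags & FLAG_L else 6   # L flag: 4-byte TLS Message Length follows
    return bool(flags & FLAG_M), pkt[off:length]

def tls_record_types(stream):
    """Walk TLS record headers (type, version, length); list the content types."""
    types, off = [], 0
    while off < len(stream):
        if off + 5 > len(stream):
            raise ValueError("truncated TLS record header")
        ctype, _ver, rlen = struct.unpack("!BHH", stream[off:off + 5])
        if off + 5 + rlen > len(stream):
            raise ValueError("truncated TLS record")
        types.append(ctype)
        off += 5 + rlen
    return types

def server_flight_finishes(eap_packets):
    """True if the reassembled flight has a ChangeCipherSpec record followed by
    a handshake record (the Finished, encrypted once CCS has been sent)."""
    types = tls_record_types(b"".join(eap_tls_data(p)[1] for p in eap_packets))
    return CCS in types and HANDSHAKE in types[types.index(CCS) + 1:]

# --- constructed sample data (not taken from the traces mentioned in the post) ---
def make_record(ctype, payload):
    return struct.pack("!BHH", ctype, 0x0301, len(payload)) + payload

def make_eap(ident, tls, flags=0, total=0):
    extra = struct.pack("!I", total) if flags & FLAG_L else b""
    body = bytes([EAP_TYPE_TLS, flags]) + extra + tls
    return struct.pack("!BBH", 1, ident, 4 + len(body)) + body   # code 1 = Request

FLIGHT = make_record(CCS, b"\x01") + make_record(HANDSHAKE, bytes(48))
GOOD = [make_eap(7, FLIGHT[:20], FLAG_L | FLAG_M, len(FLIGHT)), make_eap(8, FLIGHT[20:])]
BAD = [make_eap(7, b"")]   # final server packet carrying no TLS records

if __name__ == "__main__":
    print("good:", server_flight_finishes(GOOD), "bad:", server_flight_finishes(BAD))
```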



