EAP-TLS broken in 2.1.3? (was: Missing TLS Change Cipher Spec and TLS Finished in EAP-TLS exchanges)

Arnaud Ebalard arno at natisbad.org
Tue Jan 27 11:23:29 CET 2009


Hi,

arno at natisbad.org (Arnaud Ebalard) writes:

> I upgraded an internal freeradius server (Linux, Debian unstable, libssl
> 0.9.8) used for EAP-TLS (802.11 WPA2 access) from 2.0.5 to 2.1.3.
>
> With 2.1.3, client authentication fails in the following way
> (wpasupplicant on Debian unstable, working with 2.0.5):
>
>  - the TLS exchange is completed from freeradius point of view. It even
>    sends the Access-Accept message to the NAS.
>  - from the clients point of view, the TLS exchange is not over, it
>    expects some more data from the server which are never sent.
>
> I took two pcap traces (sent to you privately, Alan), one with 2.0.5,
> one with 2.1.3. It looks like the TLS Change Cipher and TLS Tinished
> elements of the TLS exchange are not in the EAP encapsulated TLS packets
> sent by the server.
>
> Compare packet #23 of 2.1.3 trace with packet #27 of 2.0.5 trace. If you
> use wireshark, you will notice that the SSL layer is dissected; this is
> because #27 has a small brother: #29. It is not sent by 2.1.3.
>
> Alan, if you have an idea or a patch, I can test it on monday.

I wonder if my first mail slipped through or if it just that noone had
time to look at it. I changed the subject to something more explicit.

Cheers,

a+




More information about the Freeradius-Devel mailing list