[PATCH] Fix broken EAP-TLS (bug introduced 2008/08/24 by b51a3a82)
yuqiang
yuqiang1973 at 163.com
Fri Jul 8 17:30:56 CEST 2011
Oh, I am sorry. But the problem I met is just like the event described in the mailing list here. I downloaded the new version of FreeRADIUS (2.1.10) and ran it on Linux. When the certificate is expired or invalid, I found the data sent by the server were missing. The log follows.
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
TLS Length 225
[tls] Length Included
[tls] eaptls_verify returned 11
[tls] <<< TLS 1.0 Handshake [length 0b8c], Certificate
[tls] chain-depth=2,
[tls] error=0
[tls] --> User-Name = test
[tls] --> BUF-Name = ZJRoot,2.5.4.1
[tls] --> subject = /C=\x00C\x00N/ST=mYl_w\x01/L=gm]\xDE^\x02/O=mYl_w\x01ep[W\x8B\xA4\x8B\xC1N-_\xC3/CN=\x00Z\x00J\x00R\x00o\x00o\x00t
[tls] --> issuer = /C=\x00C\x00N/ST=mYl_w\x01/L=gm]\xDE^\x02/O=mYl_w\x01ep[W\x8B\xA4\x8B\xC1N-_\xC3/CN=\x00Z\x00J\x00R\x00o\x00o\x00t
[tls] --> verify return:1
[tls] chain-depth=1,
[tls] error=0
[tls] --> User-Name = test
[tls] --> BUF-Name = ZJCA,2.5.4.1
[tls] --> subject = /C=\x00C\x00N/ST=mYl_w\x01/L=gm]\xDE^\x02/O=mYl_w\x01ep[W\x8B\xA4\x8B\xC1N-_\xC3/CN=\x00Z\x00J\x00C\x00A
[tls] --> issuer = /C=\x00C\x00N/ST=mYl_w\x01/L=gm]\xDE^\x02/O=mYl_w\x01ep[W\x8B\xA4\x8B\xC1N-_\xC3/CN=\x00Z\x00J\x00R\x00o\x00o\x00t
[tls] --> verify return:1
--> verify error:num=10:certificate has expired
[tls] >>> TLS 1.0 Alert [length 0002], fatal certificate_expired
TLS Alert write:fatal:certificate expired
TLS_accept: error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
SSL: SSL_read failed in a system call (-1), TLS session fails.
TLS receive handshake failed during operation
[tls] eaptls_process returned 4
[eap] Handler failed in EAP/tls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
The event does not conform to RFC 5216; see the italic text (marked /.../ below):

Authenticating Peer     Authenticator
-------------------     -------------
                        <- EAP-Request/
                        Identity
EAP-Response/
Identity (MyID) ->
                        <- EAP-Request/
                        EAP-Type=EAP-TLS
                        (TLS Start)
EAP-Response/
EAP-Type=EAP-TLS
(TLS client_hello)->
                        <- EAP-Request/
                        EAP-Type=EAP-TLS
                        (TLS server_hello,
                          TLS certificate,
                 [TLS server_key_exchange,]
                          TLS certificate_request,
                          TLS server_hello_done)
EAP-Response/
EAP-Type=EAP-TLS
(TLS certificate,
 TLS client_key_exchange,
 TLS certificate_verify,
 TLS change_cipher_spec,
 TLS finished) ->
                        /<- EAP-Request/
                        EAP-Type=EAP-TLS
                        (TLS change_cipher_spec,
                        TLS finished)/
EAP-Response/
EAP-Type=EAP-TLS ->
                        <- EAP-Request
                        EAP-Type=EAP-TLS
                        (TLS Alert message)
EAP-Response/
EAP-Type=EAP-TLS ->
                        <- EAP-Failure
                        (User Disconnected)
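As an added example (not part of the original post and not FreeRADIUS code), a small Python checker that reads the `[tls] <<< / >>>` record trace shown above and reports whether the server's termination matches the RFC 5216 figure the poster quotes; the line formats for ChangeCipherSpec and Finished records are assumed to follow the same trace style as the Certificate and Alert lines on the page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
# Matches the TLS record trace FreeRADIUS writes from its OpenSSL message callback,
# e.g. "[tls] >>> TLS 1.0 Alert [length 0002], fatal certificate_expired".
# "<<<" marks a record the server read from the peer, ">>>" one it wrote.
RECORD_RE = re.compile(
    r"\[tls\]\s+(?P<dir><<<|>>>)\s+TLS\s+\S+\s+(?P<type>\w+)"
    r"\s+\[length\s+[0-9a-f]+\](?:,\s+(?P<detail>.*))?$"
)

@dataclass
class Record:
    sent_by_server: bool
    content_type: str       # Handshake, ChangeCipherSpec, Alert, ... (assumed names)
    detail: Optional[str]   # handshake message name or alert description

def parse_trace(log: str) -> List[Record]:
    # Keep only the record lines; chain-depth/verify lines are ignored.
    records = []
    for line in log.splitlines():
        m = RECORD_RE.search(line.strip())
        if m:
            records.append(Record(m["dir"] == ">>>", m["type"], m["detail"]))
    return records

def check_rfc5216_termination(records: List[Record]) -> Optional[str]:
    """None if the server sent change_cipher_spec and finished before its Alert,
    as in the RFC 5216 figure quoted above; otherwise what was missing."""
    sent_ccs = sent_finished = False
    for rec in records:
        if not rec.sent_by_server:
            continue
        if rec.content_type == "ChangeCipherSpec":
            sent_ccs = True
        elif rec.content_type == "Handshake" and rec.detail == "Finished":
            sent_finished = True
        elif rec.content_type == "Alert":
            missing = [name for name, ok in (("change_cipher_spec", sent_ccs),
                                             ("finished", sent_finished)) if not ok]
            if not missing:
                return None
            return f"server sent Alert ({rec.detail}) without prior {', '.join(missing)}"
    return None  # no server Alert in the trace: nothing to judge

# Record lines copied from the debug output in the report above.
REPORTED_TRACE = """\
[tls] <<< TLS 1.0 Handshake [length 0b8c], Certificate
[tls] >>> TLS 1.0 Alert [length 0002], fatal certificate_expired
"""
```

Running `check_rfc5216_termination(parse_trace(REPORTED_TRACE))` on the reported trace flags the Alert as sent without a prior change_cipher_spec and finished, which is exactly the gap the poster points at in the figure.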