[PATCH] Fix broken EAP-TLS (bug introduced 2008/08/24 by b51a3a82)
yuqiang
yuqiang1973 at 163.com
Fri Jul 8 17:41:36 CEST 2011
Oh, I am sorry. But the problem I met is just like the event described in the
mailing list here. I downloaded the new version of FreeRADIUS (2.1.10) and ran
it on Linux. When the certificate is expired or invalid, I found the data sent
by the server were missed. The log is as follows. The exchange between the client
and server does not conform to RFC 5216, as described in the italic text.
RFC 5216 Section 2.1

Authenticating Peer     Authenticator
-------------------     -------------
                        <- EAP-Request/
                        Identity
EAP-Response/
Identity (MyID) ->
                        <- EAP-Request/
                        EAP-Type=EAP-TLS
                        (TLS Start)
EAP-Response/
EAP-Type=EAP-TLS
(TLS client_hello)->
                        <- EAP-Request/
                        EAP-Type=EAP-TLS
                        (TLS server_hello,
                        TLS certificate,
                        [TLS server_key_exchange,]
                        TLS certificate_request,
                        TLS server_hello_done)
EAP-Response/
EAP-Type=EAP-TLS
(TLS certificate,
TLS client_key_exchange,
TLS certificate_verify,
TLS change_cipher_spec,
TLS finished) ->
                        <- EAP-Request/
                        EAP-Type=EAP-TLS
                        (TLS change_cipher_spec,
                        TLS finished)
EAP-Response/
EAP-Type=EAP-TLS ->
                        /<- EAP-Request
                        EAP-Type=EAP-TLS
                        (TLS Alert message) /
EAP-Response/
EAP-Type=EAP-TLS ->
                        <- EAP-Failure
                        (User Disconnected)
The log:
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
TLS Length 225
[tls] Length Included
[tls] eaptls_verify returned 11
[tls] <<< TLS 1.0 Handshake [length 0b8c], Certificate
[tls] chain-depth=2,
[tls] error=0
[tls] --> User-Name = test
[tls] --> BUF-Name = ZJRoot,2.5.4.1
[tls] --> subject = /C=\x00C\x00N/ST=mYl_w\x01/L=gm]\xDE^\x02/O=mYl_w\x01ep[W\x8B\xA4\x8B\xC1N-_\xC3/CN=\x00Z\x00J\x00R\x00o\x00o\x00t
[tls] --> issuer = /C=\x00C\x00N/ST=mYl_w\x01/L=gm]\xDE^\x02/O=mYl_w\x01ep[W\x8B\xA4\x8B\xC1N-_\xC3/CN=\x00Z\x00J\x00R\x00o\x00o\x00t
[tls] --> verify return:1
[tls] chain-depth=1,
[tls] error=0
[tls] --> User-Name = test
[tls] --> BUF-Name = ZJCA,2.5.4.1
[tls] --> subject = /C=\x00C\x00N/ST=mYl_w\x01/L=gm]\xDE^\x02/O=mYl_w\x01ep[W\x8B\xA4\x8B\xC1N-_\xC3/CN=\x00Z\x00J\x00C\x00A
[tls] --> issuer = /C=\x00C\x00N/ST=mYl_w\x01/L=gm]\xDE^\x02/O=mYl_w\x01ep[W\x8B\xA4\x8B\xC1N-_\xC3/CN=\x00Z\x00J\x00R\x00o\x00o\x00t
[tls] --> verify return:1
--> verify error:num=10:certificate has expired
[tls] >>> TLS 1.0 Alert [length 0002], fatal certificate_expired
TLS Alert write:fatal:certificate expired
TLS_accept: error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
SSL: SSL_read failed in a system call (-1), TLS session fails.
TLS receive handshake failed during operation
[tls] eaptls_process returned 4
[eap] Handler failed in EAP/tls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
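The subject = and issuer = values in the log above look like line noise because OpenSSL's X509_NAME_oneline() prints BMPString attribute values as raw UTF-16BE bytes with \xNN escapes; decoded, they read CN=ZJRoot and CN=ZJCA with CJK province, city and organisation fields. The following decoder is an added example, not part of the post or of FreeRADIUS: the sample DNs are copied from the log, and the UTF-8-first, then UTF-16BE fallback order is an assumption.

```python
import re
import unicodedata

# Constructed samples: the subject DNs of the ZJRoot and ZJCA certificates,
# copied from the FreeRADIUS debug log as X509_NAME_oneline() printed them.
SUBJECT_ROOT = (r"/C=\x00C\x00N/ST=mYl_w\x01/L=gm]\xDE^\x02"
                r"/O=mYl_w\x01ep[W\x8B\xA4\x8B\xC1N-_\xC3"
                r"/CN=\x00Z\x00J\x00R\x00o\x00o\x00t")
SUBJECT_CA = (r"/C=\x00C\x00N/ST=mYl_w\x01/L=gm]\xDE^\x02"
              r"/O=mYl_w\x01ep[W\x8B\xA4\x8B\xC1N-_\xC3"
              r"/CN=\x00Z\x00J\x00C\x00A")

_ESC = re.compile(rb"\\x([0-9A-Fa-f]{2})")

def unescape_oneline(value: str) -> bytes:
    """Turn OpenSSL's \\xNN escapes back into the raw attribute bytes."""
    return _ESC.sub(lambda m: bytes([int(m.group(1), 16)]), value.encode("latin-1"))

def _printable(text: str) -> bool:
    # Reject control, format, unassigned and private-use code points.
    return not any(unicodedata.category(ch).startswith("C") for ch in text)

def decode_attribute(raw: bytes) -> str:
    """Recover one DN attribute value from its raw bytes.
    X509_NAME_oneline() dumps BMPString values as raw UTF-16BE, so an ASCII
    CN like "ZJRoot" shows up as \\x00Z\\x00J... and CJK values look like
    line noise. Heuristic (assumption): keep a printable UTF-8 decode, else
    try UTF-16BE; a BMPString whose UTF-16BE bytes are all printable ASCII
    would be misread, since oneline output drops the ASN.1 string type."""
    try:
        text = raw.decode("utf-8")
        if _printable(text):
            return text
    except UnicodeDecodeError:
        pass
    if len(raw) % 2 == 0:
        try:
            text = raw.decode("utf-16-be")
            if _printable(text):
                return text
        except UnicodeDecodeError:
            pass
    return raw.decode("latin-1")  # last resort: one character per byte

def parse_oneline_dn(dn: str) -> dict:
    """Split a oneline DN into {attribute: decoded value}, preserving order."""
    parts = {}
    for rdn in dn.split("/")[1:]:  # the leading "/" gives an empty first item
        key, _, value = rdn.partition("=")
        parts[key] = decode_attribute(unescape_oneline(value))
    return parts
```

For real triage, prefer `openssl x509 -nameopt utf8,sep_comma_plus` (or RFC 2253 output) over oneline format, which loses the string type and cannot escape "/" inside values.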