Missing SSL Change Cipher Spec in EAP-TLS with Client Certificate verify failed

yuqiang yuqiang1973 at 163.com
Fri Jul 8 17:43:17 CEST 2011 

Oh,I am sorry. But the problem i meet just like the event descibed in
mailinglist here. I downloaded the new version of freeradius(2.1.10) and run
it on LINUX.When the certificate is expired or invalid,I found the data sent
by server were missed. The log is as followed.The exchange between client
and server is not conformed to RFC5216 described as italic text.


RFC 5216 Section 2.1 

   Authenticating Peer     Authenticator 
   -------------------     ------------- 
                           <- EAP-Request/ 
                           Identity 
   EAP-Response/ 
   Identity (MyID) -> 
                           <- EAP-Request/ 
                           EAP-Type=EAP-TLS 
                           (TLS Start) 
   EAP-Response/ 
   EAP-Type=EAP-TLS 
   (TLS client_hello)-> 
                           <- EAP-Request/ 
                           EAP-Type=EAP-TLS 
                           (TLS server_hello, 
                             TLS certificate, 
                    [TLS server_key_exchange,] 
               TLS certificate_request, 
                 TLS server_hello_done) 

   EAP-Response/ 
   EAP-Type=EAP-TLS 
   (TLS certificate, 
    TLS client_key_exchange, 
    TLS certificate_verify, 
    TLS change_cipher_spec, 
    TLS finished) -> 

                           <- EAP-Request/ 
                           EAP-Type=EAP-TLS 
                           (TLS change_cipher_spec, 
                           TLS finished)
   EAP-Response/ 
   EAP-Type=EAP-TLS -> 
                           /<- EAP-Request 
                           EAP-Type=EAP-TLS 
                           (TLS Alert message) /
   EAP-Response/ 
   EAP-Type=EAP-TLS -> 
                           <- EAP-Failure 
                           (User Disconnected) 




the log:


+- entering group authenticate {...} 
[eap] Request found, released from the list 
[eap] EAP/tls 
[eap] processing type tls 
[tls] Authenticate 
[tls] processing EAP-TLS 
  TLS Length 225 
[tls] Length Included 
[tls] eaptls_verify returned 11 
[tls] <<< TLS 1.0 Handshake [length 0b8c], Certificate 
[tls] chain-depth=2, 
[tls] error=0 
[tls] --> User-Name = test 
[tls] --> BUF-Name = ZJRoot,2.5.4.1 
[tls] --> subject =
/C=\x00C\x00N/ST=mYl_w\x01/L=gm]\xDE^\x02/O=mYl_w\x01ep[W\x8B\xA4\x8B\xC1N-_\xC3/CN=\x00Z\x00J\x00R\x00o\x00o\x00t 
[tls] --> issuer  =
/C=\x00C\x00N/ST=mYl_w\x01/L=gm]\xDE^\x02/O=mYl_w\x01ep[W\x8B\xA4\x8B\xC1N-_\xC3/CN=\x00Z\x00J\x00R\x00o\x00o\x00t 
[tls] --> verify return:1 
[tls] chain-depth=1, 
[tls] error=0 
[tls] --> User-Name = test 
[tls] --> BUF-Name = ZJCA,2.5.4.1 
[tls] --> subject =
/C=\x00C\x00N/ST=mYl_w\x01/L=gm]\xDE^\x02/O=mYl_w\x01ep[W\x8B\xA4\x8B\xC1N-_\xC3/CN=\x00Z\x00J\x00C\x00A 
[tls] --> issuer  =
/C=\x00C\x00N/ST=mYl_w\x01/L=gm]\xDE^\x02/O=mYl_w\x01ep[W\x8B\xA4\x8B\xC1N-_\xC3/CN=\x00Z\x00J\x00R\x00o\x00o\x00t 
[tls] --> verify return:1 
--> verify error:num=10:certificate has expired 
[tls] >>> TLS 1.0 Alert [length 0002], fatal certificate_expired 
TLS Alert write:fatal:certificate expired 
    TLS_accept: error in SSLv3 read client certificate B 
rlm_eap: SSL error error:140890B2:SSL
routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned 
SSL: SSL_read failed in a system call (-1), TLS session fails. 
TLS receive handshake failed during operation 
[tls] eaptls_process returned 4 
[eap] Handler failed in EAP/tls 
[eap] Failed in EAP select 
++[eap] returns invalid 
Failed to authenticate the user. 
Using Post-Auth-Type Reject 



--
View this message in context: http://freeradius.1045715.n5.nabble.com/Missing-SSL-Change-Cipher-Spec-in-EAP-TLS-with-Client-Certificate-verify-failed-tp4565228p4565228.html
Sent from the FreeRadius - Dev mailing list archive at Nabble.com.

More information about the Freeradius-Devel mailing list