Missing SSL Change Cipher Spec in EAP-TLS with Client Certificate verify failed

yuqiang yuqiang1973 at 163.com
Sat Jul 9 02:52:18 CEST 2011


Hi, my friends,
      I should sum up my problems as follows. According to RFC 5216 strictly (Fig 1), when the server has verified that a certificate is valid, it should return a packet with (TLS change_cipher_spec, TLS finished), and the client waits for that packet and then returns (EAP-Response). But please see the log (Fig 2): the server returns a (TLS Alert message) packet directly, lacking the above step. So I think FreeRADIUS is not as required by the specifications; is that right?
      Best regards

                        Fig 1      
 RFC 5216 Section 2.1 

   Authenticating Peer     Authenticator 
   -------------------     ------------- 
                           <- EAP-Request/ 
                           Identity 
   EAP-Response/ 
   Identity (MyID) -> 
                           <- EAP-Request/ 
                           EAP-Type=EAP-TLS 
                           (TLS Start) 
   EAP-Response/ 
   EAP-Type=EAP-TLS 
   (TLS client_hello)-> 
                           <- EAP-Request/ 
                           EAP-Type=EAP-TLS 
                           (TLS server_hello, 
                             TLS certificate, 
                             [TLS server_key_exchange,]
                              TLS certificate_request,
                              TLS server_hello_done)

   EAP-Response/ 
   EAP-Type=EAP-TLS 
   (TLS certificate, 
    TLS client_key_exchange, 
    TLS certificate_verify, 
    TLS change_cipher_spec, 
    TLS finished) -> 

                           <- EAP-Request/ 
                           EAP-Type=EAP-TLS 
                           (TLS change_cipher_spec, 
                           TLS finished)
   EAP-Response/ 
   EAP-Type=EAP-TLS -> 
                           <- EAP-Request 
                           EAP-Type=EAP-TLS 
                           (TLS Alert message) 
   EAP-Response/ 
   EAP-Type=EAP-TLS -> 
                           <- EAP-Failure 
                           (User Disconnected) 

                  Fig 2




2011-07-09 



yuqiang1973 



From: Alan DeKok-2 [via FreeRadius]
Sent: 2011-07-09 00:21:07
To: yuqiang
Cc:
Subject: Re: Missing SSL Change Cipher Spec in EAP-TLS with Client Certificate verify failed
 
Phil Mayers wrote: 
> EAP-TLS in FreeRADIUS WORKS. Stop posting nonsense about RFC compliance. 

  If the certificate verification fails, then the server is *supposed* 
to stop the EAP-TLS conversation. 

> FreeRADIUS just uses OpenSSL. OpenSSL works. OpenSSL is compliant with 
> the standards. 
> 
> There is nothing wrong with FreeRADIUS or OpenSSL. 

  Everything is working as expected, and as required by the specifications. 

  Alan DeKok. 
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
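As an added example (not code from the original post or from FreeRADIUS), a Python decoder for the EAP-TLS packet format of RFC 5216 section 3.1 that lists which TLS record types an EAP-Request carries, so a capture can be checked for the (change_cipher_spec, finished) flight of Fig 1 versus the Alert flight of Fig 2. The sample packets, and the alert code unknown_ca, are constructed here; the actual alert the post saw is not given.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_TLS = 13
TLS_CONTENT = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
ALERT_DESC = {40: "handshake_failure", 42: "bad_certificate", 44: "certificate_revoked",
              45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca"}

def parse_eap_tls(pkt: bytes) -> dict:
    """Decode one EAP packet (RFC 3748) and list the TLS records an EAP-TLS payload carries."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError(f"EAP length {length} != packet size {len(pkt)}")
    out = {"code": EAP_CODES.get(code, code), "id": ident, "records": []}
    if code not in (1, 2) or pkt[4] != EAP_TYPE_TLS:   # Success/Failure or non-TLS method
        return out
    flags = pkt[5]
    out["type"] = "EAP-TLS"
    out["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40), "S": bool(flags & 0x20)}
    pos = 6
    if flags & 0x80:                    # L bit: 4-byte TLS message length precedes the data
        out["tls_total_len"] = struct.unpack("!I", pkt[pos:pos + 4])[0]
        pos += 4
    data = pkt[pos:]
    while len(data) >= 5:               # walk the TLS records inside this fragment
        ctype, ver, rlen = struct.unpack("!BHH", data[:5])
        body, data = data[5:5 + rlen], data[5 + rlen:]
        rec = {"type": TLS_CONTENT.get(ctype, ctype), "version": hex(ver)}
        if len(body) < rlen:            # record continues in a later fragment (M bit set)
            rec["partial"] = True
        elif ctype == 21:               # alert: level byte, then description byte
            rec["level"] = {1: "warning", 2: "fatal"}.get(body[0], body[0])
            rec["description"] = ALERT_DESC.get(body[1], body[1])
        out["records"].append(rec)
    return out

def tls_record(ctype: int, payload: bytes, version: int = 0x0301) -> bytes:
    return struct.pack("!BHH", ctype, version, len(payload)) + payload

def build_eap_tls(code: int, ident: int, tls: bytes) -> bytes:
    """Single-fragment EAP-TLS packet with the L bit set (helper written for this example)."""
    body = bytes([EAP_TYPE_TLS, 0x80]) + struct.pack("!I", len(tls)) + tls
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

# Constructed samples: the server flight Fig 1 shows after a good client certificate
# (change_cipher_spec + encrypted Finished), an Alert flight like Fig 2 after a failed verify
# (fatal/unknown_ca chosen here; the real alert code is not in the post), and EAP-Failure.
SUCCESS_REQ = build_eap_tls(1, 7, tls_record(20, b"\x01") + tls_record(22, b"\x00" * 12))
ALERT_REQ = build_eap_tls(1, 7, tls_record(21, bytes([2, 48])))
FAILURE = struct.pack("!BBH", 4, 8, 4)
```

Running `parse_eap_tls` over each EAP-Request in a capture shows immediately whether the server answered the client's certificate flight with change_cipher_spec or with an alert, and which alert.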







--
View this message in context: http://freeradius.1045715.n5.nabble.com/Missing-SSL-Change-Cipher-Spec-in-EAP-TLS-with-Client-Certificate-verify-failed-tp4565228p4567123.html
Sent from the FreeRadius - Dev mailing list archive at Nabble.com.

