(4) eap_tls: ERROR: TLS Alert write:fatal:unexpected_message
Michel Verhagen
mike at guruce.com
Mon Apr 12 09:30:10 CEST 2021
Hi,
I'm integrating hostap's EAP library and its EAP supplicant state
machine on an embedded device and am testing against the FreeRADIUS
server. I've got MD5 authentication going (yes, I know this is open to
attacks) and I have EAP-TTLS going as well. However, with EAP-TLS I'm
getting the error as per the subject of this email. I'm getting the same
error if I set the EAP-TTLS config option "require_client_cert = yes".
It definitely is a problem with the certificate, but I don't know what
(or how to get more information about this). I created the test
certificates and copied the ca.pem file to the device with my hostap EAP
library and EAP supplicant state machine.
The FreeRadius log:
(4) Found Auth-Type = eap
(4) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(4) authenticate {
(4) eap: Expiring EAP session with state 0x05594454060d4948
(4) eap: Finished EAP session with state 0x05594454060d4948
(4) eap: Previous EAP request found for state 0x05594454060d4948, released from the list
(4) eap: Peer sent packet with method EAP TLS (13)
(4) eap: Calling submodule eap_tls to process data
(4) eap_tls: Continuing EAP-TLS
(4) eap_tls: [eaptls verify] = ok
(4) eap_tls: Done initial handshake
(4) eap_tls: TLS_accept: SSLv3/TLS write server done
(4) eap_tls: >>> send TLS 1.2 [length 0002]
(4) eap_tls: ERROR: TLS Alert write:fatal:unexpected_message
tls: TLS_accept: Error in error
(4) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:141A20F4:SSL routines:ossl_statem_server_read_transition:unexpected message
(4) eap_tls: ERROR: System call (I/O) error (-1)
(4) eap_tls: ERROR: TLS receive handshake failed during operation
(4) eap_tls: ERROR: [eaptls process] = fail
(4) eap: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module failed
(4) eap: Sending EAP Failure (code 4) ID 84 length 4
(4) eap: Failed in EAP select
(4) [eap] = invalid
(4) } # authenticate = invalid
(4) Failed to authenticate the user
(4) Using Post-Auth-Type Reject
The wireshark log (for EAP-TLS) looks like this:
No. Time Source Destination Protocol Length Info
16 2.721206 00:11:22:33:44:55 00:00:00:00:00:00 EAPOL 60 Start
17 2.722845 cc:37:ab:cb:f6:98 01:80:c2:00:00:03 EAP 60 Request, Identity
18 2.741815 00:11:22:33:44:55 cc:37:ab:cb:f6:98 EAP 60 Response, Identity
19 2.746876 192.168.1.2 192.168.1.4 RADIUS 144 Access-Request id=166
42 2.752227 192.168.1.4 192.168.1.2 RADIUS 106 Access-Challenge id=166
46 2.756640 cc:37:ab:cb:f6:98 01:80:c2:00:00:03 EAP 60 Request, TLS EAP (EAP-TLS)
69 6.971847 00:11:22:33:44:55 cc:37:ab:cb:f6:98 TLSv1.2 226 Client Hello
70 7.084757 192.168.1.2 192.168.1.4 RADIUS 359 Access-Request id=65
112 7.149186 192.168.1.4 192.168.1.2 RADIUS 1110 Access-Challenge id=65
118 7.156721 cc:37:ab:cb:f6:98 01:80:c2:00:00:03 EAP 1022 Request, TLS EAP (EAP-TLS)
119 7.162062 00:11:22:33:44:55 cc:37:ab:cb:f6:98 EAP 60 Response, TLS EAP (EAP-TLS)
120 7.166973 192.168.1.2 192.168.1.4 RADIUS 157 Access-Request id=136
141 7.170477 192.168.1.4 192.168.1.2 RADIUS 1110 Access-Challenge id=136
145 7.176735 cc:37:ab:cb:f6:98 01:80:c2:00:00:03 EAP 1022 Request, TLS EAP (EAP-TLS)
146 7.182956 00:11:22:33:44:55 cc:37:ab:cb:f6:98 EAP 60 Response, TLS EAP (EAP-TLS)
147 7.188318 192.168.1.2 192.168.1.4 RADIUS 157 Access-Request id=166
166 7.191746 192.168.1.4 192.168.1.2 RADIUS 1063 Access-Challenge id=166
170 7.196867 cc:37:ab:cb:f6:98 01:80:c2:00:00:03 TLSv1.2 975 Server Hello, Certificate, Server Key Exchange, Certificate Request, Server Hello Done
257 16.852519 00:11:22:33:44:55 cc:37:ab:cb:f6:98 TLSv1.2 150 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
258 16.882712 192.168.1.2 192.168.1.4 RADIUS 283 Access-Request id=56
290 17.929500 192.168.1.4 192.168.1.2 RADIUS 86 Access-Reject id=56
296 18.007949 cc:37:ab:cb:f6:98 01:80:c2:00:00:03 EAP 60 Failure
Any ideas?
Thanks in advance,
Mike.
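In the capture above the server's flight (frame 170) ends with Certificate Request, Server Hello Done, yet the client's reply (frame 257) opens with Client Key Exchange; RFC 5246 section 7.4.6 requires a Certificate message (empty if the client has none) first whenever one was requested, which matches the unexpected message raised in ossl_statem_server_read_transition in the log. The following Python checker is an added example, not code from the mail or from hostap/FreeRADIUS; it parses plaintext TLS 1.2 records and flags a client flight that skips that message, using constructed byte strings with dummy message bodies in place of the real trace.

```python
import struct

# TLS record content types and handshake message types (RFC 5246).
HANDSHAKE, CHANGE_CIPHER_SPEC = 22, 20
HS_NAMES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
            12: "ServerKeyExchange", 13: "CertificateRequest",
            14: "ServerHelloDone", 16: "ClientKeyExchange", 20: "Finished"}

def parse_flight(data: bytes):
    """List the handshake messages in a TLS record stream; anything after
    ChangeCipherSpec is encrypted and reported as 'Encrypted', not parsed."""
    msgs, encrypted, off = [], False, 0
    while off + 5 <= len(data):
        ctype, _ver, length = struct.unpack("!BHH", data[off:off + 5])
        body, off = data[off + 5:off + 5 + length], off + 5 + length
        if encrypted:
            msgs.append("Encrypted")
        elif ctype == CHANGE_CIPHER_SPEC:
            msgs.append("ChangeCipherSpec")
            encrypted = True
        elif ctype == HANDSHAKE:
            pos = 0
            while pos + 4 <= len(body):  # 4-byte header: type + 24-bit length
                mtype = body[pos]
                mlen = int.from_bytes(body[pos + 1:pos + 4], "big")
                msgs.append(HS_NAMES.get(mtype, f"type{mtype}"))
                pos += 4 + mlen
    return msgs

def missing_client_cert(server_msgs, client_msgs):
    """True when the server sent CertificateRequest but the client's next
    flight does not begin with a Certificate message (RFC 5246 7.4.6)."""
    return ("CertificateRequest" in server_msgs
            and client_msgs[:1] != ["Certificate"])

# Helpers to build constructed sample records (dummy bodies, not trace data).
def record(ctype, body):
    return struct.pack("!BHH", ctype, 0x0303, len(body)) + body

def hs(mtype, body=b""):
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body

# Server flight as in frame 170; client flight as in frame 257 (no Certificate).
SERVER_FLIGHT = record(HANDSHAKE, hs(2, b"\x03\x03" + b"\0" * 32) + hs(11, b"\0\0\0")
                       + hs(12) + hs(13, b"\0\0\0") + hs(14))
BROKEN_CLIENT = (record(HANDSHAKE, hs(16, b"\x20" + b"\1" * 32))
                 + record(CHANGE_CIPHER_SPEC, b"\x01")
                 + record(HANDSHAKE, b"\x16" * 40))  # encrypted Finished
# What the supplicant should send: an (empty) Certificate message first.
FIXED_CLIENT = record(HANDSHAKE, hs(11, b"\0\0\0")) + BROKEN_CLIENT
```

Run `missing_client_cert(parse_flight(SERVER_FLIGHT), parse_flight(BROKEN_CLIENT))` on records exported from the capture to confirm the diagnosis before looking at the certificate files themselves.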