(4) eap_tls: ERROR: TLS Alert write:fatal:unexpected_message

Alan DeKok aland at deployingradius.com
Mon Apr 12 13:31:43 CEST 2021

On Apr 12, 2021, at 3:30 AM, Michel Verhagen <mike at guruce.com> wrote:
> I'm integrating hostap's EAP library and its EAP supplicant state machine on an embedded device and am testing against the FreeRADIUS server. I've got MD5 authentication going (yes, I know this is open to attacks) and I have EAP-TTLS going as well. However, with EAP-TLS I'm getting the error as per subject of this email. I'm getting the same error if I set the EAP-TTLS config option "require_client_cert = yes".

  I'd grab the v3.0.x branch from GitHub.  I've gone through the TLS messages, and cleaned them up a LOT.  i.e. they're now fairly understandable, and contain more information.

  I don't think that will fix this issue, but it will definitely help narrow it down.

> It definitely is a problem with the certificate, but I don't know what (or how to get more information about this). I created the test certificates and copied the ca.pem file to the device with my hostap EAP library and EAP supplicant state machine.

  How did you create the certs?  FreeRADIUS has scripts in raddb/scripts which work.  Doing it yourself might work, or might not.

>   routines:ossl_statem_server_read_transition:unexpected message

  See https://www.opencoverage.net/openssl/index_html/source_4.html

  Look for "UNEXPECTED_MESSAGE".  There are a lot of situations which can produce this.

> The wireshark log (for EAP-TLS) looks like this:

  Without more of the actual TLS data decoded, that doesn't help.

  Use the v3.0.x branch, and you should get clearer messages from FreeRADIUS.

  Alan DeKok.
