(4) eap_tls: ERROR: TLS Alert write:fatal:unexpected_message

Alan DeKok aland at deployingradius.com
Wed Jun 16 15:28:59 CEST 2021

On Jun 16, 2021, at 12:33 AM, Michel Verhagen <mike at guruce.com> wrote:
> Full FreeRadius 3.0.24 output below, followed by the output of hostap with WolfSSL on CE (if that helps analyze the problem).

  Hmm... that's unfortunately not overly helpful.

  Which version of OpenSSL are you using on the server side?  Older versions of OpenSSL may not deal well with certain handshake messages.

  And the debug output from WolfSSL is pretty useless.  Tons of "parsing ASN1" stuff, which I don't care about.  We can look at the certs.  What I need to know is the state changes, and *why* WolfSSL is doing things.  That information seems to be fairly opaque.

  My suggestion is to use the test certs (so you don't care about secrecy), and then use Wireshark.  You can pass it the certs and passwords, then it will decode all of the TLS data for you.  That will tell you exactly what's going on behind the scenes.

  For now, all I can say is that this is very opaque.  My guess is either an OpenSSL issue, or a WolfSSL issue.  We test every build of FreeRADIUS with eapol_test, so we know that the basics work.  More unusual systems are a bit more unknown.

  Alan DeKok.
