(4) eap_tls: ERROR: TLS Alert write:fatal:unexpected_message
Michel Verhagen
mike at guruce.com
Fri Jun 18 03:22:21 CEST 2021
I'm in the process of capturing the Wireshark traces with TLS
decryption, but I just noticed that FreeRADIUS crashes (or terminates)
after a while and thought this would be an interesting find:
Ready to process requests
(334) Received Access-Request Id 210 from 192.168.1.2:1987 to 192.168.1.4:1812 length 108
(334) User-Name = "anonymous"
(334) NAS-Port = 24
(334) NAS-Port-Id = "24"
(334) Calling-Station-Id = "00-19-B8-01-79-D9"
(334) EAP-Message = 0x026a000e01616e6f6e796d6f7573
(334) NAS-Port-Type = Ethernet
(334) Message-Authenticator = 0xdfcd2705ee72509eecf6c3e600dcc672
(334) NAS-IP-Address = 192.168.1.2
(334) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(334) authorize {
(334) policy filter_username {
(334) if (&User-Name) {
(334) if (&User-Name) -> TRUE
(334) if (&User-Name) {
(334) if (&User-Name =~ / /) {
(334) if (&User-Name =~ / /) -> FALSE
(334) if (&User-Name =~ /@[^@]*@/ ) {
(334) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(334) if (&User-Name =~ /\.\./ ) {
(334) if (&User-Name =~ /\.\./ ) -> FALSE
(334) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(334) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(334) if (&User-Name =~ /\.$/) {
(334) if (&User-Name =~ /\.$/) -> FALSE
(334) if (&User-Name =~ /@\./) {
(334) if (&User-Name =~ /@\./) -> FALSE
(334) } # if (&User-Name) = notfound
(334) } # policy filter_username = notfound
(334) [preprocess] = ok
(334) [chap] = noop
(334) [mschap] = noop
(334) [digest] = noop
(334) suffix: Checking for suffix after "@"
(334) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(334) suffix: No such realm "NULL"
(334) [suffix] = noop
(334) eap: Peer sent EAP Response (code 2) ID 106 length 14
(334) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(334) [eap] = ok
(334) } # authorize = ok
(334) Found Auth-Type = eap
(334) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(334) authenticate {
(334) eap: Peer sent packet with method EAP Identity (1)
(334) eap: Calling submodule eap_tls to process data
(334) eap_tls: (TLS) Initiating new session
(334) eap_tls: (TLS) Setting verify mode to require certificate from client
(334) eap: Sending EAP Request (code 1) ID 107 length 6
(334) eap: EAP session adding &reply:State = 0x5a501c065a3b1144
(334) [eap] = handled
(334) } # authenticate = handled
(334) Using Post-Auth-Type Challenge
(334) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(334) Challenge { ... } # empty sub-section is ignored
(334) session-state: Saving cached attributes
(334) Framed-MTU = 994
(334) Sent Access-Challenge Id 210 from 192.168.1.4:1812 to 192.168.1.2:1987 length 0
(334) EAP-Message = 0x016b00060d20
(334) Message-Authenticator = 0x00000000000000000000000000000000
(334) State = 0x5a501c065a3b114455a3bcc90888424a
(334) Finished request
Waking up in 4.9 seconds.
(335) Received Access-Request Id 65 from 192.168.1.2:1988 to
192.168.1.4:1812 length 320
(335) User-Name = "anonymous"
(335) NAS-Port = 24
(335) NAS-Port-Id = "24"
(335) Calling-Station-Id = "00-19-B8-01-79-D9"
(335) EAP-Message = 0x026b00d00d0016030300c5010000c1030349805d93404b82da96e2c4d11d21164899a0e804068aa661c4d4e66508f59a72000066c02cc02bc030c02f009f009e009d009cc02ec02dc032c031c027c023c029c025c028c024c02ac026c00ac005c009c004c007c002c008c003c014c00fc013c00ec011c00cc012c00d006b0067003900330016003d003c0035002f00050004000a00fb00fc00fd01000032000d0012001006030503040302030601050104010201000b00020100000a000e000c00190018001700150013001000170000
(335) State = 0x5a501c065a3b114455a3bcc90888424a
(335) NAS-Port-Type = Ethernet
(335) Message-Authenticator = 0x34e230e65cd0d63361bc0d3e17314e00
(335) NAS-IP-Address = 192.168.1.2
talloc: access after free error - first free may be at src/main/state.c:364
Bad talloc magic value - access after free
talloc abort: Bad talloc magic value - access after free
Backtrace of last 4294967295 frames:
Abort
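The three EAP-Message values in the debug output above are the whole EAP-TLS exchange up to the point FreeRADIUS aborted: the Identity response, the EAP-TLS Start request, and the peer's first TLS record. The following decoder is an added example for correlating those hex strings with a Wireshark capture; it is not part of this mailing-list post and not FreeRADIUS code. Only the three hex strings are taken from the log; the field layout follows RFC 3748 (EAP), RFC 5216 (EAP-TLS flags) and RFC 5246 (TLS 1.2 record and ClientHello), and the constant names are this example's own.

```python
"""Decode EAP-Message attributes from FreeRADIUS debug output (added example)."""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1
EAP_TYPE_TLS = 13
TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

# EAP-Message values copied verbatim from requests (334) and (335) in the log.
EAP_IDENTITY_RESPONSE = "0x026a000e01616e6f6e796d6f7573"
EAP_TLS_START = "0x016b00060d20"
EAP_TLS_CLIENT_HELLO = (
    "0x026b00d00d0016030300c5010000c1030349805d93404b82da96e2c4d11d21164899a0"
    "e804068aa661c4d4e66508f59a72000066c02cc02bc030c02f009f009e009d009cc02ec02d"
    "c032c031c027c023c029c025c028c024c02ac026c00ac005c009c004c007c002c008c003c014"
    "c00fc013c00ec011c00cc012c00d006b0067003900330016003d003c0035002f00050004000a"
    "00fb00fc00fd01000032000d0012001006030503040302030601050104010201000b00020100"
    "000a000e000c00190018001700150013001000170000"
)


def parse_eap(hex_msg):
    """Parse one EAP packet: 4-byte header, type byte, then type-specific data."""
    data = bytes.fromhex(hex_msg[2:] if hex_msg.startswith("0x") else hex_msg)
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError(f"EAP length field {length} != {len(data)} bytes present")
    msg = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if length == 4:  # Success/Failure carry no type byte
        return msg
    eap_type = data[4]
    msg["type"] = eap_type
    if eap_type == EAP_TYPE_IDENTITY:
        msg["identity"] = data[5:].decode("ascii", errors="replace")
    elif eap_type == EAP_TYPE_TLS:
        flags = data[5]  # RFC 5216: L = length included, M = more fragments, S = start
        msg["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40), "S": bool(flags & 0x20)}
        body = data[6:]
        if flags & 0x80:  # a 4-byte total TLS length precedes the data when L is set
            msg["tls_total_length"] = struct.unpack("!I", body[:4])[0]
            body = body[4:]
        if body:  # an EAP-TLS Start packet carries no TLS data at all
            msg["tls"] = parse_tls_record(body)
    return msg


def parse_tls_record(buf):
    """Parse the TLS record header; descend into a ClientHello when one is present."""
    ctype, ver, rlen = struct.unpack("!BHH", buf[:5])
    if 5 + rlen > len(buf):
        raise ValueError("TLS record is truncated: fragmented EAP-TLS must be reassembled first")
    rec = {"content_type": ctype, "record_version": TLS_VERSIONS.get(ver, hex(ver)), "length": rlen}
    body = buf[5:5 + rlen]
    if ctype == 22 and body and body[0] == 1:  # content type 22 = handshake, type 1 = ClientHello
        rec["client_hello"] = parse_client_hello(body)
    return rec


def parse_client_hello(hs):
    """Walk a ClientHello and return its version, cipher suites and extension types."""
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("handshake message truncated")
    pos = 0
    ver = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + 32  # skip the 32-byte client random
    pos += 1 + body[pos]  # session id (length-prefixed)
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]  # compression methods (length-prefixed)
    exts = []
    if pos < len(body):
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            exts.append(etype)
            pos += 4 + elen
    return {"version": TLS_VERSIONS.get(ver, hex(ver)), "cipher_suites": suites, "extensions": exts}


if __name__ == "__main__":
    for label, msg in (("Identity", EAP_IDENTITY_RESPONSE), ("Start", EAP_TLS_START), ("ClientHello", EAP_TLS_CLIENT_HELLO)):
        print(label, parse_eap(msg))
```

The decoder confirms what the server logged: the Identity response is code 2, ID 106, length 14; the Start request is ID 107 with only the S flag set; and the crashing request (335) carries a single unfragmented TLS 1.2 record holding a 51-suite ClientHello whose extensions are signature_algorithms (13), ec_point_formats (11), supported_groups (10) and extended_master_secret (23). Because the L and M flags are both clear, this is a complete record with nothing left to reassemble, so the talloc abort happens before any TLS state machine decision could have produced the unexpected_message alert named in the subject.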