(4) eap_tls: ERROR: TLS Alert write:fatal:unexpected_message

Michel Verhagen mike at guruce.com
Fri Jun 18 04:07:13 CEST 2021

> My suggestion is to use the test certs (so you don't care about secrecy), and then use Wireshark.  You can pass it the certs and passwords, then it will decode all of the TLS data for you.  That will tell you exactly what's going on behind the scenes.
I am using the test certs as generated by ./bootstrap. I am having 
trouble finding the right instructions for setting up Wireshark to 
decode EAPOL-TLS (over LAN, not WIFI). If you could provide some 
guidance, that would be much appreciated.

With whatever I have tried, wireshark always complains about the .pem 
files, passwords, etc. I have tried this:

Wireshark -> Edit -> Preferences -> Protocols -> TLS -> RSA keys list 
[Edit...] -> ip any, port 0, protocol data, key file ca.pem, password 
<nothing>, but wireshark pops up an error dialog stating "Can't load 
private key from ca.pem: can't import pem data: The requested data were 
not available". I don't think I can use the (Pre)-Master-Secret log 
filename (setting the "SSLKEYLOGFILE" environment variable) because that 
requires a webbrowser like Chrome. Anyway, any pointers on how to 
capture the right stuff and decode using the certs from Freeradius would 
be appreciated.

More information about the Freeradius-Devel mailing list