(4) eap_tls: ERROR: TLS Alert write:fatal:unexpected_message

Alan DeKok aland at deployingradius.com
Fri Jun 18 23:54:21 CEST 2021

On Jun 17, 2021, at 10:07 PM, Michel Verhagen <mike at guruce.com> wrote:
> I am using the test certs as generated by ./bootstrap. I am having trouble finding the right instructions for setting up Wireshark to decode EAPOL-TLS (over LAN, not WIFI). If you could provide some guidance, that would be much appreciated.

  It's been a while since I did it.  But I don't recall it being complex.

> With whatever I have tried, wireshark always complains about the .pem files, passwords, etc. I have tried this:
> Wireshark -> Edit -> Preferences -> Protocols -> TLS -> RSA keys list [Edit...] -> ip any, port 0, protocol data, key file ca.pem, password <nothing>,

  No, you want to load the server cert and the server's private key.  The CA cert isn't helpful here.

> but wireshark pops up an error dialog stating "Can't load private key from ca.pem: can't import pem data: The requested data were not available". I don't think I can use the (Pre)-Master-Secret log filename (setting the "SSLKEYLOGFILE" environment variable) because that requires a webbrowser like Chrome. Anyway, any pointers on how to capture the right stuff and decode using the certs from Freeradius would be appreciated.

  I'll take a look.  But you should be able to just put the server cert && private key into a file, load that, and enter the password.  It should then decrypt everything fine.

  Alan DeKok.
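The following is an added example, not code from the thread or from the FreeRADIUS project: a small POSIX shell script that does what Alan describes above, putting the server cert and private key into one file and handing the key and its passphrase to tshark via the rsa_keys UAT so it can decrypt EAP-TLS carried in EAPOL frames on a wired capture. Assumptions are marked in the comments: the certificate directory, the file names server.crt and server.key, the passphrase "whatever" and the capture file name are all placeholders for whatever ./bootstrap produced on your system.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeRADIUS project): decrypt EAP-TLS
# in an EAPOL capture with tshark using the RADIUS server's certificate and
# private key. All paths and the passphrase below are assumptions; adjust them
# to match the output of ./bootstrap on your server.

CERTDIR="${CERTDIR:-/etc/raddb/certs}"   # assumption: default raddb certs directory
KEYPASS="${KEYPASS:-whatever}"           # assumption: passphrase set in the bootstrap config
CAPTURE="${1:-eapol.pcapng}"             # assumption: wired capture taken on the supplicant port

# Step 1: one file with the server cert followed by its private key.
# Wireshark only needs the private key, but keeping the pair together makes it
# obvious which certificate the key belongs to.
combine_pem() {
    # $1 = server cert PEM, $2 = server private key PEM, $3 = output path
    cat "$1" "$2" > "$3"
    chmod 600 "$3"          # the file now holds the server's key material
    printf '%s\n' "$3"
}

# Step 2: build the tshark command. The rsa_keys UAT entry is exactly what the
# Wireshark "RSA keys list" preference stores: key file and passphrase.
# SSLKEYLOGFILE is not an option here because neither FreeRADIUS nor the
# supplicant writes a key log file.
build_tshark_cmd() {
    # $1 = capture file, $2 = key file (PEM), $3 = passphrase
    printf '%s' "tshark -r '$1' -o 'uat:rsa_keys:\"$2\",\"$3\"' -Y 'eapol && tls' -O tls"
}

# Run only if both a capture and tshark are available; otherwise just show the
# command so it can be pasted into a shell on the capture host.
if [ -r "$CAPTURE" ] && command -v tshark >/dev/null 2>&1; then
    KEYFILE=$(combine_pem "$CERTDIR/server.crt" "$CERTDIR/server.key" ./server_with_key.pem)
    eval "$(build_tshark_cmd "$CAPTURE" "$KEYFILE" "$KEYPASS")"
else
    echo "capture or tshark not found; the command would be:" >&2
    build_tshark_cmd "$CAPTURE" "$CERTDIR/server_with_key.pem" "$KEYPASS"
    echo
fi
```

Two caveats a practitioner should check before concluding the key is wrong: the key must be the one the EAP-TLS server side actually uses (the RADIUS server's, as Alan says, not the CA's), and RSA private-key decryption in Wireshark only recovers the session keys when the handshake negotiated an RSA key-exchange cipher suite. If the Server Hello shows an ECDHE or DHE suite, the handshake will still dissect but the encrypted records will not, and no key file will help; you would have to restrict the server's cipher list to RSA key exchange for the test run.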

More information about the Freeradius-Devel mailing list