(4) eap_tls: ERROR: TLS Alert write:fatal:unexpected_message

Alan DeKok aland at deployingradius.com
Mon Jun 21 14:03:38 CEST 2021

On Jun 17, 2021, at 10:07 PM, Michel Verhagen <mike at guruce.com> wrote:
> With whatever I have tried, wireshark always complains about the .pem files, passwords, etc.

  I ran into the same thing. No matter what I do, wireshark is unable to open the PEM files.  This is disappointing.  IIRC it used to work.

> I have tried this:
> Wireshark -> Edit -> Preferences -> Protocols -> TLS -> RSA keys list [Edit...] -> ip any, port 0, protocol data, key file ca.pem, password <nothing>, but wireshark pops up an error dialog stating "Can't load private key from ca.pem: can't import pem data: The requested data were not available". I don't think I can use the (Pre)-Master-Secret log filename (setting the "SSLKEYLOGFILE" environment variable) because that requires a webbrowser like Chrome. Anyway, any pointers on how to capture the right stuff and decode using the certs from Freeradius would be appreciated.

  I pushed some changes which add some more information to debug 4 (radiusd -Xxx):

* print out a hex dump of the TLS messages, this gives more information on what's going on

* print out TLS information needed by Wireshark to decode the packets, as per: https://wiki.wireshark.org/TLS

Sun Jun 20 09:24:42 2021 : Debug: (20) eap_ttls: (TLS) KEYLOG: CLIENT_RANDOM B3C3EF6D1A8D9C0C0AB670824767991DC3E309AD47D317942C1A5CAF670A8E07 2C6B1E41C4FEEDABCF58568539E9B48DA2C79A2C1CBAE402FED4428BD59442A8DBE50553EDC5B927BEE5A0DA8AC90120

  In *theory* you should be able to grab the text after "KEYLOG:", place it into a file, and then have Wireshark load it.  However, that also doesn't work for me.  i.e. it never complains about the file, but also never decrypts any of the TLS data.


  Alan DeKok.
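The "grab the text after KEYLOG: and place it into a file" step above can be automated. The following is an added example, not code from the post or from the FreeRADIUS project: it scans radiusd debug output for lines of the form shown above (`KEYLOG: CLIENT_RANDOM <client_random> <master_secret>`), validates the field lengths, drops duplicates, and writes the entries in the NSS Key Log Format that Wireshark's "(Pre)-Master-Secret log filename" setting reads. The assumed label set is taken from that format (CLIENT_RANDOM for TLS 1.2 and earlier, the *_TRAFFIC_SECRET labels for TLS 1.3); the sample input embeds the KEYLOG line from the post plus a few constructed noise lines.

```python
"""Extract TLS key-log entries from FreeRADIUS debug output (added example).

Typical use (assumed workflow):
    radiusd -Xxx 2>&1 | tee radiusd.log
    python3 radius_keylog.py radiusd.log > keylog.txt
then in Wireshark:
    Edit -> Preferences -> Protocols -> TLS -> (Pre)-Master-Secret log filename
"""
import re
import sys
from typing import Iterable, List

# Labels defined by the NSS Key Log Format (what Wireshark accepts).
KNOWN_LABELS = {
    "CLIENT_RANDOM",                    # TLS <= 1.2: client random + 48-byte master secret
    "CLIENT_EARLY_TRAFFIC_SECRET",      # TLS 1.3 labels below
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
    "EXPORTER_SECRET",
    "EARLY_EXPORTER_MASTER_SECRET",
}

# "... KEYLOG: <LABEL> <client_random hex> <secret hex>" anywhere on the line.
KEYLOG_RE = re.compile(
    r"KEYLOG:\s+(?P<label>[A-Z0-9_]+)\s+"
    r"(?P<client_random>[0-9A-Fa-f]+)\s+(?P<secret>[0-9A-Fa-f]+)\s*$"
)

# Constructed sample: the KEYLOG line from the post plus noise lines and a
# truncated entry that must be rejected.
SAMPLE_DEBUG = [
    "Sun Jun 20 09:24:42 2021 : Debug: (20) eap_ttls: (TLS) send TLS 1.2 Handshake, ClientHello",
    "Sun Jun 20 09:24:42 2021 : Debug: (20) eap_ttls: (TLS) KEYLOG: CLIENT_RANDOM "
    "B3C3EF6D1A8D9C0C0AB670824767991DC3E309AD47D317942C1A5CAF670A8E07 "
    "2C6B1E41C4FEEDABCF58568539E9B48DA2C79A2C1CBAE402FED4428BD59442A8DBE50553EDC5B927BEE5A0DA8AC90120",
    # duplicate of the previous line (debug output often repeats)
    "Sun Jun 20 09:24:42 2021 : Debug: (20) eap_ttls: (TLS) KEYLOG: CLIENT_RANDOM "
    "B3C3EF6D1A8D9C0C0AB670824767991DC3E309AD47D317942C1A5CAF670A8E07 "
    "2C6B1E41C4FEEDABCF58568539E9B48DA2C79A2C1CBAE402FED4428BD59442A8DBE50553EDC5B927BEE5A0DA8AC90120",
    # constructed: client random too short, must be skipped
    "Sun Jun 20 09:24:43 2021 : Debug: (21) eap_ttls: (TLS) KEYLOG: CLIENT_RANDOM ABCD 0011",
]


def extract_keylog(lines: Iterable[str]) -> List[str]:
    """Return de-duplicated NSS key-log lines found in the given debug lines."""
    seen = set()
    out: List[str] = []
    for line in lines:
        m = KEYLOG_RE.search(line)
        if not m:
            continue
        label = m.group("label")
        client_random = m.group("client_random").upper()
        secret = m.group("secret").upper()
        if label not in KNOWN_LABELS:
            continue
        if len(client_random) != 64:            # ClientHello random is 32 bytes
            continue
        if len(secret) % 2:                     # must be whole bytes
            continue
        if label == "CLIENT_RANDOM" and len(secret) != 96:  # master secret is 48 bytes
            continue
        entry = f"{label} {client_random} {secret}"
        if entry in seen:
            continue
        seen.add(entry)
        out.append(entry)
    return out


if __name__ == "__main__":
    src = open(sys.argv[1]) if len(sys.argv) > 1 else sys.stdin
    with src:
        for entry in extract_keylog(src):
            print(entry)
```

Wireshark reloads the key-log file when the capture is (re)opened, so the file can be regenerated from a longer debug log without restarting Wireshark; each CLIENT_RANDOM entry only helps decrypt the session whose ClientHello carries that random, so the capture must include the full handshake.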

