CRL signature failure
zz zz
cajt at atlas.cz
Mon Feb 4 10:41:42 CET 2008
Hello,
I have a lot of strange messages in radius.log regarding CRL signature failure (randomly). When this message occurs in the log, users can't be authenticated on EAP-TLS -> Login incorrect. The problem is solved with a full restart of the freeradius service (service freeradius restart).
I'm running the latest version, 1.1.7, of freeradius compiled from source on RHEL3 with RHEL openssl-0.9.7a-33.24 (openssl is installed by up2date from the RHEL3 repository). Every hour the CRL is updated by an external cron script together with c_rehash.
Mon Feb 4 09:13:24 2008 : Error: --> verify error:num=8:CRL signature failure
Mon Feb 4 09:13:24 2008 : Error: TLS Alert write:fatal:decrypt error
Mon Feb 4 09:13:24 2008 : Error: TLS_accept:error in SSLv3 read client certificate B
Mon Feb 4 09:13:24 2008 : Error: rlm_eap: SSL error error:04077068:rsa routines:RSA_verify:bad signature
Mon Feb 4 09:13:24 2008 : Error: rlm_eap_tls: SSL_read failed inside of TLS (-1), TLS session fails.
Mon Feb 4 09:13:24 2008 : Auth: Login incorrect: [Kris Jacob] (from client BEBRU765CZ101 port 1 cli 00-16-6F-61-5E-09)
eap.conf
--------
eap {
        default_eap_type = tls
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        leap {
        }
        tls {
                CA_path = ${raddbdir}/certs/
                check_crl = yes
                CA_file = ${raddbdir}/certs/CA.pem
                crl_file = ${raddbdir}/certs/crl.pem
                certificate_file = ${raddbdir}/certs/radius.pem
                private_key_file = ${raddbdir}/certs/radius.key
                dh_file = ${raddbdir}/certs/dh
                random_file = /dev/urandom
                fragment_size = 1024
                include_length = yes
                check_cert_cn = %{User-Name}
        }
}
I can't find any similar problem in the radius discussion.
Thanks
---
Cajt
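Added example, not part of the original post and not FreeRADIUS code: a small Python parser for the radius.log format quoted above that pairs each "CRL signature failure" with the rejected login that follows it and reports the minute of the hour, so failure times can be compared with the hourly CRL update. The 5-second pairing window, the function names and the final "Login OK" sample line are assumptions made for this example.

```python
import re
from datetime import datetime

# Lines copied from the radius.log excerpt in the post; the final "Login OK"
# line is constructed for this example to show unrelated Auth lines are skipped.
SAMPLE_LOG = """\
Mon Feb 4 09:13:24 2008 : Error: --> verify error:num=8:CRL signature failure
Mon Feb 4 09:13:24 2008 : Error: TLS Alert write:fatal:decrypt error
Mon Feb 4 09:13:24 2008 : Error: rlm_eap: SSL error error:04077068:rsa routines:RSA_verify:bad signature
Mon Feb 4 09:13:24 2008 : Auth: Login incorrect: [Kris Jacob] (from client BEBRU765CZ101 port 1 cli 00-16-6F-61-5E-09)
Mon Feb 4 09:20:02 2008 : Auth: Login OK: [constructed-user] (from client BEBRU765CZ101 port 2)
"""

CRL_ERR = "verify error:num=8:CRL signature failure"
# "<timestamp> : <level>: <message>" as written by the server in the excerpt.
LINE = re.compile(r"^(\w{3} \w{3} +\d+ [\d:]{8} \d{4}) : (\w+): (.*)$")
REJECT = re.compile(r"^Login incorrect.*?: \[(.*?)\] \(from client (\S+)")

def crl_failures(log_text, window=5):
    """Return one record per CRL signature failure, filled in with the rejected
    login logged within `window` seconds (user/client stay None otherwise)."""
    incidents, pending = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a radius.log line in the expected format
        when = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        level, msg = m.group(2), m.group(3)
        if level == "Error" and CRL_ERR in msg:
            pending = {"time": when, "user": None, "client": None}
            incidents.append(pending)
        elif level == "Auth" and pending is not None:
            r = REJECT.match(msg)
            if r and (when - pending["time"]).total_seconds() <= window:
                pending["user"], pending["client"] = r.group(1), r.group(2)
                pending = None  # this failure is now attributed

    return incidents

def minutes_past_hour(incidents):
    """Distinct minute-of-hour values at which CRL failures were logged."""
    return sorted({i["time"].minute for i in incidents})

if __name__ == "__main__":
    for inc in crl_failures(SAMPLE_LOG):
        print(inc["time"], inc["user"], inc["client"])
    print("minutes past the hour:", minutes_past_hour(crl_failures(SAMPLE_LOG)))
```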