EAP TLS testing using eapol_test

Naunidh S Chadha naunidh at gmail.com
Thu May 22 12:39:42 CEST 2008


Hi All

An update: I tried using OpenSSL version 9.8c,
but got exact same issues.


Wed May 21 19:31:19 2008 : Debug:   rlm_eap_tls: Done initial handshake
Wed May 21 19:31:19 2008 : Debug:   rlm_eap_tls: <<< TLS 1.0 Handshake
[length 038d], Certificate
Wed May 21 19:31:19 2008 : *Error: --> verify error:num=20:unable to get
local issuer certificate*
Wed May 21 19:31:19 2008 : Debug:   rlm_eap_tls: >>> TLS 1.0 Alert [length
0002], fatal unknown_ca
Wed May 21 19:31:19 2008 : Error: TLS Alert write:fatal:unknown CA
Wed May 21 19:31:19 2008 : Error:     TLS_accept:error in SSLv3 read client
certificate B
Wed May 21 19:31:19 2008 : Error: rlm_eap: SSL error error:140890B2:SSL
routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Wed May 21 19:31:19 2008 : Error: rlm_eap_tls: SSL_read failed in a system
call (-1), TLS session fails.
Wed May 21 19:31:19 2008 : Debug:   eaptls_process returned 13

On OpenSSL 9.8g, radiusd started giving a
segmentation fault (maybe it's some conflict).

I really need a breakthrough now. I don't think
there is anything left that I can do now; maybe
use some other client or server for my purpose :)

-
Naunidh
----------------------------------------------------------------------

Message: 1
Date: Wed, 21 May 2008 20:15:06 +0530
From: "Naunidh S Chadha" <naunidh at gmail.com>
Subject: EAP TLS testing using eapol_test
To: freeradius-users at lists.freeradius.org
Message-ID:
       <4b1838520805210745u1a014f31s79bad2914b8602fe at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Hi All

I am attempting to authenticate an EAP-TLS using eapol_test tool against
FreeRADIUS Version 2.0.3.
For the last two days I have been stumped by certificate issues. Currently I
have the following error in my
FreeRADIUS log that seems to be the problem.


Wed May 21 19:31:19 2008 : Debug:   rlm_eap_tls: Done initial handshake
Wed May 21 19:31:19 2008 : Debug:   rlm_eap_tls: <<< TLS 1.0 Handshake
[length 038d], Certificate
Wed May 21 19:31:19 2008 : *Error: --> verify error:num=20:unable to get
local issuer certificate*
Wed May 21 19:31:19 2008 : Debug:   rlm_eap_tls: >>> TLS 1.0 Alert [length
0002], fatal unknown_ca
Wed May 21 19:31:19 2008 : Error: TLS Alert write:fatal:unknown CA
Wed May 21 19:31:19 2008 : Error:     TLS_accept:error in SSLv3 read client
certificate B
Wed May 21 19:31:19 2008 : Error: rlm_eap: SSL error error:140890B2:SSL
routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Wed May 21 19:31:19 2008 : Error: rlm_eap_tls: SSL_read failed in a system
call (-1), TLS session fails.
Wed May 21 19:31:19 2008 : Debug:   eaptls_process returned 13

From searching around the net I found that one issue could be that my SSL
does not understand
that server.pem is a trusted CA. To make that happen I created hashes using
the following command,

ln -s client.pem `openssl x509 -hash -noout -in client.pem`.0

for ca.pem/server.pem and client.pem. I then pasted the hashes and .pem
files into the /usr/share/ssl/certs
folder too (out of desperation :) ). After this, if I ran the command
"openssl verify *.pem" in the .../raddb/certs
folder, it would return OK for all pem files. IMO this is the best way to test
that all certificates are in order.
I also used the command "openssl verify -CApath . *.pem" (picked it up from the
Makefile) and it returned OK too.

I must add here that my setup is totally as per the docs/config file
explanations. The radiusd.conf is configured to
use EAP as per the default config, and the certs are made by running the
make command in raddb/certs folder.
I commented out bootstrap for my exploration. I ran "make client.pem" to
create client certificates.

The supplicant client uses following configuration file:

network={
       ssid="1x-test"
       key_mgmt=WPA-EAP
       eap=TLS
       identity="user@example.com"
       ca_cert="/usr/local/etc/raddb/certs/ca.pem"
       client_cert="/usr/local/etc/raddb/certs/user@example.com.pem"
       private_key="/usr/local/etc/raddb/certs/client.key"
       private_key_passwd="whatever"
       eapol_flags=3
}


Since the logs are big enough to be a torture for people reading in digest
mode, I have put them at
http://naunidh.googlepages.com/logs

It has output of radiusd -XXX followed by logs of eapol_test tool.

My OpenSSL version is 9.7a (supported by FreeRADIUS). My next step would be
to upgrade this, but it does not
look like an OpenSSL issue. Upgrading would be a pain at the moment as a
lot of people are dependent on the
setup, but this is the only recourse left from my side.

Any help would be greatly appreciated.
Sorry for the long mail, but I could not shorten it any more without missing
something important.

Thanks All

-
Naunidh