ppp and eap-tls

Frank frank at debian-nas.org
Wed Dec 28 14:36:01 CET 2011


Hi,

I'm using FreeRADIUS for EAP-TLS authentication with my WPA NAS, with MS-CHAPv2 for ppp auth (in an L2TP/IPSEC VPN) and, for a while, with EAP-TLS for ppp auth (about half a year ago).

However, without me consciously changing anything in my setup (running Debian Squeeze, connecting clients run MS Windows Vista), EAP-TLS for ppp auth no longer works since I've tested it again recently.

I now get the following error in my radius log on an auth attempt:

Error: TLS Alert write:fatal:decrypt error
Error:     TLS_accept: failed in SSLv3 read certificate verify B
Error: rlm_eap: SSL error error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01
Error: SSL: SSL_read failed inside of TLS (-1), TLS session fails.

Now there are several issues:
- I don't know what I changed which caused this behaviour (maybe an openssl update in Squeeze? Something changed in Windows Vista?)
- the client certificates are valid (tested with openssl cli), and work fine when used for WPA auth
- I don't really know what this error means
- I can't find a solution for it. I've tried: 2048 bit (vs. 4096 bit) RSA certs and the extensions for XP for both the server and client certs

Again, the same certificates work fine for WPA auth.

I hope someone can shed some light onto this issue, or how to pin down the exact cause of the 'rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01' error.

Regards,
Frank
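
Added example, not part of the original post and not FreeRADIUS or OpenSSL code: a sketch of the PKCS#1 v1.5 "block type 1" check that the function name in the logged error refers to, showing that a signature checked against a key other than the one that made it fails this padding check. The toy keys, the 36-byte payload, and every reason string except "block type is not 01" are constructed for illustration.

```python
# Added illustration (not FreeRADIUS or OpenSSL code): the PKCS#1 v1.5
# block-type-1 check that an RSA signature must pass after the public-key
# operation. Toy keys built from Mersenne primes; all values are constructed.
E = 65537

def make_key(p, q):
    """Return (n, d) for a toy RSA key with public exponent E."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def pad_type1(payload, k):
    """Build 00 01 FF..FF 00 payload, k bytes long (at least 8 FF bytes)."""
    fill = k - 3 - len(payload)
    if fill < 8:
        raise ValueError("payload too long for this modulus")
    return b"\x00\x01" + b"\xff" * fill + b"\x00" + payload

def check_type1(block):
    """Return (payload, 'ok') or (None, reason); reasons are this example's own."""
    if block[:2] != b"\x00\x01":
        return None, "block type is not 01"
    end = 2
    while end < len(block) and block[end] == 0xFF:
        end += 1
    if end - 2 < 8:
        return None, "fewer than 8 pad bytes"
    if end == len(block) or block[end] != 0x00:
        return None, "missing 00 separator"
    return block[end + 1:], "ok"

def sign(payload, n, d):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(pad_type1(payload, k), "big"), d, n)

def verify(sig, payload, n):
    """Apply the public key to sig, then check the padding and the payload."""
    k = (n.bit_length() + 7) // 8
    got, reason = check_type1(pow(sig, E, n).to_bytes(k, "big"))
    if got is None:
        return reason
    return "ok" if got == payload else "payload mismatch"

HASH = bytes(range(36))                    # constructed stand-in for the signed hash
KEY_A = make_key(2**127 - 1, 2**521 - 1)   # key that makes the signature
KEY_B = make_key(2**89 - 1, 2**607 - 1)    # unrelated key
SIG = sign(HASH, *KEY_A)

if __name__ == "__main__":
    print("same key :", verify(SIG, HASH, KEY_A[0]))
    print("other key:", verify(SIG, HASH, KEY_B[0]))
```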