[EAP-TLS Windows 7] Problem with chain certificate on the client side
Phil Mayers
p.mayers at imperial.ac.uk
Mon Apr 30 09:44:19 CEST 2012
On 04/30/2012 07:29 AM, jinx_20 wrote:
> Phil, can you look at the certs I provided?
>
They look ok to me. There's no obvious reason they shouldn't verify, and
quick tests at the CLI all passed. Are you sure these are functionally
*identical* to the real ones you're using?
I've checked over the FR verify code; it is a pretty standard verify
callback, and doesn't have any logic errors. It's a bit of a shame the
FR verify callback doesn't explicitly log the subject/issuer/depth
values for failures, and just logs the error; I wonder if that is worth
fixing (and if it would tell us anything more in this case). But I'm
fairly sure FR is doing nothing wrong.
Therefore, either your cert chain is mangled in some way OpenSSL doesn't
like, OpenSSL is buggy or the client is buggy. Or something else weird
is going on.
I don't have any suggestions I'm afraid. If you're familiar with the TLS
protocol, you could use wireshark to capture and inspect an EAP-TLS
conversation. The dissector will reassemble the TLS exchange, and you
can check the correct certs are being sent over the wire in the correct
order.
More information about the Freeradius-Users mailing list
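The CLI check Phil refers to, as an added example that is not part of the original thread and not FreeRADIUS code: the script below builds a throwaway root, intermediate and client certificate with openssl(1), then runs `openssl verify` once with the intermediate supplied and once without it, which is what a supplicant that sends only its own certificate looks like to the server. It also lists subject and issuer per certificate in a PEM bundle in wire order, which is the subject/issuer/depth detail the post says the FreeRADIUS callback does not log on failure. All names (`Example Root CA`, `laptop01.example.test`, the config sections) are constructed test material; the only assumptions are a standard openssl binary (1.1.x or 3.x), `mktemp` and `awk`.

```shell
#!/bin/sh
# Added example, not from the original thread or from FreeRADIUS. Builds a
# throwaway root -> intermediate -> client chain and checks it the way the
# server-side OpenSSL verify does. Assumes openssl(1) 1.1.x or 3.x, mktemp, awk.
set -e

PKI_DIR="$(mktemp -d)"

# Minimal config: req needs a distinguished_name section; the two extension
# sections give one CA profile and one EAP-TLS client profile.
cat > "$PKI_DIR/pki.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_client ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF

# Self-signed root CA (constructed test material, valid for one day).
openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$PKI_DIR/root.key" \
    -out "$PKI_DIR/root.pem" -subj "/CN=Example Root CA" -days 1 \
    -config "$PKI_DIR/pki.cnf" -extensions v3_ca >/dev/null 2>&1

# Intermediate CA, signed by the root.
openssl req -new -newkey rsa:2048 -nodes -keyout "$PKI_DIR/int.key" \
    -out "$PKI_DIR/int.csr" -subj "/CN=Example Intermediate CA" \
    -config "$PKI_DIR/pki.cnf" >/dev/null 2>&1
openssl x509 -req -in "$PKI_DIR/int.csr" -CA "$PKI_DIR/root.pem" \
    -CAkey "$PKI_DIR/root.key" -CAcreateserial -out "$PKI_DIR/int.pem" \
    -days 1 -extfile "$PKI_DIR/pki.cnf" -extensions v3_ca >/dev/null 2>&1

# Client (supplicant) certificate, signed by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -keyout "$PKI_DIR/client.key" \
    -out "$PKI_DIR/client.csr" -subj "/CN=laptop01.example.test" \
    -config "$PKI_DIR/pki.cnf" >/dev/null 2>&1
openssl x509 -req -in "$PKI_DIR/client.csr" -CA "$PKI_DIR/int.pem" \
    -CAkey "$PKI_DIR/int.key" -CAcreateserial -out "$PKI_DIR/client.pem" \
    -days 1 -extfile "$PKI_DIR/pki.cnf" -extensions v3_client >/dev/null 2>&1

# chain_status CAFILE UNTRUSTED LEAF -> prints OK or the OpenSSL reason text.
# UNTRUSTED may be empty, modelling a supplicant that sends only its own cert.
# -purpose sslclient applies the same purpose check a TLS server applies.
chain_status() {
    ca=$1; untrusted=$2; leaf=$3
    if [ -n "$untrusted" ]; then set -- -untrusted "$untrusted"; else set --; fi
    if out=$(openssl verify -CAfile "$ca" -purpose sslclient "$@" "$leaf" 2>&1); then
        echo OK
    else
        reason=$(echo "$out" | sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1)
        echo "${reason:-FAIL}"
    fi
}

# bundle_subjects BUNDLE -> one "depth N: subject -> issuer" line per cert, in
# file order (the order a supplicant sends them: leaf first, then issuers).
bundle_subjects() {
    awk -v dir="$PKI_DIR" '/-----BEGIN CERTIFICATE-----/{n++}
        {print > (dir "/chunk." n ".pem")}' "$1"
    i=1
    while [ -f "$PKI_DIR/chunk.$i.pem" ]; do
        s=$(openssl x509 -noout -subject -in "$PKI_DIR/chunk.$i.pem" | sed 's/^subject= *//')
        iss=$(openssl x509 -noout -issuer -in "$PKI_DIR/chunk.$i.pem" | sed 's/^issuer= *//')
        echo "depth $((i-1)): $s -> $iss"
        rm -f "$PKI_DIR/chunk.$i.pem"
        i=$((i+1))
    done
}

# Demonstration: complete chain, the same leaf with the intermediate left
# out, then the bundle as a supplicant would send it (leaf first).
echo "with intermediate:    $(chain_status "$PKI_DIR/root.pem" "$PKI_DIR/int.pem" "$PKI_DIR/client.pem")"
echo "without intermediate: $(chain_status "$PKI_DIR/root.pem" "" "$PKI_DIR/client.pem")"
cat "$PKI_DIR/client.pem" "$PKI_DIR/int.pem" > "$PKI_DIR/sent.pem"
bundle_subjects "$PKI_DIR/sent.pem"
```

The "without intermediate" case reports "unable to get local issuer certificate" at depth 0, which is the failure a server sees when the supplicant does not send its intermediate and the server's CA file only holds the root. To get the bundle that was actually sent over the wire rather than the one on disk, the Certificate handshake message can be extracted from a capture with Wireshark (display filter `tls.handshake.type == 11` on current versions; older releases used the `ssl.` prefix) and exported as PEM before running `bundle_subjects` on it.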