Problem with EAP-TLS and certificate

Stephane Brodeur sbrodeur63 at hotmail.com
Mon Jun 18 05:07:31 CEST 2012


Hi,

I am a newbie to FreeRADIUS and I am having a real hard time implementing EAP-TLS using a self-signed certificate.

My certificate seems valid:

Server Certificate
[root at localhost CA]# openssl verify -CAfile /etc/pki/CA/cacert.pem xplab.pem
xplab.pem: OK

Client certificate
[root at localhost CA]# openssl verify -CAfile /etc/pki/CA/cacert.pem bob.pem
bob.pem: OK

When I run

[root at localhost CA]# eapol_test -c /opt/EAP-RADIUS/eap-tls.conf -s testing123

I have the following results:

EAPOL: Successfully fetched key (len=32)
PMK from EAPOL - hexdump(len=32): cf cd 8c f0 17 49 11 13 d6 7d fe cb b1 65 00 1d 85 c2 ef a5 33 35 78 00 b8 a1 0a 9d 02 4b 06 45
EAP: deinitialize previously used EAP method (13, TLS) at EAP deinit
ENGINE: engine deinit
MPPE keys OK: 1  mismatch: 0
SUCCESS

using the following eap-tls.conf

#   eapol_test -c eap-tls.conf -s testing123
#
network={
        key_mgmt=IEEE8021X
        eap=TLS
        eapol_flags=0
        eap_workaround=0
        identity="bob"
        # CA certificate used to validate the server certificate
        ca_cert="/etc/pki/CA/cacert.pem"
        client_cert="/etc/pki/CA/bob.der"
        private_key="/etc/pki/CA/bob.key"
        private_key_passwd="abc123"
}

My problem is the following error message when running eapol_test

TLS: Trusted root certificate(s) loaded
OpenSSL: SSL_use_certificate_file (DER) --> OK
OpenSSL: tls_connection_private_key - SSL_use_PrivateKey_File (DER) failed error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
OpenSSL: pending error: error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
OpenSSL: pending error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
OpenSSL: pending error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
OpenSSL: pending error: error:04093004:rsa routines:OLD_RSA_PRIV_DECODE:RSA lib
OpenSSL: pending error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
OpenSSL: pending error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
OpenSSL: pending error: error:140CB00D:SSL routines:SSL_use_PrivateKey_file:ASN1 lib
OpenSSL: SSL_use_PrivateKey_File (PEM) --> OK
SSL: Private key loaded successfully
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected

I would like to know whether this means that my certificates are not valid even though eapol_test seems successful. I was not able to find any information on the meaning of these messages. These messages are similar to what I get when I run wpa_supplicant from my client machine. Since I am not able to authenticate from wpa_supplicant (failed to load private key), I think it might be possible that the certificates are wrong.


wpa_supplicant.conf

ap_scan=0
network={
        key_mgmt=WPA-EAP
        eap=TLS
        identity="bob"
        ca_cert="/etc/ssl/demoCA/cacert.pem"
        client_cert="/etc/ssl/demoCA/certs/bob.pem"
        private_key="/etc/ssl/demoCA/private/bob.key"
        private_key_passwd="abc123"
        eapol_flags=0
}

wpa_supplicant -c /etc/wpa_supplicant.conf -D wired -i br0


CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
OpenSSL: pending error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
OpenSSL: pending error: error:140C800D:SSL routines:SSL_use_certificate_file:ASN1 lib
OpenSSL: pending error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
OpenSSL: pending error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
OpenSSL: pending error: error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib
OpenSSL: pending error: error:140CB00D:SSL routines:SSL_use_PrivateKey_file:ASN1 lib
OpenSSL: pending error: error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error
OpenSSL: pending error: error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error
OpenSSL: pending error: error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib
OpenSSL: pending error: error:140CB009:SSL routines:SSL_use_PrivateKey_file:PEM lib
OpenSSL: tls_read_pkcs12 - Failed to use PKCS#12 file error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
OpenSSL: pending error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
OpenSSL: Failed to load private key


Thanks for your help
Stephane
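The logs above show the supplicant trying each credential file in turn as DER, then PEM, then PKCS#12 (SSL_use_PrivateKey_File (DER), SSL_use_PrivateKey_File (PEM), tls_read_pkcs12), so the "wrong tag" errors from the first attempts are only informative when the last attempt also fails. As an added example that is not part of the original post and not the supplicant's or FreeRADIUS's own code, the following POSIX shell script uses the plain openssl command line to run the checks a practitioner would want before pointing eapol_test or wpa_supplicant at a credential set: which encoding each file is in, whether the private key decrypts with the configured passphrase, whether the client certificate's public key belongs to that private key, and whether the certificate chains to the CA file. It builds a throw-away CA and a client certificate for identity "bob" with passphrase "abc123" in a temporary directory as constructed test data; the CA name, paths and the helper function names are assumptions made for illustration, not taken from the post.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check an EAP-TLS client
# credential set (CA cert, client cert, private key + passphrase) with openssl
# before handing it to eapol_test / wpa_supplicant.
set -eu

# Print "pem", "der" or "unknown" for a certificate or private key file.
cred_format() {
    if grep -q -- '-----BEGIN ' "$1" 2>/dev/null; then
        echo pem
    elif openssl asn1parse -inform DER -in "$1" >/dev/null 2>&1; then
        echo der
    else
        echo unknown
    fi
}

# Succeed only if the private key parses AND the passphrase decrypts it.
key_loads() {
    openssl pkey -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

# Succeed only if the certificate's public key equals the private key's.
# $1 cert, $2 key, $3 cert encoding (PEM or DER), $4 key passphrase.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -inform "$3" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -passin "pass:$4" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Succeed only if the certificate chains to the CA file.
# $1 CA cert (PEM), $2 cert, $3 cert encoding (PEM or DER).
cert_chains_to_ca() {
    openssl x509 -in "$2" -inform "$3" | openssl verify -CAfile "$1" >/dev/null 2>&1
}

# Build a throw-away CA plus client credential in directory $1 (constructed
# test data; names and passphrase are assumptions for this example).
make_demo_pki() {
    d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$d/cacert.key" -out "$d/cacert.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -subj "/CN=bob" -passout pass:abc123 \
        -keyout "$d/bob.key" -out "$d/bob.csr" >/dev/null 2>&1
    openssl x509 -req -in "$d/bob.csr" -CA "$d/cacert.pem" -CAkey "$d/cacert.key" \
        -set_serial 1 -days 1 -out "$d/bob.pem" >/dev/null 2>&1
    openssl x509 -in "$d/bob.pem" -outform DER -out "$d/bob.der"
}

# One-shot report for a credential set, in the order the supplicant needs the
# pieces: cert encoding, key + passphrase, cert/key match, chain to CA.
# $1 CA cert (PEM), $2 client cert, $3 private key, $4 key passphrase.
check_credentials() {
    ca="$1"; cert="$2"; key="$3"; pass="$4"
    cf=$(cred_format "$cert"); kf=$(cred_format "$key")
    echo "client_cert=$cf private_key=$kf"
    case "$cf" in
        pem) inform=PEM ;;
        der) inform=DER ;;
        *)   echo "FAIL: client certificate is neither PEM nor DER"; return 1 ;;
    esac
    key_loads "$key" "$pass" || { echo "FAIL: private key does not load with that passphrase"; return 1; }
    cert_matches_key "$cert" "$key" "$inform" "$pass" || { echo "FAIL: certificate and key do not match"; return 1; }
    cert_chains_to_ca "$ca" "$cert" "$inform" || { echo "FAIL: certificate does not chain to CA"; return 1; }
    echo "OK"
}

# Demo run on the constructed credentials (DER cert + encrypted PEM key, the
# same mix as the eap-tls.conf in the post).
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
make_demo_pki "$DEMO_DIR"
check_credentials "$DEMO_DIR/cacert.pem" "$DEMO_DIR/bob.der" "$DEMO_DIR/bob.key" abc123
```

To check a real credential set, call check_credentials with the ca_cert, client_cert, private_key and private_key_passwd values from the supplicant configuration; a FAIL line on the key or the cert/key match points at the credential files themselves, whereas a clean OK with the supplicant still failing points at the supplicant build (for example an OpenSSL without the cipher used to encrypt the key) rather than at the certificates.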

 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20120617/b41d7ecc/attachment.html>


More information about the Freeradius-Users mailing list