suddenly problem with certificates / error in SSLv3 read client certificate B
Stephan Manske
gmane-reply at stephan.manske-net.de
Tue Jan 22 20:50:26 CET 2013
Hello!
I have a huge problem with freeradius 2.2.0 on my eisfair server
(www.eisfair.org) and users using certificates to authenticate.
First of all: this should not be a "how must I configure my freeradius to
work?" problem. This installation with these certificates and this
config worked very well for over 8 months. And suddenly I got the problem.
Every client with user/pass works still fine.
The problem is about the users with certificates (Windows XP and Android).
The certificates are not outdated:
list of active certificates:
V 13-01-28 13:16:17 Z 01 unknown
/C=DE/ST=Somewhere/O=Manske EIS/OU=Radius_Managment/CN=Manske Radius/emailAddress=xxx
(the server certificate)
V 14-02-17 13:16:54 Z 02 unknown
/C=DE/ST=Somewhere/O=Manske EIS/OU=Radius_Managment/CN=User Name/emailAddress=xxx
(one of the problematic user certificates)
I tried it with check_crl = yes and no
Changes before the problem occurred: I updated the openssl packages from
Internal Program Version: OpenSSL 1.0.0j
also included the old version 0.9.7m
also included the old version 0.9.8x
to
Internal Program Version: OpenSSL 1.0.1c
also included the old version 0.9.8x
But I did this over three days before the errors occurred. In the meantime
freeradius worked well.
So, here is a shortened output of radiusd -X (I hope I did not shorten
important things - btw, are there parts of such a debug output I should
keep secret?)
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.x.x port 2049, id=2, length=141
User-Name = "User Name"
NAS-IP-Address = 192.168.x.x
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "User Name", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 19
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry User Name at line 8
[files] expand: Hello, %{User-Name} -> Hello, User Name
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/tls
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 2 to 192.168.x.x port 2049
Reply-Message = "Hello, User Name"
EAP-Message = 0x010200060d20
Message-Authenticator = 0x00000000000000000000000000xx
State = 0x7d1f9f227c1d92c8e39xxxxxxxxx
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.x.x port 2049, id=2, length=227
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry User Name at line 8
[files] expand: Hello, %{User-Name} -> Hello, User Name
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
TLS Length 77
[tls] Length Included
[tls] eaptls_verify returned 11
[tls] (other): before/accept initialization
[tls] TLS_accept: before/accept initialization
[tls] <<< TLS 1.0 Handshake [length 0048], ClientHello
[tls] TLS_accept: SSLv3 read client hello A
[tls] >>> TLS 1.0 Handshake [length 0031], ServerHello
[tls] TLS_accept: SSLv3 write server hello A
[tls] >>> TLS 1.0 Handshake [length 08bb], Certificate
[tls] TLS_accept: SSLv3 write certificate A
[tls] >>> TLS 1.0 Handshake [length 00b8], CertificateRequest
[tls] TLS_accept: SSLv3 write certificate request A
[tls] TLS_accept: SSLv3 flush data
[tls] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[tls] eaptls_process returned 13
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
TLS Length 77
[tls] Length Included
[tls] eaptls_verify returned 11
[tls] (other): before/accept initialization
[tls] TLS_accept: before/accept initialization
[tls] <<< TLS 1.0 Handshake [length 0048], ClientHello
[tls] TLS_accept: SSLv3 read client hello A
[tls] >>> TLS 1.0 Handshake [length 0031], ServerHello
[tls] TLS_accept: SSLv3 write server hello A
[tls] >>> TLS 1.0 Handshake [length 08bb], Certificate
[tls] TLS_accept: SSLv3 write certificate A
[tls] >>> TLS 1.0 Handshake [length 00b8], CertificateRequest
[tls] TLS_accept: SSLv3 write certificate request A
[tls] TLS_accept: SSLv3 flush data
[tls] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 2 to 192.168.x.x port 2049
Reply-Message = "Hello, User Name"
EAP-Message = 0x010304000dc0000009b316030100310200002d030150e4ae0ed21d8
EAP-Message = 0x3017060355040313104d616e736b6520526164697573204341301e1
EAP-Message = 0xce7ab5f8c7edc84656371d677436108b21313e1ea308f55566b8684
EAP-Message = 0x25040c300a06082b06010505070301300d06092a864886f70d01010
EAP-Message = 0xb12f24c809d9d
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x7d1f9f227f1c92c8e3xxxxxx
Finished request 2.
Going to the next request
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
Sending Access-Challenge of id 2 to 192.168.x.x port 2049
Reply-Message = "Hello, User Name"
EAP-Message = 0x010404000dc0000009b3301
EAP-Message = 0x3130323136313231325a17:
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake fragment handler
[tls] eaptls_verify returned 1
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 2 to 192.168.x.x port 2049
Reply-Message = "Hello, User Name"
EAP-Message = 0x010404000dc0000009bxxxxxx
EAP-Message = 0xfdf4cec951566e50d17
EAP-Message = 0xca21c0f495c75a3a13d
EAP-Message = 0x01ff300d06092a86488
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x7d1f9f227e1b92c8e39
Finished request 3.
Going to the next request
and so on ...
but here it might be important:
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] eaptls_verify returned 7
[tls] Done initial handshake
[tls] <<< TLS 1.0 Handshake [length 03de], Certificate
[tls] chain-depth=1,
[tls] error=0
[tls] --> User-Name = User Name
[tls] --> BUF-Name = Radius CA
[tls] --> subject = /C=DE/ST=Somewhere/L=Somewhere/O=Manske EIS/OU=Radius_Managment/emailAddress=radius at xxxx
[tls] --> issuer = /C=DE/ST=Somewhere/L=Somewhere/O=Manske EIS/OU=Radius_Managment/emailAddress=radius at xxxx
[tls] --> verify return:1
--> verify error:num=7:certificate signature failure
[tls] >>> TLS 1.0 Alert [length 0002], fatal decrypt_error
TLS Alert write:fatal:decrypt error
TLS_accept: error in SSLv3 read client certificate B
rlm_eap: SSL error error:04067084:rsa routines:RSA_EAY_PUBLIC_DECRYPT:data too large for modulus
SSL: SSL_read failed inside of TLS (-1), TLS session fails.
TLS receive handshake failed during operation
[tls] eaptls_process returned 4
[eap] Handler failed in EAP/tls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect (certificate signature failure): [User Name/<via Auth-Type = EAP>] (from client xxxx
Using Post-Auth-Type REJECT
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> User Name
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 6 for 2 seconds
Going to the next request
Waking up in 0.9 seconds.
Waking up in 0.9 seconds.
Sending delayed reject for request 6
Sending Access-Reject of id 2 to 192.168.x.x port 2049
TIA,
Stephan
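The debug output above fails at `chain-depth=1` with `subject` equal to `issuer`, so the `verify error:num=7:certificate signature failure` is reported while OpenSSL is checking the CA certificate itself, and the RSA error `data too large for modulus` is what OpenSSL raises when a signature value is not smaller than the modulus of the key it is being verified with, which is the normal symptom of checking a signature against a key other than the one that produced it. The following script is an added example, not part of the original post and not FreeRADIUS code: it builds a throwaway PKI in a temporary directory and runs the three checks a defender would run against the server's `CA_file` and CA key before touching the FreeRADIUS configuration. A deliberately damaged copy of the CA certificate and a regenerated CA with the same DN but a different key show what each check reports on failure. All DNs, file names and function names (`make_ca`, `issue_client`, `corrupt_cert`, `verify_cert`, `ca_matches_key`) are constructed for this example.

```shell
#!/bin/sh
# Added example; not part of the original post and not FreeRADIUS code.
# Checks run against a throwaway PKI (all names and DNs are constructed):
#   1. does the CA certificate verify under its own signature?
#   2. does the client certificate verify against that CA?
#   3. does the CA certificate carry the public half of the CA private key?
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

CA_SUBJ="/C=XX/O=Example Org/OU=Radius_Management/CN=Example Radius CA"
USER_SUBJ="/C=XX/O=Example Org/OU=Radius_Management/CN=Example User"

# make_ca NAME: self-signed CA certificate and private key (NAME.crt, NAME.key)
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "$CA_SUBJ" \
    -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# issue_client CA NAME: client certificate NAME.crt signed with CA.key
issue_client() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$USER_SUBJ" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" -CAcreateserial \
    -days 2 -out "$2.crt" 2>/dev/null
}

# corrupt_cert IN OUT: copy of IN whose last DER byte (inside the signature
# value, the final element of a certificate) is changed, so the certificate
# still parses but no longer verifies under the issuer's key.
corrupt_cert() {
  openssl x509 -in "$1" -outform DER -out "$WORK/tmp.der" 2>/dev/null
  size=$(wc -c < "$WORK/tmp.der")
  last=$(tail -c 1 "$WORK/tmp.der" | od -An -tu1 | tr -d ' \n')
  if [ "$last" -eq 1 ]; then repl='\002'; else repl='\001'; fi
  { dd if="$WORK/tmp.der" bs=1 count=$((size - 1)) 2>/dev/null; printf "$repl"; } \
    > "$WORK/bad.der"
  openssl x509 -inform DER -in "$WORK/bad.der" -out "$2" 2>/dev/null
}

# verify_cert CA_FILE CERT: prints openssl's verdict and returns 0 only on
# "OK". -check_ss_sig makes openssl also verify the trust anchor's own
# signature (skipped by default in current releases); the output is parsed
# rather than the exit status because old releases exit 0 on failure.
verify_cert() {
  out=$(openssl verify -check_ss_sig -CAfile "$1" "$2" 2>&1) || true
  printf '%s\n' "$out"
  case "$out" in
    *": OK"*) return 0 ;;
    *)        return 1 ;;
  esac
}

# ca_matches_key CA_CERT CA_KEY: 0 when the certificate's public key is the
# public half of CA_KEY, i.e. the CA_file and the signing key belong together.
ca_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

make_ca ca
issue_client ca client
corrupt_cert ca.crt ca_damaged.crt
make_ca ca_other          # same DN as ca, different key: a regenerated CA

echo "== 1. CA certificate under its own signature"
verify_cert ca.crt ca.crt
verify_cert ca_damaged.crt ca_damaged.crt || echo "(damaged CA file rejected)"
echo "== 2. client certificate against the CA"
verify_cert ca.crt client.crt
verify_cert ca_other.crt client.crt || echo "(same-DN CA with other key rejected)"
echo "== 3. CA certificate versus CA private key"
ca_matches_key ca.crt ca.key && echo "ca.crt matches ca.key"
ca_matches_key ca_other.crt ca.key || echo "ca_other.crt does not match ca.key"
```

Run it with a stock `openssl` on the path; on the failing cases `openssl verify` prints `error 7 at 0 depth lookup: certificate signature failure` when the candidate issuer is matched by name and its key does not verify the signature, or `error 20 ... unable to get local issuer certificate` on newer releases where an Authority Key Identifier mismatch stops the wrong CA from being matched at all. In a real deployment the same three checks are run with the files named by `CA_file` and `certificate_file` in `eap.conf`, and check 3 is the one that distinguishes a damaged or swapped CA certificate from a problem with the user certificates.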