suddenly problem with certificates / error in SSLv3 read client certificate B

Alan DeKok aland at deployingradius.com
Tue Jan 22 22:19:53 CET 2013


Stephan Manske wrote:
> first of all: this should not be a "how must I config my freeradius to
> work?" problem. This installation with these certificates and this
> config worked for over 8 months very well. And suddenly I got the problem.

  OK.

> changes before the problem occurs: I updated openssl-packages from
> 
> Internal Program Version: OpenSSL  1.0.0j
> also included the old version 0.9.7m
> also included the old version 0.9.8x
> 
> to
> 
> Internal Program Version: OpenSSL  1.0.1c

  That might be the issue.  It's hard to say.  SSL is magic.

> But I did this over three days before the errors occurred. In the
> meantime freeradius worked well.

  Maybe there's one client which *didn't* get login until after 3 days.

> So, here is a shortened output of radiusd -X (I hope I do not shorten
> important things - btw, are there parts of such a debug output I should
> keep secret?)

  Passwords, shared secrets.

> [tls] --> verify return:1
> --> verify error:num=7:certificate signature failure
> [tls] >>> TLS 1.0 Alert [length 0002], fatal decrypt_error
> TLS Alert write:fatal:decrypt error
>     TLS_accept: error in SSLv3 read client certificate B
> rlm_eap: SSL error error:04067084:rsa
> routines:RSA_EAY_PUBLIC_DECRYPT:data too large for modulus

  That's an SSL error.  It looks like the certificate being presented is
wrong, or the client has made a mistake in SSL.

  I would suggest manually verifying the certificates using the
"openssl" command-line tool.  It may be that the signatures are broken.
And the OpenSSL upgrade added code which checked for that, where the
older version of OpenSSL didn't check.

  For SSL issues, we're completely at the mercy of OpenSSL.  If it says
"bad certificate", then no amount of poking FreeRADIUS will make it
work.  You've just got to create good certificates.

  Alan DeKok.
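Alan's suggestion to check the certificates by hand with the openssl command-line tool, as an added example that is not part of the thread or of FreeRADIUS itself. It assumes a POSIX shell with an openssl binary on PATH; the CA and client certificate are throwaway ones the script generates, and the corrupted copy shows what openssl reports when a signature does not verify.

```shell
#!/bin/sh
# Added example (not from the mailing list): verify a client certificate
# against its CA with the openssl CLI, then corrupt the signature to show
# the "certificate signature failure" (verify error 7) case from the tool.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a throwaway CA and a client certificate signed by it (constructed test data).
make_certs() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=client" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/client.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/client.pem" >/dev/null 2>&1
}

# Manual check of a certificate against the CA file the server trusts.
# Exit status 0 means chain and signature are good; nonzero otherwise.
verify_cert() {
  openssl verify -CAfile "$1" "$2"
}

# Show who issued the cert and which algorithm signed it: the first thing
# to compare with the CA file actually installed on the RADIUS server.
inspect_cert() {
  openssl x509 -in "$1" -noout -subject -issuer
  openssl x509 -in "$1" -noout -text | grep 'Signature Algorithm' | head -n 1
}

# Corrupt the last byte of the DER encoding (the tail of the signature value)
# so the certificate still parses but its signature no longer verifies.
corrupt_signature() {
  openssl x509 -in "$1" -outform DER -out "$WORK/tmp.der"
  size=$(wc -c < "$WORK/tmp.der")
  last=$(tail -c 1 "$WORK/tmp.der" | od -An -tx1 | tr -d ' \n')
  if [ "$last" = "00" ]; then byte='\001'; else byte='\000'; fi
  printf "$byte" | dd of="$WORK/tmp.der" bs=1 seek=$((size - 1)) conv=notrunc 2>/dev/null
  openssl x509 -in "$WORK/tmp.der" -inform DER -out "$2"
}

make_certs
inspect_cert "$WORK/client.pem"
verify_cert "$WORK/ca.pem" "$WORK/client.pem"          # prints "<path>/client.pem: OK"
corrupt_signature "$WORK/client.pem" "$WORK/client-bad.pem"
if verify_cert "$WORK/ca.pem" "$WORK/client-bad.pem"; then
  echo "unexpected: corrupted certificate verified"
else
  echo "corrupted certificate rejected: this is the signature failure case"
fi
```

Run the same `openssl verify -CAfile` check against the real CA file and client certificate from the failing setup; if it reports error 7 there too, the problem is in the certificates rather than in the FreeRADIUS configuration.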
