suddenly problem with certificates / error in SSLv3 read client certificate B
gmane-reply at stephan.manske-net.de
Tue Jan 22 22:49:58 CET 2013
On 22.01.2013 at 22:19, Alan DeKok <aland at deployingradius.com> wrote:
> Stephan Manske wrote:
>> Internal Program Version: OpenSSL 1.0.1c
> That might be the issue. It's hard to say. SSL is magic.
>> But I did this over three days before the errors occurred. In the
>> meantime freeradius worked well.
> Maybe there's one client which *didn't* get login until after 3 days.
Regrettably no. All my certificate clients are affected. And there is at
least one, namely my Android, which connects every day. And this one had
no problems for 3 days after the update, and now it has the problem.
>> So, here is a shortened output of radiusd -X (I hope I do not shorten
>> important things - btw, are there parts of such a debug output I should
>> keep secret?)
> Passwords, shared secrets.
What about all this stuff:
EAP-Message = 0x010304000dc0000009b31603010031020000
State = 0x7d1f9f227f1c92c8e3xxxxxx
and so on?
>> [tls] --> verify return:1
>> --> verify error:num=7:certificate signature failure
>> [tls] >>> TLS 1.0 Alert [length 0002], fatal decrypt_error
>> TLS Alert write:fatal:decrypt error
>> TLS_accept: error in SSLv3 read client certificate B
>> rlm_eap: SSL error error:04067084:rsa routines:RSA_EAY_PUBLIC_DECRYPT:data too large for modulus
> That's an SSL error. It looks like the certificate being presented is
> wrong, or the client has made a mistake in SSL.
Am I right in assuming this certificate B is the CA certificate?
Certificate A has no problems (in the majority of cases I found via
Google, cert A was the problem).
> I would suggest manually verifying the certificates using the
> "openssl" command-line tool. It may be that the signatures are broken.
Any hint where I can find more to read about what I should test? Which
parameters do I have to use with the openssl command?
> And the OpenSSL upgrade added code which checked for that, where the
> older version of OpenSSL didn't check.
> For SSL issues, we're completely at the mercy of OpenSSL. If it says
> "bad certificate", then no amount of poking FreeRADIUS will make it
> work. You've just got to create good certificates.
And there is no way to tell freeradius to tell openssl to give more debug
information at this moment?
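As an added example (not from the thread, and not FreeRADIUS's own tooling), here is how the manual openssl check Alan suggests can be scripted: verify the client certificate against the CA file FreeRADIUS is configured to trust, and print the fields worth comparing when the signature fails. The CA and client files it generates are constructed test fixtures; in practice, point it at the real CA file and the client's certificate.

```shell
#!/bin/sh
# Manual check of an EAP-TLS client certificate against the CA that
# FreeRADIUS is configured to trust, using only the openssl command line.
# verify_client_cert returns openssl's exit status: 0 when the chain and
# signatures check out, non-zero when openssl rejects the certificate.

verify_client_cert() {
    ca_file="$1"; cert_file="$2"
    openssl verify -CAfile "$ca_file" -purpose sslclient "$cert_file"
}

# Fields worth comparing on the client cert and the CA when a signature
# fails: issuer vs. subject, signature algorithm, and the RSA key size.
show_cert_summary() {
    openssl x509 -in "$1" -noout -subject -issuer -serial -dates
    openssl x509 -in "$1" -noout -text | grep -E 'Signature Algorithm|Public-Key'
}

# Constructed fixtures (not from the thread): two self-signed CAs and a
# client certificate signed by the first, so checking against the second
# reproduces a signature failure of the kind openssl reports.
make_fixtures() {
    dir="$1"
    for ca in good other; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$ca CA" \
            -keyout "$dir/$ca-ca.key" -out "$dir/$ca-ca.pem" 2>/dev/null
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=client" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/client.csr" -CA "$dir/good-ca.pem" \
        -CAkey "$dir/good-ca.key" -CAcreateserial -out "$dir/client.pem" 2>/dev/null
}

# Stand-alone demo: verify the client cert against the right and the wrong CA.
demo() {
    dir=$(mktemp -d)
    make_fixtures "$dir"
    show_cert_summary "$dir/client.pem"
    for ca in good other; do
        if verify_client_cert "$dir/$ca-ca.pem" "$dir/client.pem"; then
            echo "$ca CA: chain OK"
        else
            echo "$ca CA: verification FAILED (expected for the wrong CA)"
        fi
    done
    rm -rf "$dir"
}
if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it with `--demo` to see both outcomes; against the wrong CA, openssl reports the signature failure itself, which is the same class of error the radiusd -X output above shows.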