suddenly problem with certificates / error in SSLv3 read client certificate B

Stephan Manske gmane-reply at
Tue Jan 22 22:49:58 CET 2013

Am 22.01.2013, 22:19 Uhr, schrieb Alan DeKok <aland at>:
> Stephan Manske wrote:

>> to
>> Internal Program Version: OpenSSL  1.0.1c
>   That might be the issue.  It's hard to say.  SSL is magic.
>> But I did this over three days before the errors occured. In the
>> meantime freeradius worked well.
>   Maybe there's one client which *didn't* get login until after 3 days.

regrettably no. All my certificate clients are affected. And there is at  
least one, namely my android, which connects every day. And this one has  
no problems for 3 days after update, and now it has the problem.

>> So, here is a shorten output of radiusd -X (I hope I do not shorten
>> important things - btw, are there parts of such an debug output I should
>> keep secret?)
>   Passwords, shared secrets.

What is about all this stuff:

EAP-Message = 0x010304000dc0000009b31603010031020000
State = 0x7d1f9f227f1c92c8e3xxxxxx

and so on?

>> [tls] --> verify return:1
>> --> verify error:num=7:certificate signature failure
>> [tls] >>> TLS 1.0 Alert [length 0002], fatal decrypt_error
>> TLS Alert write:fatal:decrypt error
>>     TLS_accept: error in SSLv3 read client certificate B
>> rlm_eap: SSL error error:04067084:rsa
>> routines:RSA_EAY_PUBLIC_DECRYPT:data too large for modulus
>   That's an SSL error.  It looks like the certificate being presented is
> wrong, or the client has made a mistake in SSL.

Am I right when I suggest this certificate B is the CA certificate?

The certificate A has no problems (in the majority of cases I found via  
google cert A was the problem).

>   I would suggest manually verifying the certificates using the
> "openssl" command-line tool.  It may be that the signatures are broken.

any hint where I can found more to read about what I should test? Which  
parameters I have to use with openssl command?

>  And the OpenSSL upgrade added code which checked for that, where the
> older version of OpenSSL didn't check.

>   For SSL issues, we're completely at the mercy of OpenSSL.  If it says
> "bad certificate", then no amount of poking FreeRADIUS will make it
> work.  You've just got to create good certificates.

And there is no way to tell freeradius to tell openssl to give more debug  
informations in this moment?

Ciao, Stephan

More information about the Freeradius-Users mailing list