suddenly problem with certificates / error in SSLv3 read client certificate B

Stephan Manske gmane-reply at stephan.manske-net.de
Wed Jan 23 19:53:53 CET 2013 

Am 22.01.2013, 22:19 Uhr, schrieb Alan DeKok <aland at deployingradius.com>:
> Stephan Manske wrote:

>> [tls] --> verify return:1
>> --> verify error:num=7:certificate signature failure
>> [tls] >>> TLS 1.0 Alert [length 0002], fatal decrypt_error
>> TLS Alert write:fatal:decrypt error
>>     TLS_accept: error in SSLv3 read client certificate B
>> rlm_eap: SSL error error:04067084:rsa
>> routines:RSA_EAY_PUBLIC_DECRYPT:data too large for modulus
>
>   That's an SSL error.  It looks like the certificate being presented is
> wrong, or the client has made a mistake in SSL.

I think I found the issue:

Yes, it is a ssl problem, the ca.key and all the certs are incompatible.

And no, it is not only a ssl problem, it is a freeradius problem, too:


I made a new client certificate and this can be verified:

#openssl verify -verbose -CAfile ca.pem 0B.pem
0B.pem: OK

I made a next one:

openssl verify -verbose -CAfile ca.pem 0C.pem
0C.pem: OK

but, the last one now:

)# openssl verify -verbose -CAfile ca.pem 0B.pem
0B.pem: C = DE, ST = Somewhere, O = Manske EIS, OU = Radius_Managment, CN  
= xxxx Smart, emailAddress = user at mail.example
error 7 at 0 depth lookup:certificate signature failure
3074770568:error:0407006A:rsa  
routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:100:
3074770568:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding  
check failed:rsa_eay.c:721:
3074770568:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP  
lib:a_verify.c:215:


IMHO these patch
https://github.com/FreeRADIUS/freeradius-server/commit/2d3f119cd8d9e99028f968db1ee108eb6f05db09#raddb/certs/Makefile

with

+ca.key ca.pem: ca.cnf index.txt serial

makes ca.key dependant to the date of index.txt and serial

Both files are updated every time a new client cert is build. IMHO.

And so, I have a look at the cert generation:

# touch serial
# make client
openssl req -new  -out client.csr -keyout client.key -config ./client.cnf
Generating a 2048 bit RSA private key
.....+++
...........................................................+++
writing new private key to 'client.key'
-----
openssl req -new -x509 -keyout ca.key -out ca.pem \
         -days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config  
./ca.cnf
Generating a 2048 bit RSA private key
.............................................................+++
........................................................................................+++
writing new private key to 'ca.key'

# touch serial
# make client
openssl req -new -x509 -keyout ca.key -out ca.pem \
         -days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config  
./ca.cnf
Generating a 2048 bit RSA private key
.........................................................................................+++
..................+++
writing new private key to 'ca.key'
-----

and so on ...


With this new generated ca.key the older certs are not able to validate  
anymore. But I do not think, that it is wanted to generate a new ca.key  
every time, or am I wrong?



This looks similar to

https://github.com/FreeRADIUS/freeradius-server/commit/7394b88e4725d47727338400665396d3e96ac1a2#raddb/certs/Makefile

69 	  	-server.crt: server.csr ca.key ca.pem index.txt serial
69 	   +server.crt: server.csr ca.key ca.pem

before your patch I made this with an order-only prerequisites "|" in my  
private source:

server.crt: server.csr ca.key ca.pem | index.txt serial

I did this for the mentioned parts now, too

######################################################################
#
#  Create a new self-signed CA certificate
#
######################################################################
ca.key ca.pem: ca.cnf | index.txt serial
         openssl req -new -x509 -keyout ca.key -out ca.pem \
                 -days $(CA_DEFAULT_DAYS) -config ./ca.cnf



and it works:

# touch serial
# make client
openssl req -new  -out client.csr -keyout client.key -config ./client.cnf
Generating a 2048 bit RSA private key
.....................+++
.......+++
writing new private key to 'client.key'
-----
openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr  -key `grep  
output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out client.crt  
-extensions xpclient_ext -extfile xpextensions -config ./client.cnf
Using configuration from ./client.cnf
Check that the request matches the signature
Signature ok
...

# touch serial
# make client
openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr  -key `grep  
output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out client.crt  
-extensions xpclient_ext -extfile xpextensions -config ./client.cnf
Using configuration from ./client.cnf
Check that the request matches the signature
Signature ok
Certificate Details:

even:

# touch serial
# make ca.key
make: `ca.key' is up to date.


I hope my thoughts are right and helpfull.


Ciao, Stephan

More information about the Freeradius-Users mailing list