suddenly problem with certificates / error in SSLv3 read client certificate B
Stephan Manske
gmane-reply at stephan.manske-net.de
Wed Jan 23 19:53:53 CET 2013
On 22.01.2013, 22:19, Alan DeKok <aland at deployingradius.com> wrote:
> Stephan Manske wrote:
>> [tls] --> verify return:1
>> --> verify error:num=7:certificate signature failure
>> [tls] >>> TLS 1.0 Alert [length 0002], fatal decrypt_error
>> TLS Alert write:fatal:decrypt error
>> TLS_accept: error in SSLv3 read client certificate B
>> rlm_eap: SSL error error:04067084:rsa
>> routines:RSA_EAY_PUBLIC_DECRYPT:data too large for modulus
>
> That's an SSL error. It looks like the certificate being presented is
> wrong, or the client has made a mistake in SSL.
I think I found the issue:
Yes, it is an SSL problem, the ca.key and all the certs are incompatible.
And no, it is not only an SSL problem, it is a FreeRADIUS problem, too:
I made a new client certificate and this can be verified:
# openssl verify -verbose -CAfile ca.pem 0B.pem
0B.pem: OK
I made a next one:
# openssl verify -verbose -CAfile ca.pem 0C.pem
0C.pem: OK
but, the last one now:
# openssl verify -verbose -CAfile ca.pem 0B.pem
0B.pem: C = DE, ST = Somewhere, O = Manske EIS, OU = Radius_Managment, CN
= xxxx Smart, emailAddress = user at mail.example
error 7 at 0 depth lookup:certificate signature failure
3074770568:error:0407006A:rsa
routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:100:
3074770568:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding
check failed:rsa_eay.c:721:
3074770568:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP
lib:a_verify.c:215:
IMHO this patch
https://github.com/FreeRADIUS/freeradius-server/commit/2d3f119cd8d9e99028f968db1ee108eb6f05db09#raddb/certs/Makefile
with
+ca.key ca.pem: ca.cnf index.txt serial
makes ca.key dependent on the date of index.txt and serial.
Both files are updated every time a new client cert is built, IMHO.
And so I had a look at the cert generation:
# touch serial
# make client
openssl req -new -out client.csr -keyout client.key -config ./client.cnf
Generating a 2048 bit RSA private key
.....+++
...........................................................+++
writing new private key to 'client.key'
-----
openssl req -new -x509 -keyout ca.key -out ca.pem \
-days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config
./ca.cnf
Generating a 2048 bit RSA private key
.............................................................+++
........................................................................................+++
writing new private key to 'ca.key'
# touch serial
# make client
openssl req -new -x509 -keyout ca.key -out ca.pem \
-days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config
./ca.cnf
Generating a 2048 bit RSA private key
.........................................................................................+++
..................+++
writing new private key to 'ca.key'
-----
and so on ...
With this newly generated ca.key the older certs cannot be validated
anymore. But I do not think that generating a new ca.key every time
is wanted, or am I wrong?
This looks similar to
https://github.com/FreeRADIUS/freeradius-server/commit/7394b88e4725d47727338400665396d3e96ac1a2#raddb/certs/Makefile
-server.crt: server.csr ca.key ca.pem index.txt serial
+server.crt: server.csr ca.key ca.pem
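Review bot: dropping index.txt and serial from the prerequisites of server.crt removes the staleness trigger, but it also drops the requirement that both files exist before openssl ca runs; the order-only form quoted further down, `server.crt: server.csr ca.key ca.pem | index.txt serial`, keeps that existence requirement while no longer making server.crt (or, in the same way, ca.key) out of date each time openssl ca rewrites index.txt and serial.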
Before your patch I did this with an order-only prerequisite ("|") in my
private source:
server.crt: server.csr ca.key ca.pem | index.txt serial
I did this for the mentioned parts now, too:
######################################################################
#
# Create a new self-signed CA certificate
#
######################################################################
ca.key ca.pem: ca.cnf | index.txt serial
	openssl req -new -x509 -keyout ca.key -out ca.pem \
	-days $(CA_DEFAULT_DAYS) -config ./ca.cnf
and it works:
# touch serial
# make client
openssl req -new -out client.csr -keyout client.key -config ./client.cnf
Generating a 2048 bit RSA private key
.....................+++
.......+++
writing new private key to 'client.key'
-----
openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key `grep
output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out client.crt
-extensions xpclient_ext -extfile xpextensions -config ./client.cnf
Using configuration from ./client.cnf
Check that the request matches the signature
Signature ok
...
# touch serial
# make client
openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key `grep
output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out client.crt
-extensions xpclient_ext -extfile xpextensions -config ./client.cnf
Using configuration from ./client.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Even:
# touch serial
# make ca.key
make: `ca.key' is up to date.
I hope my thoughts are right and helpful.
Ciao, Stephan
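The dependency problem described in this mail, reproduced as an added example (not part of the thread and not the raddb/certs/Makefile itself): a stand-in Makefile whose recipes only stamp files instead of calling openssl, so the rebuild of ca.key after a client-cert signing is observable offline. It assumes GNU make, since order-only prerequisites ("|") are a GNU make feature; the file names and the constructed mtimes are the example's own.

```shell
#!/bin/sh
# Build ca.key once, simulate one client-cert signing (openssl ca rewrites
# index.txt and serial, making them newer than ca.key), then run
# "make client" and report whether the ca.key recipe ran again.
# $1 is the prerequisite list of the ca.key/ca.pem rule, e.g.
#   "ca.cnf index.txt serial"     (the rule from the quoted patch)
#   "ca.cnf | index.txt serial"   (the order-only variant)
# Prints "regenerated" (old certs now fail to verify) or "kept".
ca_key_after_client_signing() {
    prereqs=$1
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        # Stand-in for raddb/certs/Makefile (constructed for this example);
        # the CA recipe appends a marker so each run can be counted.
        printf 'ca.key ca.pem: %s\n\techo gen >> ca.key; cp ca.key ca.pem\n' "$prereqs" > Makefile
        printf 'client.csr:\n\techo csr > client.csr\n' >> Makefile
        printf 'client.crt: client.csr ca.key ca.pem | index.txt serial\n' >> Makefile
        printf '\techo signed > client.crt; echo 01 >> index.txt; echo 02 > serial\n' >> Makefile
        printf 'client: client.crt\n' >> Makefile
        : > ca.cnf; : > index.txt; : > serial
        make -s ca.key >/dev/null 2>&1 || exit 1
        # Fixed mtimes instead of sleeping: CA config and files in the past,
        # index.txt and serial newer, exactly the state after a signing.
        touch -t 199901010000 ca.cnf
        touch -t 200001010000 ca.key ca.pem
        touch -t 201001010000 index.txt serial
        make -s client >/dev/null 2>&1 || exit 1
        if [ "$(grep -c gen ca.key)" -gt 1 ]; then
            echo regenerated
        else
            echo kept
        fi
    )
    status=$?
    rm -rf "$dir"
    return $status
}

# Usage: the patched rule regenerates the CA key, the order-only rule keeps it.
ca_key_after_client_signing 'ca.cnf index.txt serial'
ca_key_after_client_signing 'ca.cnf | index.txt serial'
```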