EAP-TLS Authentication fails( TLS_accept: error in SSLv3 read client certificate B)

John Dennis jdennis at redhat.com
Wed Nov 27 16:47:52 CET 2013


On 11/27/2013 10:15 AM, Esma Yalcinkaya wrote:
> My application runs on glassfish server, so I import the cert files to
> keystore. Also tried to import cert files to cacerts
> directory(/java/jdk1.6.0_34/jre/lib/security/cacerts) but it did not work.
> 
> I import the server.crt too, and try to authenticate now, but nothing
> has changed.
> 
> I am continuing to debug the logs(server logs, freeradius logs etc). 
> 
> Let me ask a question, I am new at freeradius. Although this error
> occurs for SSLv3 read client certificate B, there is no error occurrence
> for certificate A like below.
> 
> [tls]     TLS_accept: SSLv3 write certificate request A
> [tls]     TLS_accept: SSLv3 flush data
> [tls]     TLS_accept: Need to read more data: SSLv3 read client
> certificate A
> 
> I did not understand this log, what does it mean "need to read more data"?

It means exactly what Alan said below. It's waiting for the peer to send
a client certificate.

TLS works by performing a number of exchanges in what is called
"handshaking". The handshake exchanges negotiate the type of TLS
connection which is going to be established. Certificate exchange is
part of the handshake process. A server certificate is always sent to
the client so the client can validate the server. This is known as
server-only validation; the server does not care who the client is. But
TLS is also capable of mutual authentication where the client must
authenticate to the server as well so the server knows who the client
is. This is the basis of eap-tls, it's using the client TLS validation
as an authentication of the client. During the TLS handshake the server
will send a request to the client saying "please send me your
certificate". That's what is happening here, the server has made a
request for a client cert and now it's waiting to read that response
from the client. If that response does not arrive then this is not a
FreeRADIUS issue, it's a problem with your eap-tls client.


>     >     TLS_accept: error in SSLv3 read client certificate B
>     > rlm_eap: SSL error error:140890C7:SSL
>     > routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
> 
>       The end user system isn't sending over a client certificate.


-- 
John
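As an added illustration (not part of John's reply and not FreeRADIUS code), a small Python script that reads the kind of debug lines quoted above and separates the two outcomes John describes: the server sent a certificate request and no client certificate came back (a supplicant-side problem), versus a certificate was read but rejected. The sample log is constructed from the lines in the thread; the regexes assume the `TLS_accept:` and `rlm_eap: SSL error` formats shown there.

```python
import re

# Constructed sample of FreeRADIUS debug output (radiusd -X) for a failing
# EAP-TLS exchange, modelled on the lines quoted in the thread above.
SAMPLE_LOG = """\
[tls]     TLS_accept: SSLv3 write server done A
[tls]     TLS_accept: SSLv3 write certificate request A
[tls]     TLS_accept: SSLv3 flush data
[tls]     TLS_accept: Need to read more data: SSLv3 read client certificate A
[tls]     TLS_accept: error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
"""

# One handshake state line; the optional prefix tells "waiting" and "failed" apart.
STEP_RE = re.compile(
    r"TLS_accept:\s+(?:(error in)\s+|Need to read more data:\s+)?(SSLv3 .+?)\s*$")
# OpenSSL error line as rlm_eap prints it: code, routine, human-readable reason.
ERR_RE = re.compile(r"SSL error error:([0-9A-Fa-f]+):SSL routines:(\w+):(.+?)\s*$")


def analyse_handshake(log_text):
    """Walk the log and record how far the server side of the handshake got."""
    state = {"requested_client_cert": False, "failed_steps": [], "ssl_errors": []}
    for line in log_text.splitlines():
        m = STEP_RE.search(line)
        if m:
            failed, step = m.group(1), m.group(2)
            if step.startswith("SSLv3 write certificate request"):
                state["requested_client_cert"] = True  # server asked for a client cert
            if failed:
                state["failed_steps"].append(step)
        m = ERR_RE.search(line)
        if m:
            state["ssl_errors"].append((m.group(1).upper(), m.group(2), m.group(3)))
    return state


def diagnose(state):
    """Map the recorded state to a short verdict and what to look at next."""
    reasons = [reason for _, _, reason in state["ssl_errors"]]
    cert_read_failed = any("read client certificate" in s for s in state["failed_steps"])
    if state["requested_client_cert"] and "peer did not return a certificate" in reasons:
        return ("client", "server asked for a client certificate and none arrived: "
                          "check the supplicant's EAP-TLS certificate/key setup")
    if cert_read_failed:
        return ("server", "a client certificate came back but the server could not "
                          "accept it; see the SSL error reason(s): " + "; ".join(reasons))
    return ("ok", "no client-certificate failure in this handshake")

if __name__ == "__main__":
    print(diagnose(analyse_handshake(SAMPLE_LOG)))
```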
