EAP-TLS Authentication fails (TLS_accept: error in SSLv3 read client certificate B)

Esma Yalcinkaya esmayalcinkayaa at gmail.com
Wed Nov 27 19:11:36 CET 2013

Thanks for your replies.
Not sure, maybe the problem is importing the client cert file via keytool.
Because I create the Radius Client in code and send an authentication request.
I will look for how to set the client cert file in my code.

Thanks & Regards,

On Wed, Nov 27, 2013 at 5:47 PM, John Dennis <jdennis at redhat.com> wrote:

> On 11/27/2013 10:15 AM, Esma Yalcinkaya wrote:
> > My application runs on glassfish server, so I import the cert files to
> > keystore. Also tried to import cert files to cacerts
> > directory (/java/jdk1.6.0_34/jre/lib/security/cacerts) but it did not
> > work.
> >
> > I import the server.crt too, and try to authenticate now, but nothing
> > has changed.
> >
> > I am continuing to debug the logs (server logs, freeradius logs etc).
> >
> > Let me ask a question, I am new at freeradius. Although this error
> > occurs for SSLv3 read client certificate B, there is no error occurrence
> > for certificate A like below.
> >
> > [tls]     TLS_accept: SSLv3 write certificate request A
> > [tls]     TLS_accept: SSLv3 flush data
> > [tls]     TLS_accept: Need to read more data: SSLv3 read client certificate A
> >
> > I did not understand this log, what does it mean "need to read more
> > data"?
>
> It means exactly what Alan said below. It's waiting for the peer to send
> a client certificate.
>
> TLS works by performing a number of exchanges in what is called
> "handshaking". The handshake exchanges negotiate the type of TLS
> connection which is going to be established. Certificate exchange is
> part of the handshake process. A server certificate is always sent to
> the client so the client can validate the server. This is known as
> server only validation, the server does not care who the client is. But
> TLS is also capable of mutual authentication where the client must
> authenticate to the server as well so the server knows who the client
> is. This is the basis of eap-tls, it's using the client TLS validation
> as an authentication of the client. During the TLS handshake the server
> will send a request to the client saying "please send me your
> certificate". That's what is happening here, the server has made a
> request for a client cert and now it's waiting to read that response
> from the client. If that response does not arrive then this is not a
> FreeRADIUS issue, it's a problem with your eap-tls client.
>
> >     >     TLS_accept: error in SSLv3 read client certificate B
> >     > rlm_eap: SSL error error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
> >
> >       The end user system isn't sending over a client certificate.
>
> --
> John
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
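
The handshake stall described in the reply above can be read mechanically from the debug output. The following Python is an added example, not part of the original thread and not FreeRADIUS code: it walks the `TLS_accept` lines quoted in the thread and unpacks the error code `140890C7`. The function names and the OpenSSL 1.x bit layout (8-bit library, 12-bit function, 12-bit reason) are assumptions of the example.

```python
import re

# Sample input assembled from the debug lines quoted in the thread.
SAMPLE_LOG = """\
[tls]     TLS_accept: SSLv3 write certificate request A
[tls]     TLS_accept: SSLv3 flush data
[tls]     TLS_accept: Need to read more data: SSLv3 read client certificate A
    TLS_accept: error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
"""

STATE_RE = re.compile(r"TLS_accept: (?:(Need to read more data): |(error) in )?(SSLv3 .+)$")
ERR_RE = re.compile(r"SSL error error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)$")


def unpack_openssl_error(code_hex):
    """Split a packed OpenSSL 1.x error code into (library, function, reason)."""
    # Assumed pre-3.0 layout: 8 bits library, 12 bits function, 12 bits reason.
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def triage(log_text):
    """Walk the handshake trace and report where and why it stopped."""
    result = {"cert_requested": False, "waiting_on": None,
              "failed_state": None, "error": None}
    for line in log_text.splitlines():
        m = STATE_RE.search(line)
        if m:
            waiting, failed, state = m.groups()
            if state.startswith("SSLv3 write certificate request"):
                result["cert_requested"] = True   # server asked for a client cert
            if waiting:
                result["waiting_on"] = state      # server blocked on the peer
            if failed:
                result["failed_state"] = state    # state in which accept failed
            continue
        m = ERR_RE.search(line)
        if m:
            lib, func, reason = unpack_openssl_error(m.group(1))
            result["error"] = {"lib": lib, "func": func, "reason": reason,
                               "func_name": m.group(3), "text": m.group(4).strip()}
    # True only when a certificate was requested and the failure came from
    # the routine that reads the client's Certificate message.
    result["client_sent_no_cert"] = bool(
        result["cert_requested"] and result["error"]
        and result["error"]["func_name"] == "SSL3_GET_CLIENT_CERTIFICATE")
    return result
```

Calling `triage(SAMPLE_LOG)` reports that the server requested a certificate, waited in `SSLv3 read client certificate A`, and failed in state B with library 20, function 137, reason 199.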