Problem setting up EAP-TLS with hostap
Chris Anderson
cjanderson at yandex.com
Sun Jan 12 23:32:17 CET 2014
Thank you all. I got it working, but using the certificates that I have for OpenVPN.
The strange thing is that when you actually do a dump of the key using the build system (Makefiles and cnf) in the Gentoo /etc/raddb/certs directory, the length is zero. There doesn't appear to be a key in there.
But all I needed to know was that I was heading in the right direction.
Kind regards
Chris
12.01.2014, 13:12, "Alan DeKok" <aland at deployingradius.com>:
> Chris Anderson wrote:
>
>> When I run freeradius with the -X option I get the following log
>
> Attaching it in-line or as a ".txt" file would have been friendlier.
>
> Anyways, the key lines are:
>
> [tls] <<< TLS 1.0 Alert [length 0002], fatal decrypt_error
> TLS Alert read:fatal:decrypt error
> TLS_accept: failed in SSLv3 read client certificate A
> rlm_eap: SSL error error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1
> alert decrypt error
>
> Your certificates / CA don't match. SSL isn't magic, but it is fragile.
>
> Follow the instructions on my web site: http://deployingradius.com/
>
> Once you have it working with test certificates, then follow the
> *same* procedure with real certificates. It *will* work.
>
> The only way to keep SSL happy is a careful application of procedure.
> If you skip a step, then the certificate chain doesn't make sense to
> SSL, and it will fail.
>
> Alan DeKok.
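A pre-flight check for the two failure causes raised in this thread, a zero-length key file and certificates that do not match the CA, as an added example that is not part of the original messages or of FreeRADIUS's own scripts. The function name, its return codes and the KEY_PASS variable are assumptions; it needs the openssl command-line tool.

```shell
#!/bin/sh
# Added example: consistency checks for a CA / certificate / private key set
# before it is configured for EAP-TLS. File paths are passed as arguments.

# check_tls_material CA_CERT CERT KEY
# Returns 0 if all checks pass, 1 for an empty or unreadable key,
# 2 if the certificate does not belong to the key, 3 if it does not
# verify against the CA.
check_tls_material() {
    ca=$1; cert=$2; key=$3
    # KEY_PASS is a hypothetical variable holding the passphrase of an
    # encrypted key; it is ignored for unencrypted keys.
    pass="pass:${KEY_PASS:-}"

    # 1. The key file must be non-empty and parse as a private key.
    if [ ! -s "$key" ] ||
       ! openssl pkey -in "$key" -passin "$pass" -noout 2>/dev/null; then
        echo "FAIL: $key is empty or not a readable private key" >&2
        return 1
    fi

    # 2. The public key inside the certificate must equal the public key
    #    derived from the private key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -passin "$pass" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $cert does not belong to $key" >&2
        return 2
    fi

    # 3. The certificate must verify against the CA certificate.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not verify against $ca" >&2
        return 3
    fi

    echo "OK: key, certificate and CA are consistent"
}

# Stand-alone use: sh check.sh ca.pem server.pem server.key
if [ "$#" -eq 3 ]; then
    check_tls_material "$@"
fi
```

Run it once for the server's files and once for the client's, each against the CA the other side is configured to trust.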