TLS Alert: Fatal: Protocol version

Soham T. Aurangabadkar sohama4 at ccs.neu.edu
Wed Jul 30 22:06:21 CEST 2014


Hello, I am getting a strange error in my FreeRADIUS debug output, which I have posted below. I have built the client using C, OpenSSL and raw sockets, and it uses the 'user@example.com.pem' certificate generated by the scripts provided in /raddb/certs. Can you please tell me where I am going wrong? It is an error at the penultimate step of the EAP-TLS exchange. Thank you! :)

- Soham



rad_recv: Access-Request packet from host 192.168.1.11 port 62733, id=254, length=829
	User-Name = "sohama411111"
	Called-Station-Id = "ec-e5-55-9c-c3-b6"
	Calling-Station-Id = "00:24:9b:0c:2f:6e"
	NAS-Identifier = "ec-e5-55-9c-c3-ac"
	NAS-IP-Address = 192.168.1.11
	NAS-Port = 6
	Framed-MTU = 1500
	NAS-Port-Type = Ethernet
	State = 0xa2a1f780a7a7fad11c1fdcdf4905f39b
	EAP-Message = 0x1adbed2ab769f9d1840a5956aad1bc07ec4de29645f706568bdeb474f455be264384b32a21ef52fa83a0ce73f1eb065a0a67cde112c2082916030101060f0001020100cb37b6b39e07acbe5db0119c5f7bc8d2aef80ae74c33c1c7c4e3a85bdb9d98a0c540d9d16d6f08d0e019b1fce07a337e9869e079519f2f65161a744f38b0a3e541461a74c2c05adebde38b07c6c6d7301be51de656cf231ff4d58e4836e09633bdc379bca36a538b5bc4646e2a212b9c436af8749840e14d646268d52770f263e0bcbc965b37ae0d0dbb5e3e259882a29cdfb0f7eaba21d984748d017f4e495bcbe909d71e2f7a3d08689a49d9479e4887ea0558293d4e0dcc74
	EAP-Message = 0x61e3d33b48576d468e293468648476786964d5d050203aa0706fef1426432c3e5f5e49d33f77148209d34f01928db02b6b8d30338b9fd51e589b57576217a16c19c5a60bc875140301000101160301003099875a615089ecf3a1b21b7297c276f5bc8ab7be2f85d981f32a93c53ba178cf38c3be709ef5a241f1641f18bfc86cff1503010020ecc14febfeb1efd89ca273228fabc163f4d2536f8077de497b8257f10c0cfd80
	Message-Authenticator = 0xb2addbdef36eea66889ed2c3e3ee302e
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "sohama411111", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 6 length 253
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
++[expiration] = noop
++[logintime] = noop
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
  TLS Length 2690
[tls] Length Included
[tls] eaptls_verify returned 11 
[tls] <<< TLS 1.0 Handshake [length 08c7], Certificate  
[tls] chain-depth=1, 
[tls] error=0
[tls] --> User-Name = sohama411111
[tls] --> BUF-Name = Example Certificate Authority
[tls] --> subject = /C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin at example.com/CN=Example Certificate Authority
[tls] --> issuer  = /C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin at example.com/CN=Example Certificate Authority
[tls] --> verify return:1
	TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication"
[tls] chain-depth=0, 
[tls] error=0
[tls] --> User-Name = sohama411111
[tls] --> BUF-Name = sohama4 at gmail.com
[tls] --> subject = /C=FR/ST=Radius/O=Example Inc./CN=sohama4 at gmail.com/emailAddress=sohama4 at gmail.com
[tls] --> issuer  = /C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin at example.com/CN=Example Certificate Authority
[tls] --> verify return:1
[tls]     TLS_accept: SSLv3 read client certificate A
[tls] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange  
[tls]     TLS_accept: SSLv3 read client key exchange A
[tls] <<< TLS 1.0 Handshake [length 0106], CertificateVerify  
[tls]     TLS_accept: SSLv3 read certificate verify A
[tls] <<< TLS 1.0 ChangeCipherSpec [length 0001]  
[tls] <<< TLS 1.0 Handshake [length 0010], Finished  
[tls]     TLS_accept: SSLv3 read finished A
[tls] >>> TLS 1.0 ChangeCipherSpec [length 0001]  
[tls]     TLS_accept: SSLv3 write change cipher spec A
[tls] >>> TLS 1.0 Handshake [length 0010], Finished  
[tls]     TLS_accept: SSLv3 write finished A
[tls]     TLS_accept: SSLv3 flush data
[tls]     (other): SSL negotiation finished successfully
[tls] <<< TLS 1.0 Alert [length 0002], fatal protocol_version  
TLS Alert read:fatal:protocol version
rlm_eap: SSL error error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version
SSL Connection Established 
[tls] eaptls_process returned 13 
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 254 to 192.168.1.11 port 62733
	EAP-Message = 0x010700450d800000003b1403010001011603010030fcca5a85d37c2ec29f40904ccb9dbe3ac886668b24f36a70ea88aed096ed2520ee567dcce866caf89a455cdc9b1421ed
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xa2a1f780a4a6fad11c1fdcdf4905f39b
Finished request 6.
Going to the next request
Waking up in 2.2 seconds.
rad_recv: Access-Request packet from host 192.168.1.11 port 62733, id=255, length=159
	User-Name = "sohama411111"
	Called-Station-Id = "ec-e5-55-9c-c3-b6"
	Calling-Station-Id = "00:24:9b:0c:2f:6e"
	NAS-Identifier = "ec-e5-55-9c-c3-ac"
	NAS-IP-Address = 192.168.1.11
	NAS-Port = 6
	Framed-MTU = 1500
	NAS-Port-Type = Ethernet
	State = 0xa2a1f780a4a6fad11c1fdcdf4905f39b
	EAP-Message = 0x020700060d00
	Message-Authenticator = 0x9edad03d955fdbb9df9945226a174d53
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "sohama411111", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 7 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
++[expiration] = noop
++[logintime] = noop
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK alert
[tls] eaptls_verify returned 4 
[tls] eaptls_process returned 4 
[eap] Handler failed in EAP/tls
[eap] Failed in EAP select
++[eap] = invalid
+} # group authenticate = invalid
Failed to authenticate the user.
Using Post-Auth-Type REJECT
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+group REJECT {
[attr_filter.access_reject] 	expand: %{User-Name} -> sohama411111
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 7 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 7
Sending Access-Reject of id 255 to 192.168.1.11 port 62733
	EAP-Message = 0x04070004
	Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 1.2 seconds.
Cleaning up request 0 ID 248 with timestamp +21
Waking up in 2.6 seconds.
Cleaning up request 1 ID 249 with timestamp +24
Cleaning up request 2 ID 250 with timestamp +24
Cleaning up request 3 ID 251 with timestamp +24
Cleaning up request 4 ID 252 with timestamp +24
Cleaning up request 5 ID 253 with timestamp +24
Cleaning up request 6 ID 254 with timestamp +24
Waking up in 1.0 seconds.
Cleaning up request 7 ID 255 with timestamp +24
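
As an added example (not part of the original post or of FreeRADIUS), the following decoder walks the EAP-TLS packets quoted in the debug output above: the Access-Challenge the server sent for id 7, and the tail of the client's last EAP-Message fragment. It only parses the EAP-TLS header (RFC 5216) and the TLS record headers (RFC 5246); record bodies after ChangeCipherSpec are encrypted, so the lengths it reports are the on-the-wire ones, not the decrypted 0010 and 0002 the server prints.

```python
# Added example, not from the original post: decode the EAP-TLS packets quoted in
# the debug output above down to their TLS record headers (RFC 5216 and RFC 5246).
import struct

CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}

def parse_tls_records(data: bytes):
    """Split bytes into TLS records as (type_name, (major, minor), body_len).
    Bodies stay opaque: after ChangeCipherSpec they are encrypted, which is why
    the server logs Finished as 0010 and the Alert as 0002 only after decrypting."""
    records, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 5:
            raise ValueError(f"truncated record header at offset {pos}")
        ctype, major, minor, length = struct.unpack_from("!BBBH", data, pos)
        if len(data) - pos - 5 < length:
            raise ValueError(f"record at offset {pos} wants {length} bytes, fewer present")
        records.append((CONTENT_TYPES.get(ctype, f"type{ctype}"), (major, minor), length))
        pos += 5 + length
    return records

def parse_eap_tls(packet: bytes):
    """Decode one EAP-TLS packet: code, id, length, type 13, flags, optional TLS length.
    Flags: L=0x80 length included, M=0x40 more fragments, S=0x20 EAP-TLS start."""
    code, ident, length, eap_type, flags = struct.unpack_from("!BBHBB", packet, 0)
    if eap_type != 13:
        raise ValueError(f"EAP type {eap_type} is not EAP-TLS (13)")
    if length != len(packet):
        raise ValueError(f"EAP length field {length} != {len(packet)} bytes on the wire")
    pos, tls_length = 6, None
    if flags & 0x80:
        (tls_length,) = struct.unpack_from("!I", packet, pos)
        pos += 4
    return {"code": code, "id": ident, "length": length, "tls_length": tls_length,
            "L": bool(flags & 0x80), "M": bool(flags & 0x40), "S": bool(flags & 0x20),
            # Records can only be framed once no further fragments (M bit) are pending.
            "records": None if flags & 0x40 else parse_tls_records(packet[pos:])}

# Access-Challenge id 7 from the log: the server's ChangeCipherSpec and Finished.
SERVER_FLIGHT = bytes.fromhex(
    "010700450d800000003b1403010001011603010030fcca5a85d37c2ec29f40904ccb9dbe3a"
    "c886668b24f36a70ea88aed096ed2520ee567dcce866caf89a455cdc9b1421ed")
# Tail of the client's last EAP-Message fragment: ChangeCipherSpec, Finished, then the
# encrypted record the server reports as "Alert [length 0002], fatal protocol_version".
CLIENT_TAIL = bytes.fromhex(
    "140301000101" "160301003099875a615089ecf3a1b21b7297c276f5bc8ab7be2f85d981f32a93c5"
    "3ba178cf38c3be709ef5a241f1641f18bfc86cff" "1503010020ecc14febfeb1efd89ca27322"
    "8fabc163f4d2536f8077de497b8257f10c0cfd80")  # last record: ('Alert', (3, 1), 32)
```

parse_tls_records(CLIENT_TAIL) returns three records whose last is an Alert: the client put the alert into the same flight as its own Finished, already encrypted under the new cipher spec, which is why the server sees "SSL negotiation finished successfully" before it decrypts and reports the 2-byte protocol_version alert. parse_eap_tls(SERVER_FLIGHT) shows the reply contains only the server's ChangeCipherSpec and Finished (59 bytes, L bit set), so the fatal alert originated on the client side of the exchange.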

