Windows 8.1 Wi-Fi client handshake failure (Martin Rowe)

Rui Ribeiro ruyrybeyro at gmail.com
Tue Oct 7 04:17:40 CEST 2014


Hi,

I am not seeing the XP X.509 OIDs specific for Windows on your certificate.
Don't you need them?
Have a look at certs/xpextensions.

Regards,
Rui
--
Senior Sysadm
ISCTE-IUL
https://www.linkedin.com/pub/rui-ribeiro/16/ab8/434



>
> Message: 2
> Date: Mon, 6 Oct 2014 11:28:14 -0700
> From: Martin Rowe <martin.p.rowe at gmail.com>
> To: freeradius-users at lists.freeradius.org
> Subject: Windows 8.1 Wi-Fi client handshake failure
> Message-ID: <CAOAjy5SRi8VDv1FYunFDfJ-UgOW7+jmnWNZxDxycA1jA2bXKvg at mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> Hello,
>
> I'm having trouble getting a Windows 8.1 laptop to connect to my Wi-Fi
> which is using only EAP-TLS managed by FreeRADIUS. Before you ask, yes
> I have included serverAuth/clientAuth in the certificates and the
> configuration is tested to work with Linux and Android clients, so I
> don't think there is a problem on the server side. That is as far as
> Google has been able to help me, so I'm hoping someone here has had
> the same problem and might know a solution.
>
> The specific issue as far as I can troubleshoot is that the client and
> server can't agree on a shared TLS cipher. I'm seeing these lines in
> my logs every time I attempt a connection:
>
> Info: [tls]     TLS_accept: before/accept initialization
> Info: [tls] <<< TLS 1.0 Handshake [length 0067], ClientHello
> Info: [tls] >>> TLS 1.0 Alert [length 0002], fatal handshake_failure
> Error: TLS Alert write:fatal:handshake failure
> Error:     TLS_accept: error in SSLv3 read client hello C
> Error: rlm_eap: SSL error error:1408A0C1:lib(20):func(138):reason(193)
> Error: SSL: SSL_read failed in a system call (-1), TLS session fails.
>
> From [1] it looks like the SSL errors mean:
>
> lib(20) = ERR_LIB_SSL
> func(138) = SSL_F_SSL3_GET_CLIENT_HELLO
> reason(193) = SSL_R_NO_SHARED_CIPHER
>
> [1] http://comments.gmane.org/gmane.comp.encryption.openssl.user/9654
>
> But that is as far as I can get. I've tried disabling every option I
> can in the configs and many variations on the Windows side, but they
> all stop at the same point. There is no limit I have set on which TLS
> ciphers can be used (cipher_list in eap{tls{}} is not used, and gave
> the same error when set to DEFAULT).
>
> My only other guess is there is something wrong with the certificates,
> but I'm not sure what might be wrong. I have copied both my root and
> my radius intermediate CA certificates onto the Windows client along
> with the client certificate and key. They are installed and the chain
> is valid according to the Windows Credential Manager. The server
> ca.pem has both the root and intermediate certificates concatenated
> together and that works fine with my other clients. So all I can think
> of is that Windows is being extra picky about something. Below is the
> sanitized text certificate for the server and client in the hope that
> the error is obvious to someone else:
>
> ......


>
>
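Added example, not part of the original thread or of FreeRADIUS: a small decoder for the packed OpenSSL error code in the rlm_eap log line quoted above, which cross-checks the hex value against the printed lib/func/reason fields. It assumes the OpenSSL 1.x packing (8 bits library, 12 bits function, 12 bits reason); the function names are hypothetical and the symbolic names are only those listed in the quoted message.

```python
import re

# Symbolic names for the numeric fields; only the values the quoted message lists.
LIB_NAMES = {20: "ERR_LIB_SSL"}
FUNC_NAMES = {(20, 138): "SSL_F_SSL3_GET_CLIENT_HELLO"}
REASON_NAMES = {(20, 193): "SSL_R_NO_SHARED_CIPHER"}

# Matches "error:1408A0C1" with the optional ":lib(20):func(138):reason(193)" tail.
ERR_RE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8})"
    r"(?::lib\((?P<lib>\d+)\):func\((?P<func>\d+)\):reason\((?P<reason>\d+)\))?"
)

def unpack(code):
    """Split a packed error code (OpenSSL 1.x layout, an assumption here):
    8 bits library, 12 bits function, 12 bits reason."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def decode_line(line):
    """Decode one log line; return None when it carries no packed error code."""
    m = ERR_RE.search(line)
    if m is None:
        return None
    lib, func, reason = unpack(int(m.group("code"), 16))
    printed = None
    if m.group("lib") is not None:
        printed = tuple(int(m.group(k)) for k in ("lib", "func", "reason"))
    return {
        "fields": (lib, func, reason),
        "lib": LIB_NAMES.get(lib, "unknown"),
        "func": FUNC_NAMES.get((lib, func), "unknown"),
        "reason": REASON_NAMES.get((lib, reason), "unknown"),
        # False means the hex code and the printed fields disagree (mangled log).
        "consistent": printed is None or printed == (lib, func, reason),
    }

# Log lines copied from the quoted message above.
SAMPLE_LOG = [
    "Info: [tls] <<< TLS 1.0 Handshake [length 0067], ClientHello",
    "Info: [tls] >>> TLS 1.0 Alert [length 0002], fatal handshake_failure",
    "Error: TLS Alert write:fatal:handshake failure",
    "Error: rlm_eap: SSL error error:1408A0C1:lib(20):func(138):reason(193)",
]

def decode_log(lines):
    """Return the decoded entry for every line that contains an error code."""
    return [d for d in map(decode_line, lines) if d is not None]

if __name__ == "__main__":
    for entry in decode_log(SAMPLE_LOG):
        print(entry)
```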