real world radsec example

Alex Sharaz alex.sharaz at york.ac.uk
Mon Jul 20 16:27:23 CEST 2015


Hi,
Has anyone got a real-world RADSEC example between two FR 3.0.[89] servers they would be prepared to share? Having a bit of trouble getting this to work.

I've successfully got FR 2.2.7 -> radsecproxy 1.6.x -> FR 3.0.9 working (tested using radtest -> FR 2.2.7) but am having a bit of a problem either going from FR 3.x -> radsecproxy or FR 3.x <--> 3.X.

On the server I'm running radtest on I get:

Mon Jul 20 14:03:14 2015 : Debug: (0) proxy: Trying to open a new listener to the home server
Mon Jul 20 14:03:14 2015 : Debug: Opening new proxy socket 'proxy (0.0.0.0, 0) -> home_server (199.30.91.51, 2083)'
Mon Jul 20 14:03:14 2015 : Debug: Trying SSL to port 2083
Mon Jul 20 14:03:14 2015 : Debug: Requiring Server certificate
Mon Jul 20 14:03:14 2015 : Debug: (0) (other): before/connect initialization
Mon Jul 20 14:03:14 2015 : Debug: (0) TLS_connect: before/connect initialization
Mon Jul 20 14:03:14 2015 : Debug: (0) >>> TLS 1.2  [length 011e]
Mon Jul 20 14:03:14 2015 : Debug: (0) TLS_connect: unknown state
Mon Jul 20 14:03:15 2015 : Debug: (0) <<< TLS 1.0 Handshake [length 0031], ServerHello
Mon Jul 20 14:03:15 2015 : Debug: (0) TLS_connect: SSLv3 read server hello A
Mon Jul 20 14:03:15 2015 : Debug: (0) <<< TLS 1.0 Handshake [length 11ed], Certificate
Mon Jul 20 14:03:15 2015 : Debug: (0) TLS Verify creating certificate attributes
Mon Jul 20 14:03:15 2015 : ERROR: (0)   SSL says error 19 : self signed certificate in certificate chain
Mon Jul 20 14:03:15 2015 : Debug: (0) >>> TLS 1.0 Alert [length 0002], fatal unknown_ca
Mon Jul 20 14:03:15 2015 : ERROR: (0) TLS Alert write:fatal:unknown CA
Mon Jul 20 14:03:15 2015 : Error: tls: TLS_connect: Error in SSLv3 read server certificate B
Mon Jul 20 14:03:15 2015 : Error: tls: TLS_connect: Error in SSLv3 read server certificate B
Mon Jul 20 14:03:15 2015 : Error: tls: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Mon Jul 20 14:03:15 2015 : Error: Failed starting SSL to 'proxy (0.0.0.0, 0) -> home_server (199.30.91.51, 2083)'

and I really can't see why I'm getting the unknown CA error. Certainly shouldn't be a self signed cert anywhere.
A
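
The `SSL says error 19` line in the log above is OpenSSL's chain verification result, and it can be reproduced offline with `openssl verify`. The following is an added example, not part of the original post: a constructed throwaway lab (the names `radius-ca`, `other-ca` and `home` are hypothetical) showing that error 19 is reported when the peer's chain includes a self-signed root that is absent from the verifier's CA file.

```shell
#!/bin/sh
# Constructed lab: every name, key and certificate below is throwaway.
# Files are written to a temp directory; remove "$LAB" when finished.
LAB=$(mktemp -d)

make_ca() {    # $1 = CA name -> self-signed root $1.pem / $1.key
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$LAB/$1.key" -out "$LAB/$1.pem" 2>/dev/null
}

make_leaf() {  # $1 = server name, $2 = name of the issuing CA
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$LAB/$1.key" -out "$LAB/$1.csr" 2>/dev/null
  openssl x509 -req -in "$LAB/$1.csr" -days 1 -CA "$LAB/$2.pem" \
    -CAkey "$LAB/$2.key" -CAcreateserial -out "$LAB/$1.pem" 2>/dev/null
}

# verify_as_client LEAF TRUSTED_CA [SENT_CHAIN]
# TRUSTED_CA plays the role of the connecting side's CA file; SENT_CHAIN is
# the extra certificate the peer sends in its TLS Certificate message.
# Prints "OK" or the numeric OpenSSL verify error.
verify_as_client() {
  if [ -n "${3:-}" ]; then
    out=$(openssl verify -CAfile "$LAB/$2.pem" -untrusted "$LAB/$3.pem" \
            "$LAB/$1.pem" 2>&1) || true
  else
    out=$(openssl verify -CAfile "$LAB/$2.pem" "$LAB/$1.pem" 2>&1) || true
  fi
  code=$(printf '%s\n' "$out" |
         sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
  case "$out" in
    *": OK"*) echo OK ;;
    *)        echo "${code:-unknown}" ;;
  esac
}

make_ca radius-ca            # root that really issued the server certificate
make_ca other-ca             # unrelated root that the client trusts instead
make_leaf home radius-ca     # stand-in for the home server's certificate

# Peer sends leaf + its root, client trusts a different root: error 19
echo "root sent but not trusted locally: $(verify_as_client home other-ca radius-ca)"
# Peer sends only the leaf, client cannot find any issuer: error 20
echo "no issuer available at all:        $(verify_as_client home other-ca)"
# Client's CA file contains the issuing root: verification succeeds
echo "issuing root in the CA file:       $(verify_as_client home radius-ca radius-ca)"
```

Running the same `openssl verify` call with the CA file the connecting server actually uses and the chain the home server presents shows which of the three cases applies.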




