real world radsec example

Alex Sharaz alex.sharaz at york.ac.uk
Mon Jul 20 17:38:35 CEST 2015


Sigh!

CA_file != ca_file

Works now, for

3.0.9 at each end
2.2.7 -> 3.0.9

Just testing 3.0.9 -> 2.2.7 via radsecproxy
A

On 20 Jul 2015, at 15:29, Alan DeKok wrote:

> On Jul 20, 2015, at 4:27 PM, Alex Sharaz <alex.sharaz at york.ac.uk> wrote:
>> I've successfully got FR 2.2.7 -> radsecproxy 1.6.x -> FR 3.0.9 working ( tested using radtest -> FR 2.2.7 ) but am having a bit of a problem either going from FR 3.x-> radsec proxy  or FR 3.x <--> 3.X
>> 
>> On the server I'm running radtest on I get 
>> 
>> Mon Jul 20 14:03:14 2015 : Debug: (0) proxy: Trying to open a new listener to the home server
>> Mon Jul 20 14:03:14 2015 : Debug: Opening new proxy socket 
> ...
>> Mon Jul 20 14:03:15 2015 : ERROR: (0)   SSL says error 19 : self signed certificate in certificate chain
>> Mon Jul 20 14:03:15 2015 : Debug: (0) >>> TLS 1.0 Alert [length 0002], fatal unknown_ca
>> Mon Jul 20 14:03:15 2015 : ERROR: (0) TLS Alert write:fatal:unknown CA
>> Mon Jul 20 14:03:15 2015 : Error: tls: TLS_connect: Error in SSLv3 read server certificate B
>> Mon Jul 20 14:03:15 2015 : Error: tls: TLS_connect: Error in SSLv3 read server certificate B
>> Mon Jul 20 14:03:15 2015 : Error: tls: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>> Mon Jul 20 14:03:15 2015 : Error: Failed starting SSL to 'proxy (0.0.0.0, 0) -> home_server (199.30.91.51, 2083)'
>> 
>> and I really can't see why I'm getting the unknown CA error. Certainly shouldn't be a self signed cert anywhere.
> 
>  The server is sending a self-signed cert to the client.
> 
>  You MUST configure the SAME CA on both the client and server.  That's how SSL works.
> 
>  Alan DeKok.
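The fix in this thread was a case-sensitive option name (CA_file instead of ca_file) in the home_server tls block: with no trust anchor loaded, the client could not validate the peer's chain and raised the unknown_ca alert seen in the log. As an added example, not code from the thread or from the FreeRADIUS project, the Python lint below parses a home_server definition, reports option names that differ from the canonical spelling only by case, and lists which of the three files a RadSec peer needs are absent under their exact names. The sample configuration and the list of canonical option names are assumptions constructed for this example.

```python
import re

# Option names as spelled in a FreeRADIUS 3.0.x home_server tls {} section.
# Assumption for this example: a key spelled with different case is not the same option.
CANONICAL_TLS_KEYS = (
    "ca_file",
    "ca_path",
    "certificate_file",
    "private_key_file",
    "private_key_password",
    "cipher_list",
    "fragment_size",
)

# Files both RadSec peers must present/trust for mutual TLS (exact spelling required).
REQUIRED_TLS_KEYS = ("ca_file", "certificate_file", "private_key_file")

# Constructed sample resembling the mis-cased configuration from the thread.
SAMPLE_HOME_SERVER = """\
home_server eduroam_radsec {
    ipaddr = 192.0.2.10            # constructed, documentation address
    port = 2083
    type = auth
    proto = tcp
    secret = radsec
    tls {
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem
        CA_file = ${cadir}/ca.pem   # wrong case: the trust anchor is never loaded
    }
}
"""

KEY_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")


def parse_tls_section(config_text):
    """Return the key/value pairs inside the first tls { ... } block, comments stripped."""
    in_tls = False
    depth = 0
    found = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments and whitespace
        if not line:
            continue
        if not in_tls:
            if re.match(r"^tls\s*\{$", line):
                in_tls = True
                depth = 1
            continue
        if line.endswith("{"):                 # nested sub-section inside tls {}
            depth += 1
            continue
        if line == "}":
            depth -= 1
            if depth == 0:
                break                          # end of the tls block
            continue
        m = KEY_RE.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def find_miscased_keys(config_text):
    """Keys that match a canonical option only when case is ignored -> [(found, canonical)]."""
    by_lower = {k.lower(): k for k in CANONICAL_TLS_KEYS}
    problems = []
    for key in parse_tls_section(config_text):
        canonical = by_lower.get(key.lower())
        if canonical is not None and key != canonical:
            problems.append((key, canonical))
    return problems


def missing_required_keys(config_text):
    """Required TLS file options that are absent under their exact spelling."""
    present = parse_tls_section(config_text)
    return [k for k in REQUIRED_TLS_KEYS if k not in present]


if __name__ == "__main__":
    for found, canonical in find_miscased_keys(SAMPLE_HOME_SERVER):
        print(f"mis-cased option: {found!r} (expected {canonical!r})")
    for key in missing_required_keys(SAMPLE_HOME_SERVER):
        print(f"missing option: {key}")
```

Run against the sample it reports CA_file as mis-cased and ca_file as missing, which is exactly the state that produces a verify failure with "self signed certificate in certificate chain": without a CA loaded, the peer's root looks like an unknown self-signed certificate rather than a configured trust anchor.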
