eapol_test with TLS fails (nothing sent to freeradius)

freerad list.radius at tiri.li
Mon Jul 27 10:26:08 CEST 2015


Hi Alan,

thanks for clarification. Now I will get further.

Best regards,
Thomas

2015-07-27 10:05 GMT+02:00 <A.L.M.Buxey at lboro.ac.uk>:

> Hi,
>
> > EAP: Initialize selected EAP method: vendor 0 method 13 (TLS)
> > TLS: Trusted root certificate(s) loaded
> > OpenSSL: tls_connection_client_cert - SSL_use_certificate_file (DER)
> failed
> > error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
> > OpenSSL: pending error: error:0D07803A:asn1 encoding
> > routines:ASN1_ITEM_EX_D2I:nested asn1 error
> > OpenSSL: pending error: error:140C800D:SSL
> > routines:SSL_use_certificate_file:ASN1 lib
> > OpenSSL: SSL_use_certificate_file (PEM) --> OK
> > OpenSSL: tls_connection_private_key - SSL_use_PrivateKey_File (DER)
> failed
> > error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag
> > OpenSSL: pending error: error:0D0680A8:asn1 encoding
> > routines:ASN1_CHECK_TLEN:wrong tag
> > OpenSSL: pending error: error:0D07803A:asn1 encoding
> > routines:ASN1_ITEM_EX_D2I:nested asn1 error
> > OpenSSL: pending error: error:0D09A00D:asn1 encoding
> > routines:d2i_PrivateKey:ASN1 lib
> > OpenSSL: pending error: error:140CB00D:SSL
> > routines:SSL_use_PrivateKey_file:ASN1 lib
> > OpenSSL: SSL_use_PrivateKey_File (PEM) --> OK
> > SSL: Private key loaded successfully
> > CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
> > EAP: EAP entering state METHOD
>
> so client not too happy about certs... but looks like it loaded them okay
> still anyway (if they were DER format these error messages would probably
> go)
>
> > SSL: SSL_connect:SSLv3 read server hello A
> > TLS: Certificate verification failed, error 7 (certificate signature
> > failure) depth 1 for '/C=DE/ST=Hamburg/L=Schwarzenbek/O=tiri
> > GmbH/emailAddress=ca at hotspot.tiri.li/CN=tiri CA'
> > SSL: (where=0x4008 ret=0x233)
> > SSL: SSL3 alert: write (local SSL3 detected an error):fatal:decrypt error
> > SSL: (where=0x1002 ret=0xffffffff)
> > SSL: SSL_connect:error in SSLv3 read server certificate B
> > OpenSSL: tls_connection_handshake - SSL_connect error:0D0C50A1:asn1
> > encoding routines:ASN1_item_verify:unknown message digest algorithm
> > OpenSSL: pending error: error:14090086:SSL
> > routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> > SSL: 7 bytes pending from ssl_out
> > SSL: Failed - tls_out available to report error
> > SSL: 7 bytes left to be sent out (of total 7 bytes)
>
> so client didn't like what the RADIUS server sent.
>
>
> ensure that the client is using the correct CA details. ensure that the
> server is using the correct details! and ensure that the client is also
> sending out any intermediate certs that the client needs to build the
> trust chain from server cert to the root CA
>
> > But there is still something missing.
> > How is password for user "wlan_test" being transmitted?
>
> the missing thing is just your knowledge about EAP-TLS protocol. there is
> no password - the client is authenticated based on mutual trust of the
> certificate that it is using...and the client's certificate is protected
> by the private-key component of the certificate that only the authorised
> client/user would know to allow that certificate to be loaded/read for
> use with EAP-TLS
>
> EAP-TLS works very much like you showing a passport at the security
> section of an airport.  the security guard will recognise the document...
> and know that they have an agreement with your country...they will check
> the contents of your passport...ensure it's all present and correct and
> hasn't expired.
>
> alan
>
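The checks Alan's reply asks for (is each file PEM or DER, which digest signed the server certificate, and whether the CA file the client trusts plus the intermediates verifies the server certificate), as an added example using the openssl CLI; this is not code from the thread, and the PKI and names it builds are constructed for the demonstration:

```shell
# Added example, not code from the thread: the checks Alan's reply asks for,
# done with the openssl CLI. A throwaway PKI (root CA -> intermediate ->
# server) is constructed below in a temp dir; every name in it is invented.
set -eu
WORK=$(mktemp -d)

# Build the constructed chain. The intermediate must carry CA:TRUE or
# openssl verify will refuse to treat it as an issuer.
gen_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign\n' > "$WORK/ca.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -keyout "$WORK/root.key" \
    -out "$WORK/root.pem" -subj "/CN=example root CA" -days 2 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/inter.key" \
    -out "$WORK/inter.csr" -subj "/CN=example intermediate" 2>/dev/null
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -out "$WORK/inter.pem" \
    -days 2 -sha256 -extfile "$WORK/ca.ext" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/server.key" \
    -out "$WORK/server.csr" -subj "/CN=radius.example" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/inter.pem" \
    -CAkey "$WORK/inter.key" -CAcreateserial -out "$WORK/server.pem" \
    -days 2 -sha256 2>/dev/null
  openssl x509 -in "$WORK/server.pem" -outform DER -out "$WORK/server.der"
}

# PEM or DER? eapol_test tries DER first, which is what produces the
# harmless "wrong tag" lines in the log when the file is actually PEM.
cert_format() {
  if openssl x509 -in "$1" -inform DER -noout 2>/dev/null; then echo DER
  elif openssl x509 -in "$1" -inform PEM -noout 2>/dev/null; then echo PEM
  else echo UNKNOWN; fi
}

# Signature algorithm of a certificate; "unknown message digest algorithm"
# on verify means the client's OpenSSL cannot handle what this prints.
sig_alg() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -1
}

# Does the CA file the client trusts (plus the intermediates the server
# should be sending) verify the server certificate?  Exit 0 means yes.
verify_chain() {  # $1 server cert, $2 trusted CA file, $3 optional intermediates
  if [ -n "${3:-}" ]; then openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
  else openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; fi
}

gen_pki
echo "server.pem is $(cert_format "$WORK/server.pem"), signed with $(sig_alg "$WORK/server.pem")"
verify_chain "$WORK/server.pem" "$WORK/root.pem" || echo "root only: FAIL (intermediate missing)"
verify_chain "$WORK/server.pem" "$WORK/root.pem" "$WORK/inter.pem" && echo "root+intermediate: OK"
```

Run the same three functions against the real files from the eapol_test config and the freeradius certificate directory to see which of the three conditions the log is complaining about.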
