EAP-TLS / OpenSSL Debug Output

Ben Humpert ben at an3k.de
Wed May 27 00:27:11 CEST 2015


Wed May 27 00:16:37 2015 : Debug: (118) eap_tls: TLS_accept: SSLv3
read client certificate A
Wed May 27 00:16:37 2015 : Debug: (118) eap_tls: <<< TLS 1.0 Handshake
[length 0046], ClientKeyExchange
Wed May 27 00:16:37 2015 : Debug: (118) eap_tls: TLS_accept: SSLv3
read client key exchange A
Wed May 27 00:16:37 2015 : Debug: (118) eap_tls: <<< TLS 1.0 Handshake
[length 0106], CertificateVerify
Wed May 27 00:16:37 2015 : Debug: (118) eap_tls: TLS_accept: SSLv3
read certificate verify A
Wed May 27 00:16:37 2015 : Debug: (118) eap_tls: <<< TLS 1.0
ChangeCipherSpec [length 0001]
Wed May 27 00:16:37 2015 : Debug: (118) eap_tls: <<< TLS 1.0 Handshake
[length 0010], Finished
Wed May 27 00:16:37 2015 : Debug: (118) eap_tls: TLS_accept: SSLv3
read finished A
Wed May 27 00:16:37 2015 : Debug: (118) eap_tls: >>> TLS 1.0
ChangeCipherSpec [length 0001]
Wed May 27 00:16:37 2015 : Debug: (118) eap_tls: TLS_accept: SSLv3
write change cipher spec A
Wed May 27 00:16:37 2015 : Debug: (118) eap_tls: >>> TLS 1.0 Handshake
[length 0010], Finished
Wed May 27 00:16:37 2015 : Debug: (118) eap_tls: TLS_accept: SSLv3
write finished A
Wed May 27 00:16:37 2015 : Debug: (118) eap_tls: TLS_accept: SSLv3 flush data
Wed May 27 00:16:37 2015 : Debug: (118) eap_tls: (other): SSL
negotiation finished successfully
Wed May 27 00:16:37 2015 : Debug: SSL Connection Established

While Windows (including XP) as well as Apple clients (including iOS)
are working great, Android has issues connecting using EAP-TLS. As soon
as I select a CA certificate in Android the connection is not
possible. If I don't select any CA certificate the connection works,
although it's actually not EAP-TLS since the server certificate is not
validated.

Just for my understanding, in the above debug output which side of the
>>> and <<< is the RADIUS server and which is the client?
Does the second line mean the server (left) read from the client
(right)? If so, does the last line mean the server (left) wrote to the
client (right)?


The debug output of the failing Android EAP-TLS attempt is below - in
case someone is interested.

Wed May 27 00:10:44 2015 : Debug: (89) eap: EAP TLS (13)
Wed May 27 00:10:44 2015 : Debug: (89) eap: Calling eap_tls to process EAP data
Wed May 27 00:10:44 2015 : Debug: (89) eap_tls: Authenticate
Wed May 27 00:10:44 2015 : Debug: (89) eap_tls: processing EAP-TLS
Wed May 27 00:10:44 2015 : Debug: (89) eap_tls: eaptls_verify returned 7
Wed May 27 00:10:44 2015 : Debug: (89) eap_tls: Done initial handshake
Wed May 27 00:10:44 2015 : Debug: (89) eap_tls: <<< TLS 1.0 Alert
[length 0002], fatal unknown_ca
Wed May 27 00:10:44 2015 : ERROR: (89) eap_tls: TLS Alert read:fatal:unknown CA
Wed May 27 00:10:44 2015 : ERROR: (89) eap_tls: TLS_accept: Failed in
SSLv3 read client certificate A
Wed May 27 00:10:44 2015 : ERROR: (89) eap_tls: SSL says:
error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
Wed May 27 00:10:44 2015 : Error: SSL: SSL_read failed inside of TLS
(-1), TLS session fails.
Wed May 27 00:10:44 2015 : Debug: TLS receive handshake failed during operation
Wed May 27 00:10:44 2015 : Debug: (89) eap_tls: eaptls_process returned 4
Wed May 27 00:10:44 2015 : ERROR: (89) eap: Failed continuing EAP TLS
(13) session. EAP sub-module failed


And for everybody else: here is the official error return codes page
for OpenSSL: https://www.openssl.org/docs/ssl/SSL_alert_type_string.html
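As an added example (not part of the original post), a short Python parser for the `<<<`/`>>>` record lines quoted above: it labels each record with its direction from the RADIUS server's side (OpenSSL's message callback prints `<<<` for a record the server read from the client and `>>>` for one it wrote to the client, which matches the `read ... A`/`write ... A` state lines that follow each record), groups records by request number and reports which side raised a fatal alert. The sample log is constructed from the two sessions above with the wrapped lines rejoined; `parse_records` and `summarize` are names chosen here.

```python
import re

SAMPLE_LOG = """\
Wed May 27 00:16:37 2015 : Debug: (118) eap_tls: <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
Wed May 27 00:16:37 2015 : Debug: (118) eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
Wed May 27 00:16:37 2015 : Debug: (118) eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
Wed May 27 00:16:37 2015 : Debug: (118) eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
Wed May 27 00:16:37 2015 : Debug: (118) eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
Wed May 27 00:10:44 2015 : Debug: (89) eap_tls: <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
"""

# Arrow is from the server's point of view: "<<<" read from client, ">>>" written to client.
RECORD = re.compile(
    r"\((?P<req>\d+)\) eap_tls: (?P<arrow><<<|>>>) TLS (?P<ver>[\d.]+) "
    r"(?P<ctype>\w+) \[length (?P<length>[0-9a-fA-F]+)\](?:, (?P<detail>.+))?$"
)
DIRECTION = {"<<<": "client->server", ">>>": "server->client"}


def parse_records(text):
    """Return every TLS record line in the log as a dict, in log order."""
    out = []
    for line in text.splitlines():
        m = RECORD.search(line)
        if m:  # state lines such as "TLS_accept: SSLv3 read ..." carry no arrow and are skipped
            out.append({"req": int(m["req"]), "direction": DIRECTION[m["arrow"]],
                        "ctype": m["ctype"], "length": int(m["length"], 16),
                        "detail": m["detail"] or ""})
    return out


def summarize(records):
    """Per request id: message flow, first alert seen (if any) and outcome."""
    sessions = {}
    for r in records:
        s = sessions.setdefault(r["req"], {"flow": [], "alert": None, "finished": set()})
        s["flow"].append((r["direction"], r["detail"] or r["ctype"]))
        if r["ctype"] == "Alert" and s["alert"] is None:
            level, _, desc = r["detail"].partition(" ")  # e.g. "fatal unknown_ca"
            s["alert"] = {"level": level, "description": desc,
                          "sent_by": r["direction"].split("->")[0]}
        if r["detail"] == "Finished":
            s["finished"].add(r["direction"])
    for s in sessions.values():
        if s["alert"] and s["alert"]["level"] == "fatal":
            s["outcome"] = "failed: %s sent %s" % (s["alert"]["sent_by"], s["alert"]["description"])
        elif len(s["finished"]) == 2:  # Finished seen in both directions
            s["outcome"] = "handshake completed"
        else:
            s["outcome"] = "incomplete"
    return sessions
```

Run over the constructed sample, request 118 reports a completed handshake and request 89 reports that the client sent the fatal `unknown_ca` alert, i.e. the Android client rejected the server's certificate chain against the CA it was given.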

