Failed in SSLv3 read client certificate A

Michael Martinez mwtzzz at gmail.com
Tue Jun 14 23:32:22 CEST 2016


On Mon, Jun 6, 2016 at 6:31 AM, Stefan Paetow <Stefan.Paetow at jisc.ac.uk> wrote:
> Does the iPad have the CA certificate installed? Does it have the *correct* CA certificate installed? If there are intermediates, is the whole *chain* installed?

Yes, we just double-checked this. Still getting the same error. Here's
a little more info from farther up in the logs. As you can see, it
seems to do everything correctly up to the point where it requests the
client certificate A:

(299) eap: Calling submodule eap_tls to process data
(299) eap_tls: Continuing EAP-TLS
(299) eap_tls: Peer indicated complete TLS record size will be 142 bytes
(299) eap_tls: Got complete TLS record (142 bytes)
(299) eap_tls: [eaptls verify] = length included
(299) eap_tls: (other): before/accept initialization
(299) eap_tls: TLS_accept: before/accept initialization
(299) eap_tls: <<< recv TLS 1.0 Handshake [length 0089], ClientHello
(299) eap_tls: TLS_accept: SSLv3 read client hello A
(299) eap_tls: >>> send TLS 1.0 Handshake [length 0059], ServerHello
(299) eap_tls: TLS_accept: SSLv3 write server hello A
(299) eap_tls: >>> send TLS 1.0 Handshake [length 08cd], Certificate
(299) eap_tls: TLS_accept: SSLv3 write certificate A
(299) eap_tls: >>> send TLS 1.0 Handshake [length 014b], ServerKeyExchange
(299) eap_tls: TLS_accept: SSLv3 write key exchange A
(299) eap_tls: >>> send TLS 1.0 Handshake [length 00b4], CertificateRequest
(299) eap_tls: TLS_accept: SSLv3 write certificate request A
(299) eap_tls: TLS_accept: SSLv3 flush data
(299) eap_tls: TLS_accept: Need to read more data: SSLv3 read client certificate A
(299) eap_tls: TLS_accept: Need to read more data: SSLv3 read client certificate A
(299) eap_tls: In SSL Handshake Phase
(299) eap_tls: In SSL Accept mode
(299) eap_tls: [eaptls process] = handled
(299) eap: Sending EAP Request (code 1) ID 4 length 1004
(299) eap: EAP session adding &reply:State = 0x41fc0bf743f80689
(299)     [eap] = handled



>
> See https://www.mail-archive.com/search?l=freeradius-users@lists.freeradius.org&q=subject:%22SSL+error%22&o=newest&f=1
>
>> #2) Is there a way to get more information from radius? It's unclear
>> whether Radius (a) received the client certificate but does not
>> understand it, or (b) did not receive the client certificate at all
>
> As per the above link, chances are that the iPad didn't understand the cert, didn't like it, or something else is wrong with it, and subsequently said "Thanks but no thanks."
>
> Stefan Paetow
> Moonshot Industry & Research Liaison Coordinator
>
> t: +44 (0)1235 822 125
> gpg: 0x3FCE5142
> xmpp: stefanp at jabber.dev.ja.net
> skype: stefan.paetow.janet
>
> jisc.ac.uk



-- 
---
Michael Martinez
http://www.michael--martinez.com
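
One way to approach question #2 from the debug output alone, as an added example that is not part of the original thread or of FreeRADIUS: a Python script that tallies, per request number, which TLS handshake messages the server logged as received (`<<<`) and sent (`>>>`), and which state it last reported waiting in. It assumes the `eap_tls` debug line format quoted above; the function names are hypothetical and the sample input is constructed from a subset of those lines.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the debug lines quoted above, one of them mail-wrapped.
SAMPLE_LOG = """\
(299) eap_tls: <<< recv TLS 1.0 Handshake [length 0089], ClientHello
(299) eap_tls: TLS_accept: SSLv3 read client hello A
(299) eap_tls: >>> send TLS 1.0 Handshake [length 0059], ServerHello
(299) eap_tls: >>> send TLS 1.0 Handshake [length 08cd], Certificate
(299) eap_tls: >>> send TLS 1.0 Handshake [length 00b4], CertificateRequest
(299) eap_tls: TLS_accept: Need to read more data: SSLv3 read client
certificate A
(299) eap: Sending EAP Request (code 1) ID 4 length 1004
"""

MSG = re.compile(r"^\((\d+)\)\s+eap_tls: (<<<|>>>) \w+ TLS [\d.]+ Handshake "
                 r"\[length ([0-9a-f]+)\], (\w+)")
WAIT = re.compile(r"^\((\d+)\)\s+eap_tls: TLS_accept: Need to read more data: (.+)$")

def unwrap(text):
    """Re-join mail-wrapped lines: a continuation lacks the '(N)' request prefix."""
    out = []
    for line in text.splitlines():
        if out and line.strip() and not line.startswith("("):
            out[-1] += " " + line.strip()
        elif line.strip():
            out.append(line)
    return out

def summarize(text):
    """Per request: handshake messages in each direction and the last wait state."""
    reqs = defaultdict(lambda: {"recv": [], "sent": [], "waiting_on": None})
    for line in unwrap(text):
        if m := MSG.match(line):
            key = "recv" if m.group(2) == "<<<" else "sent"
            reqs[int(m.group(1))][key].append((m.group(4), int(m.group(3), 16)))
        elif m := WAIT.match(line):
            reqs[int(m.group(1))]["waiting_on"] = m.group(2)
    return dict(reqs)

def client_cert_seen(summary):
    """True if any request logged a Certificate handshake message as received."""
    return any(n == "Certificate" for r in summary.values() for n, _ in r["recv"])

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for num, r in s.items():
        print(num, "recv:", r["recv"], "sent:", r["sent"], "waiting:", r["waiting_on"])
    print("client certificate received:", client_cert_seen(s))
```

Run over the full debug output for the session rather than a single request, since the remaining fragments and the client's reply appear under later request numbers.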


