Failed in SSLv3 read client certificate A

Michael Martinez mwtzzz at gmail.com
Wed Jun 22 19:16:10 CEST 2016


Ok I may have spoken too soon. I just found this online:
"Apparently starting with iOS 9.1, if the RADIUS cert does not contain
the "Key Encipherment" flag, iOS will reject authentication with:
Oct  1 11:27:29.752545 TiPadAir2 eapolclient[455]:
[eaptls_plugin.c:292] eaptls_verify_server(): server certificate not
trusted status 1001 -9807"

I'm guessing this is probably what I need to do to get this to work.
Anyone know what this "Key Encipherment" flag is, and how to include
it in the Radius cert?

On Wed, Jun 22, 2016 at 10:12 AM, Michael Martinez <mwtzzz at gmail.com> wrote:
> On Sat, Jun 18, 2016 at 4:50 PM, Arran Cudbard-Bell
> <a.cudbardb at freeradius.org> wrote:
>> /usr/local/freeradius/sbin/radiusd -v
>>
>> Is more accurate than using ldd.  It calls a version function in OpenSSL
>> to get the version, it doesn't use compile time macros.
>
> Awesome, thanks.
>
> FYI, we were able to crack open the iPad logs, and found the following
> interesting entries:
>
> Jun 21 14:15:03 iPad eapolclient[178] <Error>: SecTrustEvaluate [leaf
> AnchorTrusted]
> Jun 21 14:15:03 iPad eapolclient[178] <Notice>: [eaptls_plugin.c:291]
> eaptls_verify_server(): server certificate not trusted status 1001 -9807
> Jun 21 14:15:03 iPad kernel[0] <Notice>: 000220.437816 wlan0.N[82]
> AppleBCMWLANCore::setCIPHER_KEY(): [eapolclient]: type = CIPHER_MSK, index =
> 0, flags = 0x0, key length = 0, key rsc length = 0
> Jun 21 14:15:03 iPad eapolclient[178] <Notice>: en0 EAP-TLS:
> authentication failed with
> status 1001
>
> So, it appears we need to set the iPad to trust my self-signed server
> certificate, and then it should work.



-- 
---
Michael Martinez
http://www.michael--martinez.com
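
Added example, not part of the original post or of FreeRADIUS's own certificate scripts: "Key Encipherment" is one bit of the X.509 `keyUsage` extension, set in OpenSSL through a `keyUsage` line in the extensions section, and the check below confirms whether a certificate carries it. The CN, file names and the two throwaway self-signed certificates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: constructed throwaway certs; CN and file names are assumptions.
set -eu

# make_cert <output-prefix> <keyUsage value list>
# Writes <prefix>.cnf, <prefix>.key and a self-signed <prefix>.pem.
make_cert() {
  cat > "$1.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = radius.example.test
[v3]
keyUsage = critical, $2
extendedKeyUsage = serverAuth
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -config "$1.cnf" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# has_key_encipherment <cert.pem>
# Succeeds only if the Key Usage extension lists Key Encipherment.
has_key_encipherment() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'X509v3 Key Usage' \
    | grep -q 'Key Encipherment'
}

# Demonstration: one cert with the bit set, one without.
tmp=$(mktemp -d)
make_cert "$tmp/with_ke" "digitalSignature, keyEncipherment"
make_cert "$tmp/without_ke" "digitalSignature"
for c in with_ke without_ke; do
  if has_key_encipherment "$tmp/$c.pem"; then
    echo "$c: Key Encipherment present"
  else
    echo "$c: Key Encipherment MISSING"
  fi
done
rm -rf "$tmp"
```

Running `has_key_encipherment` against the certificate the RADIUS server actually presents shows whether it needs to be reissued with the extension.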


