Server certificate confusion

Nick Howitt nick at
Tue Apr 17 10:46:04 CEST 2018

I am having problems with the server certificate. If I create a server 
certificate without the XP Extensions, using eapol_test I can get a 
validation success, but Windows clients give an 0x80420101 error. If I 
redo the certificates with the XP Extensions I see the following in the 
         X509v3 extensions:
             X509v3 Extended Key Usage:
                 TLS Web Server Authentication
             X509v3 CRL Distribution Points:

                 Full Name:

But eapol_test ends in failure with the following part way through:

    TLS: Certificate verification failed, error 7 (certificate signature
    failure) depth 0 for '/C=FR/ST=Radius/O=Example Inc./CN=Example
    Certificate Authority/emailAddress=admin at'
    CTRL-EVENT-EAP-TLS-CERT-ERROR reason=0 depth=0
    subject='/C=FR/ST=Radius/O=Example Inc./CN=Example Certificate
    Authority/emailAddress=admin at' err='certificate signature
    EAP: Status notification: remote certificate verification
    (param=certificate signature failure)

and "radiusd -X gives:

    (29) eap_tls: Done initial handshake
    (29) eap_tls: <<< recv TLS 1.2  [length 0002]
    (29) eap_tls: ERROR: TLS Alert read:fatal:decrypt error
    (29) eap_tls: ERROR: TLS_accept: Failed in SSLv3 read client
    certificate A
    (29) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read)
    (29) eap_tls: ERROR: error:1409441B:SSL
    routines:ssl3_read_bytes:tlsv1 alert decrypt error
    (29) eap_tls: ERROR: error:140940E5:SSL routines:ssl3_read_bytes:ssl
    handshake failure
    (29) eap_tls: ERROR: System call (I/O) error (-1)
    (29) eap_tls: ERROR: TLS receive handshake failed during operation
    (29) eap_tls: ERROR: [eaptls process] = fail
    (29) eap: ERROR: Failed continuing EAP TLS (13) session.  EAP
    sub-module failed
    (29) eap: Sending EAP Failure (code 4) ID 5 length 4

Do you know what I'm doing wrong?

TIA, Nick

More information about the Freeradius-Users mailing list