eap_peap: ERROR: TLS Alert read:fatal:unknown CA

[Alan DeKok]

On Nov 19, 2019, at 1:45 PM, L. Rose <lists at lrose.de> wrote:,
> 
> 
> We've recently upgraded one of our freeradius servers to 3.0.17, the configuration remains unchanged. Now, whenever a device connects to WiFi, the authentication fails with:
> 
> eap_peap: ERROR: TLS Alert read:fatal:unknown CA
> 
> Downgrading freeradius to 3.0.16 fixes the issue, as well as disabling certificate checking on the client device (but that's obviously not an option). I've also tried all later versions including 3.0.20, all of them have this problem. Similarly, all versions 3.0.13 - 3.0.16 are working successfully.

  That isn't good.

> I was able to rule out the specific git commit which introduces this problem. #66c66729a51713c8a282b483e3cc76b43a234efa is the last working version (checked out and built from source). #595b4ddb9571772322ad2546f0faba91aa32daf1 seems to be the first "faulty" version.

  That's just a merge commit.  The actual change is in 8e54822dcaf1.  Which just sets a flag in OpenSSL.

> Any ideas how to fix this issue? I would like to attach the complete output of freeradius -X, but that contains identifying information that's hard to strip. But if you need more information, I'll see what I can do. For now, see the output of freeradius -X for the failing connection.
> 
> Is this a bug? I don't think that the behavior of freeradius should change from 3.0.16 to 3.0.17, especially as the commit message for #595b4ddb9571772322ad2546f0faba91aa32daf1 only says: "TLS: Allow partial certificate chain to trusted CA". That doesn't feel like some functionality was removed, does it?

  It shouldn't change anything.

  What do your certificate chains look like?  Maybe OpenSSL is getting the certificate chains wrong.

  Try setting "auto_chain = no" in mods-available/eap.  Be aware though that this means you will need to order the certificates yourself.  i.e. "certificate_file" will have to contain the entire certificate chain, in order.

  Alan DeKok.