Troubleshooting "TLS failed during operation" with EAP-TLS
Michael Parks
mparks at tkware.info
Fri Jun 5 19:42:17 CEST 2020
Let's see..
(5) eap_peap: Continuing EAP-TLS
(5) eap_peap: Peer indicated complete TLS record size will be 7 bytes
(5) eap_peap: Got complete TLS record (7 bytes)
(5) eap_peap: [eaptls verify] = length included
(5) eap_peap: HERE 700
(5) eap_peap: HERE 702
(5) eap_peap: <<< recv TLS 1.2 [length 0002]
(5) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server done
(5) eap_peap: HERE 723
(5) eap_peap: TLS - In Handshake Phase
(5) eap_peap: TLS - Application data.
(5) eap_peap: HERE 842
(5) eap_peap: ERROR: TLS failed during operation
(5) eap_peap: ERROR: [eaptls process] = fail
(5) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed
842 being above the function's final "return 1".
I got curious and hooked it up to gdb and stepped through to the failure point. The "TLS failed during operation" error is coming out of modules/rlm_eap/libeap/eap_tls.c:756. The contents of tls_session->dirty_out at the time were:
$2 = {
data = " RouterOS0\r\006\t*\206H\206\367\r\001\001\v\005\000\003\202\001\001\000ShU`\333g~\272\341\273\316\tO\211\335\302-\235\067\361e\a\357'\245\260\343\216*\034}\030\275yve2\261\201\212\253A\204\005\270iQ\262\230\377\017'\t_\263\371z\272\275\315\271\312Ȧ\374\034\231\304άa\332\370\242u\366\274M\272\316v{\032|\350\060.]\006\070V\267C\200\bZY+\323\375\245\360\330\372\204q\205\367\ty~\207\210\352\004\347\304hX\244\003\257\035\066\003\371:\263\031\352\002#\035\273D\253r\033.\350\035\301\216\023\364\275'\303\006\317f!\016p\230~\367\064x\346\343\"\334\024f&\213\262{wHu\033\372"..., used = 0}
..which, given prior experience with MikroTik, leads me to believe that this router is talking nonsense to RADIUS..
On Fri, Jun 5, 2020, at 10:22 AM, Alan DeKok wrote:
> On Jun 5, 2020, at 11:54 AM, Michael Parks <mparks at tkware.info> wrote:
> >
> > I think I might need to try with different certs. I've read rumblings that MikroTik's built-in PKI can cause strange problems in other instances, and it may be the same thing here. (Supposedly it's perfectly standard X509, but..)
> >
> > Anything a mere mortal with little C experience can do to get better info as to the failure cause?
>
> Edit src/main/tls.c, look for the function tls_handshake_recv()
>
> Instrument it by just adding this in a bunch of places in the function:
>
> RDEBUG("HERE %d", __LINE__);
>
> Make sure to also add it before each "return 0"
>
> ... {
> RDEBUG("HERE %d", __LINE__);
> return 0;
>
> }
>
> And then post the one packet here which says "TLS failed during operation"
>
> Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
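Two things in this exchange are worth decoding by hand when chasing "TLS failed during operation": the EAP-TLS fragment the peer sent ("complete TLS record size will be 7 bytes", then "recv TLS 1.2 [length 0002]": a 7-byte record is a 5-byte record header plus a 2-byte body, which is exactly the size of a TLS alert), and the gdb dump of tls_session->dirty_out, whose bytes read as the tail of a DER certificate (the CN text, then an AlgorithmIdentifier and a signature BIT STRING). The script below is an added example, not FreeRADIUS's or MikroTik's code. The EAP-Response it builds is constructed: the content type (alert), level and description are assumptions, since the debug output above does not print them. The gdb string it decodes is the first bytes of the dirty_out dump from this post, truncated; the byte-level results (sha256WithRSAEncryption, a 2048-bit signature) follow from those bytes alone and say nothing about why the handshake failed.

```python
import re
import struct

EAP_CODE_RESPONSE = 2
EAP_TYPE_PEAP = 25                      # "EAP PEAP (25)" in the debug output
EAP_TLS_FLAG_LENGTH_INCLUDED = 0x80     # the L bit: total TLS length follows the flags byte
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
TLS_ALERT_DESCRIPTIONS = {0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
                          46: "certificate_unknown", 48: "unknown_ca", 51: "decrypt_error"}
OID_NAMES = {"1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
             "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
             "1.2.840.10045.4.3.2": "ecdsa-with-SHA256"}

# First bytes of the dirty_out dump quoted in the post, copied from gdb's output and truncated.
DIRTY_OUT_HEAD = r' RouterOS0\r\006\t*\206H\206\367\r\001\001\v\005\000\003\202\001\001\000ShU`\333g~\272\341\273\316\tO\211\335\302-\235\067\361e'


def build_eap_tls_response(identifier, eap_type, tls_data):
    """Wrap a TLS record in an EAP-Response with the EAP-TLS L (length included) flag set."""
    body = bytes([EAP_TLS_FLAG_LENGTH_INCLUDED]) + struct.pack("!I", len(tls_data)) + tls_data
    return struct.pack("!BBHB", EAP_CODE_RESPONSE, identifier, 5 + len(body), eap_type) + body


def parse_eap_tls(packet):
    """Return (eap_type, flags, declared TLS length or None, TLS data) for one EAP-TLS fragment."""
    code, identifier, length, eap_type, flags = struct.unpack("!BBHBB", packet[:6])
    if length != len(packet):
        raise ValueError("EAP length field does not match packet size")
    pos, tls_length = 6, None
    if flags & EAP_TLS_FLAG_LENGTH_INCLUDED:
        (tls_length,) = struct.unpack("!I", packet[pos:pos + 4])   # "complete TLS record size will be N bytes"
        pos += 4
    return eap_type, flags, tls_length, packet[pos:]


def describe_tls_record(data):
    """Decode one TLS record header; a 2-byte alert body is spelled out as (level, description)."""
    ctype, major, minor, rlen = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + rlen]
    if len(body) != rlen:
        raise ValueError("truncated TLS record")
    info = {"content_type": TLS_CONTENT_TYPES.get(ctype, str(ctype)),
            "version": "TLS 1.%d" % (minor - 1) if major == 3 and minor >= 1 else "%d.%d" % (major, minor),
            "length": rlen}                                       # "recv TLS 1.2 [length 0002]"
    if ctype == 21 and rlen == 2:
        level, desc = body
        info["alert"] = ("fatal" if level == 2 else "warning", TLS_ALERT_DESCRIPTIONS.get(desc, str(desc)))
    return info


_GDB_ESCAPES = {"r": 13, "n": 10, "t": 9, "a": 7, "b": 8, "v": 11, "f": 12, "e": 27, "\\": 92, '"': 34, "'": 39}


def decode_gdb_string(text):
    """Turn gdb's printed char array (octal escapes, C escapes, UTF-8 passed through) back into bytes."""
    out = bytearray()
    for octal, esc, char in re.findall(r'\\([0-7]{1,3})|\\(.)|(.)', text, re.DOTALL):
        if octal:
            out.append(int(octal, 8))
        elif esc:
            out.append(_GDB_ESCAPES[esc])
        else:
            out += char.encode("utf-8")     # gdb showed a multi-byte char verbatim (e.g. the 'Ȧ' in the dump)
    return bytes(out)


def der_header(buf, pos):
    """Read a DER tag and length at pos; return (tag, length, offset of the value)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: low bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, length, pos


def decode_oid(raw):
    """Dotted OID from its DER content octets (base-128 arcs, first octet = 40*a + b)."""
    arcs, value = [], 0
    for b in raw:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(x) for x in [arcs[0] // 40, arcs[0] % 40] + arcs[1:])


def inspect_dirty_out(gdb_text):
    """Find the AlgorithmIdentifier and the signature BIT STRING inside a dumped buffer."""
    buf = decode_gdb_string(gdb_text)
    start = buf.find(b"\x30\x0d\x06\x09")   # SEQUENCE (13 bytes) { OID (9 bytes) ... }
    if start < 0:
        raise ValueError("no AlgorithmIdentifier found in buffer")
    _, seq_len, p = der_header(buf, start)
    _, oid_len, op = der_header(buf, p)
    oid = decode_oid(buf[op:op + oid_len])
    btag, bit_len, bp = der_header(buf, start + 2 + seq_len)
    if btag != 0x03:
        raise ValueError("expected a BIT STRING after the AlgorithmIdentifier")
    unused_bits = buf[bp]                  # first BIT STRING octet: number of unused trailing bits
    return {"text_before": buf[:start].decode("latin-1"),
            "signature_algorithm": OID_NAMES.get(oid, oid),
            "signature_bits": (bit_len - 1) * 8 - unused_bits}


if __name__ == "__main__":
    # Constructed: TLS 1.2 alert record, level fatal (2), description unknown_ca (48); not from the log.
    record = bytes([0x15, 0x03, 0x03, 0x00, 0x02, 0x02, 0x30])
    _, _, tls_len, data = parse_eap_tls(build_eap_tls_response(5, EAP_TYPE_PEAP, record))
    print("declared TLS length:", tls_len, describe_tls_record(data))
    print(inspect_dirty_out(DIRTY_OUT_HEAD))
```

The dump shows used = 0, so OpenSSL had nothing queued to send; the bytes are whatever was last written through that buffer. Decoding them only tells you which certificate material passed through, which is the kind of detail to compare against the certificate the router actually presents before swapping certs.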