EAP-TLS Signature Check Failure
Peter Bance
peter at peterbance.co.uk
Wed Jun 10 23:09:36 CEST 2020
Thanks, Alan.
That helps eliminate one rabbit hole. I shall dig into Windows WPA/EAP and see what new “proprietary mechanism” they’ve invented now 😊
---
Peter Bance
> On 10 Jun 2020, at 22:02, Alan DeKok <aland at deployingradius.com> wrote:
>
> On Jun 10, 2020, at 2:24 PM, Peter Bance via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>> I've been setting up a FreeRADIUS server for a client, so they can (finally!) break away from AD/NPS-based RADIUS (ugh) for company WiFi. I have SCEP certificates pushed out to all machines, and I have iPhones connecting perfectly (transparent connection to test SSID with successful RADIUS validation). But I am banging my head against the wall with Windows 10 devices...
>
> <sigh> Windows....
>
>> Certificates valid (from the same source, same profile), CA configured correctly, it _should_ be working (as iOS can connect), but freeradius -X gives me this:
>>
>> ...
>> (42) eap_tls: ocsp: Cert status: good
>> (42) eap_tls: ocsp: Certificate is valid
>> (42) eap_tls: TLS_accept: SSLv3/TLS read client certificate
>> (42) eap_tls: <<< recv TLS 1.2 [length 0066]
>> (42) eap_tls: TLS_accept: SSLv3/TLS read client key exchange
>> (42) eap_tls: <<< recv TLS 1.2 [length 0108]
>> (42) eap_tls: >>> send TLS 1.2 [length 0002]
>> (42) eap_tls: ERROR: TLS Alert write:fatal:decrypt error
>>
>> (42) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read)
>> (42) eap_tls: ERROR: error:0407E086:rsa routines:RSA_verify_PKCS1_PSS_mgf1:last octet invalid
>> (42) eap_tls: ERROR: error:1417B07B:SSL routines:tls_process_cert_verify:bad signature
>
> I must admit I haven't seen that very often. In fact, I can't recall seeing it before.
>
>> Sadly I can't work out _which_ signature it's having a problem with - openssl verify is fine with the certificate and CA. The correct certificate is being sent (I can see that elsewhere in the output), EKU is all good.
>
> You can use Wireshark to double-check the RADIUS / EAP exchange. I suspect it will also complain.
>
>> Any pointers would be really appreciated - I'm not sure at the moment whether to continue squinting at FreeRADIUS config, Windows config, SCEP certificate properties, or what!
>>
>> FreeRADIUS 3.0.21
>> OpenSSL 1.1.1
>> Windows fully updated
>>
>> I have different CAs for FreeRADIUS (Let's Encrypt) and SCEP (self-signed), but I understand this is fine, and as I mentioned it works for iOS.
>>
>> Has anyone seen this before? I've hunted all over the Internet, but nothing quite matches :(
>
> Yeah. It's weird. TBH, I would put it down to a Windows issue. I can't see how it's a FreeRADIUS issue. Which means it's rather more complex to fix.
>
> Maybe it's an issue with the SCEP certificates, or the Windows implementation of them.
>
> Alan DeKok.
>
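The RSA_verify_PKCS1_PSS_mgf1 reason in the freeradius -X output names the exact step of RSA-PSS verification that failed: the encoded message EM must end in the trailer octet 0xbc (RFC 8017 section 9.1.2). The Python below is an added example, not code from the thread or from FreeRADIUS, that implements EMSA-PSS encoding and verification over EM (the RSA modular exponentiation is left out) and returns check names that mirror OpenSSL's reasons; the message, salt and emBits value used with it are constructed inputs.

```python
# Added example (not from the thread): RFC 8017 EMSA-PSS encode/verify,
# reproducing the checks behind OpenSSL's "last octet invalid" reason.
import hashlib

HASH = hashlib.sha256
H_LEN = HASH().digest_size

def mgf1(seed: bytes, length: int) -> bytes:
    """MGF1 mask generation (RFC 8017 appendix B.2.1) with SHA-256."""
    out = b""
    for counter in range((length + H_LEN - 1) // H_LEN):
        out += HASH(seed + counter.to_bytes(4, "big")).digest()
    return out[:length]

def emsa_pss_encode(message: bytes, em_bits: int, salt: bytes) -> bytes:
    """RFC 8017 9.1.1: EM = maskedDB || H || 0xbc (salt is caller-supplied)."""
    em_len = (em_bits + 7) // 8
    m_hash = HASH(message).digest()
    if em_len < H_LEN + len(salt) + 2:
        raise ValueError("encoding error")
    m_prime = b"\x00" * 8 + m_hash + salt
    h = HASH(m_prime).digest()
    ps = b"\x00" * (em_len - len(salt) - H_LEN - 2)
    db = ps + b"\x01" + salt
    db_mask = mgf1(h, em_len - H_LEN - 1)
    masked_db = bytearray(a ^ b for a, b in zip(db, db_mask))
    # clear the leftmost 8*emLen - emBits bits of the first octet
    masked_db[0] &= 0xFF >> (8 * em_len - em_bits)
    return bytes(masked_db) + h + b"\xbc"

def emsa_pss_verify(message: bytes, em: bytes, em_bits: int, salt_len: int) -> str:
    """RFC 8017 9.1.2: return 'ok' or the name of the first failing check."""
    em_len = (em_bits + 7) // 8
    m_hash = HASH(message).digest()
    if em_len < H_LEN + salt_len + 2:
        return "inconsistent"
    if em[-1] != 0xBC:
        return "last octet invalid"  # the reason seen in the log above
    masked_db, h = em[: em_len - H_LEN - 1], em[em_len - H_LEN - 1 : -1]
    if masked_db[0] & ~(0xFF >> (8 * em_len - em_bits)) & 0xFF:
        return "first octet invalid"
    db = bytearray(a ^ b for a, b in zip(masked_db, mgf1(h, len(masked_db))))
    db[0] &= 0xFF >> (8 * em_len - em_bits)
    ps_len = em_len - H_LEN - salt_len - 2
    if any(db[:ps_len]) or db[ps_len] != 0x01:
        return "salt length recovery failed"
    salt = bytes(db[-salt_len:]) if salt_len else b""
    h_prime = HASH(b"\x00" * 8 + m_hash + salt).digest()
    return "ok" if h_prime == h else "bad signature"
```

An EM whose final octet is not 0xbc is rejected before any hash comparison takes place, so a "last octet invalid" failure means the decrypted signature block itself was malformed rather than the hashed transcript mismatching.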