RADSEC - ERROR: TLS Alert read:fatal:unknown CA
Michael Cullen
michael.cullen at madetech.com
Mon Apr 26 13:12:48 CEST 2021
Hi,
I'm getting an unknown CA error when authenticating with RADSEC. I have
EAP-TLS and EAP-TLS over TTLS working fine.
This is passing locally when running eapol_test, pointing this at the
running server fails with the following:
Listening on auth+acct from client (10.0.2.232, 52947) -> (*, 2083,
virtual-server=radsec)
(0) Initiating new TLS session
(0) Setting verify mode to require certificate from client
(0) (other): before SSL initialization
(0) TLS_accept: before SSL initialization
(0) TLS_accept: before SSL initialization
(0) <<< recv TLS 1.3 [length 0098]
(0) TLS_accept: SSLv3/TLS read client hello
(0) >>> send TLS 1.2 [length 0039]
(0) TLS_accept: SSLv3/TLS write server hello
(0) >>> send TLS 1.2 [length 03c6]
(0) TLS_accept: SSLv3/TLS write certificate
(0) >>> send TLS 1.2 [length 016d]
(0) TLS_accept: SSLv3/TLS write key exchange
(0) >>> send TLS 1.2 [length 00aa]
(0) TLS_accept: SSLv3/TLS write certificate request
(0) >>> send TLS 1.2 [length 0004]
(0) TLS_accept: SSLv3/TLS write server done
(0) TLS_accept: Need to read more data: SSLv3/TLS write server done
(0) TLS - In Handshake Phase
(0) TLS - got 1587 bytes of data
(0) <<< recv TLS 1.2 [length 0002]
(0) ERROR: TLS Alert read:fatal:unknown CA
(0) TLS_accept: Need to read more data: error
(0) ERROR: Failed in __FUNCTION__ (SSL_read): error:14094418:SSL
routines:ssl3_read_bytes:tlsv1 alert unknown ca
(0) TLS - In Handshake Phase
(0) TLS - Application data.
(0) SSL_read Error
(0) ERROR: Error in fragmentation logic
(0) Application data status 4
Closing TLS socket from client port 52947
Client has closed connection
... shutting down socket auth+acct from client (10.0.2.232, 52947) -> (*,
2083, virtual-server=radsec)
... cleaning up socket auth+acct from client (10.0.2.232, 11766) -> (*,
2083, virtual-server=radsec)
... cleaning up socket auth+acct from client (10.0.2.232, 15359) -> (*,
2083, virtual-server=radsec)
... cleaning up socket auth+acct from client (10.0.2.232, 65212) -> (*,
2083, virtual-server=radsec)
... cleaning up socket auth+acct from client (10.0.2.232, 6123) -> (*,
2083, virtual-server=radsec)
... cleaning up socket auth+acct from client (10.0.2.232, 59685) -> (*,
2083, virtual-server=radsec)
... cleaning up socket auth+acct from client (10.0.2.232, 17646) -> (*,
2083, virtual-server=radsec)
... cleaning up socket auth+acct from client (10.0.2.232, 48212) -> (*,
2083, virtual-server=radsec)
... cleaning up socket auth+acct from client (10.0.2.232, 53313) -> (*,
2083, virtual-server=radsec)
... cleaning up socket auth+acct from client (10.0.2.232, 36056) -> (*,
2083, virtual-server=radsec)
... cleaning up socket auth+acct from client (10.0.2.232, 40139) -> (*,
2083, virtual-server=radsec)
... cleaning up socket auth+acct from client (10.0.2.232, 48337) -> (*,
2083, virtual-server=radsec)
... cleaning up socket auth+acct from client (10.0.2.232, 42353) -> (*,
2083, virtual-server=radsec)
... cleaning up socket auth+acct from client (10.0.2.232, 22426) -> (*,
2083, virtual-server=radsec)
.. . cleaning up socket auth+acct from client (10.0.2.232, 51317) -> (*,
2083, virtual-server=radsec)
... cleaning up socket auth+acct from client (10.0.2.232, 19967) -> (*,
2083, virtual-server=radsec)
... cleaning up socket auth+acct from client (10.0.2.232, 32633) -> (*,
2083, virtual-server=radsec)
... cleaning up socket auth+acct from client (10.0.2.232, 39479) -> (*,
2083, virtual-server=radsec)
... cleaning up socket auth+acct from client (10.0.2.232, 3427) -> (*,
2083, virtual-server=radsec)
... cleaning up socket auth+acct from client (10.0.2.232, 11898) -> (*,
2083, virtual-server=radsec)
... cleaning up socket auth+acct from client (10.0.2.232, 15455) -> (*,
2083, virtual-server=radsec)
... cleaning up socket auth+acct from client (10.0.2.232, 26702) -> (*,
2083, virtual-server=radsec)
... cleaning up socket auth+acct from client (10.0.2.232, 28398) -> (*,
2083, virtual-server=radsec)
... cleaning up socket auth+acct from client (10.0.2.232, 7519) -> (*,
2083, virtual-server=radsec)
... cleaning up socket auth+acct from client (10.0.2.232, 16029) -> (*,
2083, virtual-server=radsec)
... cleaning up socket auth+acct from client (10.0.2.232, 24805) -> (*,
2083, virtual-server=radsec)
... cleaning up socket auth+acct from client (10.0.2.232, 30665) -> (*,
2083, virtual-server=radsec)
... cleaning up socket auth+acct from client (10.0.2.232, 37105) -> (*,
2083, virtual-server=radsec)
... cleaning up socket auth+acct from client (10.0.2.232, 17261) -> (*,
2083, virtual-server=radsec)
... cleaning up socket auth+acct from client (10.0.2.232, 23705) -> (*,
2083, virtual-server=radsec)
... cleaning up socket auth+acct from client (10.0.2.232, 30053) -> (*,
2083, virtual-server=radsec)
... cleaning up socket auth+acct from client (10.0.2.232, 24811) -> (*,
2083, virtual-server=radsec)
... cleaning up socket auth+acct from client (10.0.2.232, 41416) -> (*,
2083, virtual-server=radsec)
... cleaning up socket auth+acct from client (10.0.2.232, 25290) -> (*,
2083, virtual-server=radsec)
... cleaning up socket auth+acct from client (10.0.2.232, 17735) -> (*,
2083, virtual-server=radsec)
... cleaning up socket auth+acct from client (10.0.2.232, 21421) -> (*,
2083, virtual-server=radsec)
Waking up in 0.8 seconds.
... cleaning up socket auth+acct from client (10.0.2.232, 15262) -> (*,
2083, virtual-server=radsec)
... cleaning up socket auth+acct from client (10.0.2.232, 23391) -> (*,
2083, virtual-server=radsec)
... cleaning up socket auth+acct from client (10.0.2.232, 28075) -> (*,
2083, virtual-server=radsec)
... cleaning up socket auth+acct from client (10.0.2.232, 19519) -> (*,
2083, virtual-server=radsec)
... cleaning up socket auth+acct from client (10.0.2.232, 8746) -> (*,
2083, virtual-server=radsec)
... cleaning up socket auth+acct from client (10.0.2.232, 29993) -> (*,
2083, virtual-server=radsec)
... cleaning up socket auth+acct from client (10.0.2.232, 60922) -> (*,
2083, virtual-server=radsec)
... cleaning up socket auth+acct from client (10.0.2.232, 2533) -> (*,
2083, virtual-server=radsec)
... cleaning up socket auth+acct from client (10.0.2.232, 50237) -> (*,
2083, virtual-server=radsec)
... cleaning up socket auth+acct from client (10.0.2.232, 52840) -> (*,
2083, virtual-server=radsec)
... cleaning up socket auth+acct from client (10.0.2.232, 62747) -> (*,
2083, virtual-server=radsec)
... cleaning up socket auth+acct from client (10.0.2.232, 60782) -> (*,
2083, virtual-server=radsec)
... cleaning up socket auth+acct from client (10.0.2.232, 17977) -> (*,
2083, virtual-server=radsec)
... cleaning up socket auth+acct from client (10.0.2.232, 26652) -> (*,
2083, virtual-server=radsec)
... cleaning up socket auth+acct from client (10.0.2.232, 57896) -> (*,
2083, virtual-server=radsec)
... cleaning up socket auth+acct from client (10.0.2.232, 22108) -> (*,
2083, virtual-server=radsec)
... cleaning up socket auth+acct from client (10.0.2.232, 6062) -> (*,
2083, virtual-server=radsec)
... cleaning up socket auth+acct from client (10.0.2.232, 13844) -> (*,
2083, virtual-server=radsec)
... cleaning up socket auth+acct from client (10.0.2.232, 43369) -> (*,
2083, virtual-server=radsec)
... cleaning up socket auth+acct from client (10.0.2.232, 51246) -> (*,
2083, virtual-server=radsec)
... cleaning up socket auth+acct from client (10.0.2.232, 54429) -> (*,
2083, virtual-server=radsec)
... cleaning up socket auth+acct from client (10.0.2.232, 64595) -> (*,
2083, virtual-server=radsec)
... cleaning up socket auth+acct from client (10.0.2.232, 2748) -> (*,
2083, virtual-server=radsec)
... cleaning up socket auth+acct from client (10.0.2.232, 47575) -> (*,
2083, virtual-server=radsec)
... cleaning up socket auth+acct from client (10.0.2.232, 52947) -> (*,
2083, virtual-server=radsec)
Ready to process requests
The radsec configuration is:
server radsec {
listen {
type = auth+acct
ipaddr = *
port = 2083
proto = tcp
tls {
private_key_password = whatever
private_key_file = ${certdir}/server.pem
certificate_file = ${certdir}/server.pem
ca_file = ${certdir}/ca.pem
dh_file = ${raddbdir}/dh
random_file = /dev/random
check_crl = no
ca_path = ${cadir}
cipher_list = "HIGH"
ecdh_curve = "secp384r1"
require_client_cert = yes
auto_chain = no
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
tmpdir = /tmp/radiusd
client = "/usr/bin/openssl verify -CAfile ${certdir}/ca.pem
%{TLS-Client-Cert-Filename}"
}
}
}
authorize {
eap
}
authenticate {
eap
}
}
In an attempt to fix this, I followed this guide (we are running on Alpine):
https://wiki.alpinelinux.org/wiki/FreeRadius_EAP-TLS_configuration
I'm interested to know whether this is really a unknown CA error or if
something else is going on.
Some things I'm investigating:
1. Why is the first recv TLS 1.3 and all consecutive send and recv TLS 1.2?
(0) <<< recv TLS 1.3 [length 0098]
(0) TLS_accept: SSLv3/TLS read client hello
(0) >>> send TLS 1.2 [length 0039]
(0) TLS_accept: SSLv3/TLS write server hello
2. I can see "TLS - got 1587 bytes of data", will this result in
fragmentation in the handshake?
(0) ERROR: Error in fragmentation logic
3. Could there be a problem with the identity being sent to the server? I'm
seeing a lot of identity request and response, and we seem to be stuck in a
loop.
I'm using the certificate Common Name as the identity value.
57 12.824635 HewlettP_f7:de:e0 Apple_26:33:dc EAP 23 Request, Identity
551 30.363992 HewlettP_f7:de:f0 Apple_26:33:dc EAP 23 Request, Identity
553 30.400277 HewlettP_f7:de:f0 Apple_26:33:dc EAP 23 Request, Identity
558 30.433393 HewlettP_f7:de:f0 Apple_26:33:dc EAP 23 Request, Identity
560 30.466359 HewlettP_f7:de:f0 Apple_26:33:dc EAP 23 Request, Identity
562 30.499880 HewlettP_f7:de:f0 Apple_26:33:dc EAP 23 Request, Identity
564 30.531438 HewlettP_f7:de:f0 Apple_26:33:dc EAP 23 Request, Identity
Kind Regards,
Michael
More information about the Freeradius-Users
mailing list