EAP-TLS Signature Check Failure
nabble at felix.world
nabble at felix.world
Fri Jan 22 16:17:06 CET 2021
> Wow. That's a pretty spectacular breakage. How the heck do these things make it to production?
Good question... It seems like a combination with a Windows Version and the TPM firmware.
E.g. one client was working well until some update of Windows. But we don't know on which exactly version something changed in the windows operation how they speak with the TPM chips.
We saw the error i think the first time nearly a year ago and to be honest we're just happy that we find the issue and how to resolve it. So we will not investigate more effort in this to figure out from which windows update the error occurs.
What we're doing is to figure out which clients we know have which TPM version, to clarify a bit at which TPM version, we're seeing this. So far it's:
STMicroelectronics: 71.12
Intel: 11.8.50.3399
Regards,
Lineconnect
-----Original Message-----
From: Freeradius-Users <freeradius-users-bounces+nabble=felix.world at lists.freeradius.org> On Behalf Of Alan DeKok
Sent: Friday, January 22, 2021 3:32 PM
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Re: EAP-TLS Signature Check Failure
On Jan 22, 2021, at 7:48 AM, nabble at felix.world wrote:
> we finally got the issue and for the anyone else, how will face the issue, the fix is quite simple. Update your TPM Firmware!
>
> In fact, during the authentication the client is sending a signature which only includes nulls. The packet itself is intact, sizes of the packets are valid and the signature algorithm is also well. The only thing that's not in the tls authentication is a signature. :
Wow. That's a pretty spectacular breakage. How the heck do these things make it to production?
> That's also the reason why some of our clients are able to authenticate and some not, with the key, stored in TPM.
>
> Intel ships end customer TPM updater, STM as we know not. We also don't have clients with Infineon chips but they should also ship updates to the end customer.
Good to know.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
More information about the Freeradius-Users
mailing list