EAP-TLS Signature Check Failure

Boris Lytochkin lytboris at yandex-team.com
Tue Jul 12 09:28:33 UTC 2022


Hey.

Sorry for posting into this old thread, but we came across the 
same issue with TPMs and the PSS algorithm. Take a look at a work-around: 
limit the allowed signature algorithms for OpenSSL 1.1.1+. PR: 
https://github.com/FreeRADIUS/freeradius-server/pull/4603

On 22.01.2021 18:17, nabble at felix.world wrote:
>>   Wow.  That's a pretty spectacular breakage.  How the heck do these things make it to production?
> Good question... It seems like a combination with a Windows Version and the TPM firmware.
> E.g. one client was working well until some Windows update. But we don't know exactly in which version something changed in how Windows speaks with the TPM chips.
> We saw the error, I think, for the first time nearly a year ago and to be honest we're just happy that we found the issue and how to resolve it. So we will not invest more effort in this to figure out from which Windows update the error occurs.
>
> What we're doing is figuring out which clients we know have which TPM version, to clarify a bit at which TPM version we're seeing this. So far it's:
>      STMicroelectronics: 71.12
>      Intel: 11.8.50.3399
>
> Regards,
> Lineconnect
>
> -----Original Message-----
> From: Freeradius-Users <freeradius-users-bounces+nabble=felix.world at lists.freeradius.org> On Behalf Of Alan DeKok
> Sent: Friday, January 22, 2021 3:32 PM
> To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
> Subject: Re: EAP-TLS Signature Check Failure
>
> On Jan 22, 2021, at 7:48 AM, nabble at felix.world wrote:
>> we finally got the issue and for anyone else who will face the issue, the fix is quite simple. Update your TPM firmware!
>>
>> In fact, during the authentication the client is sending a signature which only includes nulls. The packet itself is intact, the sizes of the packets are valid and the signature algorithm is also fine. The only thing that's not in the TLS authentication is a signature:
>    Wow.  That's a pretty spectacular breakage.  How the heck do these things make it to production?
>
>> That's also the reason why some of our clients are able to authenticate and some not, with the key stored in the TPM.
>>
>> Intel ships an end-customer TPM updater; STM, as far as we know, does not. We also don't have clients with Infineon chips but they should also ship updates to the end customer.
>    Good to know.
>
>    Alan DeKok.

-- 
Boris Lytochkin
Yandex NOC
+7 (495) 739 70 00 ext 7671
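As an added diagnostic example, not code from FreeRADIUS, from the linked PR or from anyone in this thread: a small Python parser for a TLS 1.2 CertificateVerify handshake message that reports the SignatureScheme the client chose and flags the failure mode described above, a well-formed message whose signature bytes are all zero. The sample messages are constructed here; the scheme code points are the RFC 8446 values.

```python
# Added diagnostic example (not FreeRADIUS code): parse a TLS 1.2
# CertificateVerify message and flag the failure mode from the thread,
# a well-formed message whose signature bytes are all zero.
import struct

HANDSHAKE_CERTIFICATE_VERIFY = 15

# TLS SignatureScheme code points (RFC 8446, section 4.2.3).
SIGNATURE_SCHEMES = {
    0x0401: "rsa_pkcs1_sha256",
    0x0501: "rsa_pkcs1_sha384",
    0x0804: "rsa_pss_rsae_sha256",
    0x0805: "rsa_pss_rsae_sha384",
    0x0809: "rsa_pss_pss_sha256",
}


def parse_certificate_verify(msg: bytes) -> dict:
    """Return scheme, signature length and sanity flags; raise on malformed input."""
    if len(msg) < 4 or msg[0] != HANDSHAKE_CERTIFICATE_VERIFY:
        raise ValueError("not a CertificateVerify handshake message")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    if len(body) != body_len or body_len < 4:
        raise ValueError("truncated handshake body")
    scheme, sig_len = struct.unpack(">HH", body[:4])
    signature = body[4:4 + sig_len]
    if len(signature) != sig_len:
        raise ValueError("truncated signature")
    name = SIGNATURE_SCHEMES.get(scheme, f"unknown(0x{scheme:04x})")
    return {
        "scheme_name": name,
        "is_pss": "pss" in name,
        "signature_len": sig_len,
        # Sizes and algorithm look valid, but the signature carries no data.
        "all_zero_signature": sig_len > 0 and not any(signature),
    }


def build_certificate_verify(scheme: int, signature: bytes) -> bytes:
    """Build a CertificateVerify message (used here only to construct samples)."""
    body = struct.pack(">HH", scheme, len(signature)) + signature
    return bytes([HANDSHAKE_CERTIFICATE_VERIFY]) + len(body).to_bytes(3, "big") + body


# Constructed samples: 256-byte (RSA-2048) signatures, one all-zero under
# rsa_pss_rsae_sha256 as in the thread, one non-zero under rsa_pkcs1_sha256.
BROKEN_SAMPLE = build_certificate_verify(0x0804, bytes(256))
GOOD_SAMPLE = build_certificate_verify(0x0401, bytes(range(256)))
```

Running `parse_certificate_verify` on a captured CertificateVerify from a failing client shows whether the server is rejecting a genuinely empty signature or merely an unsupported scheme.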