RADSEC / TLS errors but not sure why

James Wood james.wood at purplewifi.com
Mon Aug 7 16:18:03 UTC 2023


The thing is, I am using the same Openroaming issued certificate as
other RADSEC providers.

If I query a public RADSEC server, from the same client (that doesn't have
any Openroaming specific or CA certs installed), it's fine:

openssl s_client -showcerts -connect radsec1a.eu1.odyssys.net:2083

CONNECTED(00000003)
depth=3 C = US, ST = California, L = San Jose, O = "Cisco Systems, Inc.",
OU = Openroaming, CN = openroaming.org, emailAddress = enb-devops at cisco.com
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=3 C = US, ST = California, L = San Jose, O = "Cisco Systems, Inc.",
OU = Openroaming, CN = openroaming.org, emailAddress = enb-devops at cisco.com
verify return:1
depth=2 C = SG, ST = Singapore, L = Singapore, O = Wireless Broadband
Alliance, OU = WBA, CN = openroaming.org, dnQualifier = WBA WRIX ECC Policy
Intermediate CA-01
verify return:1
depth=1 C = US, O = "Kyrio, Inc.", OU = WBA, CN = openroaming.org,
dnQualifier = WBA WRIX ECC Intermediate CA-2
verify return:1
depth=0 C = GB, O = Global Reach Technology EMEA Limited, OU = WBA:WRIX
End-Entity, CN = radsec1a.eu1.odyssys.net, UID = GlobalReach:GB
verify return:1
Server certificate
subject=C = GB, O = Global Reach Technology EMEA Limited, OU = WBA:WRIX
End-Entity, CN = radsec1a.eu1.odyssys.net, UID = GlobalReach:GB
issuer=C = US, O = "Kyrio, Inc.", OU = WBA, CN = openroaming.org,
dnQualifier = WBA WRIX ECC Intermediate CA-2

---
Acceptable client certificate CA names
C = US, ST = California, L = San Jose, O = "Cisco Systems, Inc.", OU =
Openroaming, CN = openroaming.org, emailAddress = enb-devops at cisco.com
Requested Signature Algorithms:
ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:ECDSA+SHA1:RSA+SHA224:RSA+SHA1
Shared Requested Signature Algorithms:
ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Peer signing digest: SHA384
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 5255 bytes and written 436 bytes
Verification error: self signed certificate in certificate chain
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 384 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 19 (self signed certificate in certificate chain)
---
But when querying my server using the same CA-issued certificate:

CONNECTED(00000003)
140245345748288:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert
handshake failure:ssl/record/rec_layer_s3.c:1555:SSL alert number 40
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 227 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1691356240
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---



More information about the Freeradius-Users mailing list
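The two transcripts above differ in a way that is easy to miss when reading them side by side: the first completed a TLS 1.3 handshake and only the local chain check failed (code 19, the OpenRoaming root is not in the client's trust store), while the second received exactly 7 bytes from the server, which is one TLS record (5-byte header plus a 2-byte alert), so the server rejected the ClientHello itself before ever sending a certificate. The helper below is an added example, not code from James's message or from FreeRADIUS; it classifies an `openssl s_client` transcript into those outcomes and prints the probe to run next. The sample transcripts are constructed to mirror the shapes shown above, and HOST, CA_BUNDLE, CLIENT_CERT and CLIENT_KEY are placeholders to be substituted.

```shell
#!/bin/sh
# Triage helper for `openssl s_client` transcripts taken against a RADSEC
# server (RFC 6614, TCP 2083). Added example; not from the original thread.

# classify_sclient: reads a transcript on stdin and prints one word:
#   ok                   handshake completed and the chain verified locally
#   chain-unverified     handshake completed, but local verification failed
#                        (e.g. code 19: the root CA is not in the trust store)
#   aborted-clienthello  the server's only reply was a single alert record
#                        (7 bytes = 5-byte record header + 2-byte alert), so it
#                        rejected the ClientHello before sending a certificate
#   aborted              an alert arrived after the server had already sent data
#   unknown
classify_sclient() {
    t=$(cat)
    alert=$(printf '%s\n' "$t" | sed -n 's/.*SSL alert number \([0-9][0-9]*\).*/\1/p' | head -n 1)
    nread=$(printf '%s\n' "$t" | sed -n 's/^SSL handshake has read \([0-9][0-9]*\) bytes.*/\1/p' | head -n 1)
    verify=$(printf '%s\n' "$t" | sed -n 's/^Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1)
    cipher=$(printf '%s\n' "$t" | sed -n 's/^New, .*Cipher is \(.*\)$/\1/p' | head -n 1)
    if [ -n "$alert" ]; then
        if [ -n "$nread" ] && [ "$nread" -le 7 ]; then
            echo aborted-clienthello
        else
            echo aborted
        fi
    elif [ -n "$cipher" ] && [ "$cipher" != "(NONE)" ]; then
        if [ "$verify" = 0 ]; then echo ok; else echo chain-unverified; fi
    else
        echo unknown
    fi
}

# next_probe: prints the s_client invocation to try next for a given outcome.
# HOST, CA_BUNDLE, CLIENT_CERT and CLIENT_KEY are placeholders (assumptions).
next_probe() {
    case "$1" in
    chain-unverified)
        # Supply the CA bundle so verification returns 0, and offer the client
        # certificate, since the server advertised acceptable client CA names.
        echo "openssl s_client -connect HOST:2083 -CAfile CA_BUNDLE -cert CLIENT_CERT -key CLIENT_KEY" ;;
    aborted-clienthello)
        # Nothing past the ClientHello was accepted: pin the name and protocol
        # version explicitly and compare against the server's own debug output.
        echo "openssl s_client -connect HOST:2083 -servername HOST -tls1_2 -CAfile CA_BUNDLE -cert CLIENT_CERT -key CLIENT_KEY" ;;
    *)
        echo "openssl s_client -connect HOST:2083 -showcerts" ;;
    esac
}

# Constructed sample transcripts (abbreviated to the lines the classifier reads).
SAMPLE_CHAIN_UNVERIFIED=$(cat <<'EOF'
CONNECTED(00000003)
depth=3 C = US, O = "Cisco Systems, Inc.", OU = Openroaming, CN = openroaming.org
verify error:num=19:self signed certificate in certificate chain
verify return:1
SSL handshake has read 5255 bytes and written 436 bytes
Verification error: self signed certificate in certificate chain
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Verify return code: 19 (self signed certificate in certificate chain)
EOF
)

SAMPLE_ABORTED=$(cat <<'EOF'
CONNECTED(00000003)
140245345748288:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1555:SSL alert number 40
---
no peer certificate available
---
SSL handshake has read 7 bytes and written 227 bytes
---
New, (NONE), Cipher is (NONE)
    Verify return code: 0 (ok)
EOF
)

for s in "$SAMPLE_CHAIN_UNVERIFIED" "$SAMPLE_ABORTED"; do
    outcome=$(printf '%s\n' "$s" | classify_sclient)
    echo "$outcome -> $(next_probe "$outcome")"
done
```

To use it against a live capture, pipe the transcript in: `openssl s_client -connect HOST:2083 -showcerts 2>&1 </dev/null | classify_sclient`. The indented `Verify return code: 0 (ok)` in the failing transcript is ignored on purpose: it only says that no certificate was checked, not that a chain verified.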