Freeradius and Android, TLS Internal Error

Lorenzo Mirabella lorenzo.mirabella at outlook.it
Fri Feb 23 11:01:49 UTC 2024


I have configured FreeRADIUS with EAP-TTLS/GTC and I am using valid certificates issued by Let's Encrypt. The certificate is valid for radius.foo.it and I have cert.pem, chain.pem, fullchain.pem, and privkey.pem. I have configured the tls section of the FreeRADIUS eap module as follows:

```
private_key_file = ${certdir}/privkey.pem
certificate_file = ${certdir}/fullchain.pem
ca_file = ${cadir}/fullchain.pem
auto_chain = no
```

When I try to connect to the access point with an older Android device, I have no issues, as it uses the system certificates. Using Linux and specifying the CA Authority as the Let's Encrypt root, I encounter no problems either. However, when using an iPad, I am prompted to accept the certificate (which is the correct one), but it claims it is untrusted despite the Let's Encrypt root being among the trusted CAs. With newer versions of Android, you can choose between 3 options: do not verify, request certificate status, and require certificate status. The first two options work (by entering radius.foo.it as the domain), but for security reasons, I would like the third option to work as well. However, I get this error:

```
(13) eap: Peer sent EAP Response (code 2) ID 5 length 13
(13) eap: Continuing tunnel setup
(13) [eap] = ok
(13) } # authorize = ok
(13) Found Auth-Type = eap
(13) # Executing group from file /etc/freeradius/sites-enabled/default
(13) authenticate {
(13) eap: Expiring EAP session with state 0xf0bbd072f4bec5d6
(13) eap: Finished EAP session with state 0xf0bbd072f4bec5d6
(13) eap: Previous EAP request found for state 0xf0bbd072f4bec5d6, released from the list
(13) eap: Peer sent packet with method EAP TTLS (21)
(13) eap: Calling submodule eap_ttls to process data
(13) eap_ttls: Authenticate
(13) eap_ttls: (TLS) EAP Done initial handshake
(13) eap_ttls: (TLS) recv TLS 1.2 Alert, fatal internal_error
(13) eap_ttls: (TLS) The client is informing us that there is a failure inside the TLS protocol exchange.
(13) eap_ttls: ERROR: (TLS) Alert read:fatal:internal error
(13) eap_ttls: (TLS) Server : Need to read more data: error
(13) eap_ttls: ERROR: (TLS) Failed reading from OpenSSL: error:0A000438:SSL routines::tlsv1 alert internal error
(13) eap_ttls: (TLS) In Handshake Phase
(13) eap_ttls: (TLS) Application data.
(13) eap_ttls: ERROR: (TLS) Cannot continue, as the peer is misbehaving.
(13) eap_ttls: ERROR: [eaptls process] = fail
(13) eap: ERROR: Failed continuing EAP TTLS (21) session. EAP sub-module failed
(13) eap: Sending EAP Failure (code 4) ID 5 length 4
```

There is definitely something wrong with the configuration, but honestly, I can't figure out what. Any advice?
I'm using the official freeradius docker container version 3.2.3.

Thank you in advance.

P.S. I am 100% sure that the certificate is valid, which can be verified using openssl verify or by creating a virtual host with HTTPS using Apache.


More information about the Freeradius-Users mailing list