Internal error during the authentication

Çağlar Karahan karahancaglar94 at gmail.com
Thu Jul 18 14:37:00 UTC 2024


I am building FreeRADIUS 3.2.2 and OpenSSL 3.3.0 separately, and to enable
TLS 1.0 and legacy ciphers I configured both of them.
*My FreeRADIUS EAP configuration is shown below*

eap {
    default_eap_type = tls
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    max_sessions = 4096
    tls-config tls-common {
        private_key_password = whatever
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem
        ca_file = ${certdir}/ca.pem
        dh_file = ${certdir}/dh
        random_file = ${certdir}/random
        cipher_list = "DEFAULT@SECLEVEL=0"
        tls_min_version = "1.0"
        ecdh_curve = "secp256k1:secp384r1:secp521r1:prime256v1:X448:X25519"
        cache {
            enable = no
            lifetime = 24
            max_entries = 255
        }
        verify{}
    }
    tls {
        tls = tls-common
    }
}


To test the TLSv1.0 authentication, I am using eapol_test as a client, which
is provided by wpa_supplicant (v2.9). I have also already configured the
openssl.cnf file on the client computer so that it supports TLSv1.0.

*eapol_test configuration file:*
network={
    phase1="tls_disable_tlsv1_0=0 tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1 tls_disable_tlsv1_3=1 peapver=0"
    ssid="test-ssid"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="testuser"
    ca_cert="/path/to/ca.pem"
    client_cert="/path/to/client.pem"
    private_key="/path/to/client.key"
    private_key_passwd="clientkeypassword"
    eapol_flags=3
}

Testing with eapol_test works properly and successfully. But when another
hardware device is used as a client with the same configured certificates
and configuration, I get the error below:

Debug: (14) eap_tls: (TLS) recv TLS 1.0 Alert, fatal internal_error
Debug: (14) eap_tls: (TLS) The client is informing us that there is a failure inside the TLS protocol exchange.
ERROR: (14) eap_tls: (TLS) Alert read:fatal:internal error
Debug: (14) eap_tls: (TLS) Server : Need to read more data: error
ERROR: (14) eap_tls: (TLS) Failed reading from OpenSSL:
ssl/record/rec_layer_s3.c[907]:error:0A000438:SSL routines::tlsv1 alert internal error
Debug: (14) eap_tls: (TLS) In Handshake Phase
Debug: (14) eap_tls: (TLS) Application data.
ERROR: (14) eap_tls: (TLS) Cannot continue, as the peer is misbehaving.
ERROR: (14) eap_tls: [eaptls process] = fail
ERROR: (14) eap: Failed continuing EAP TLS (13) session.  EAP sub-module failed

Do you have any thoughts about this issue? I know that it is probably on
the client side, but any suggestions or thoughts would be great. I have
already checked the certificates, protocol matches, and cipher suites that
are provided by the client and server sides.

Thank you.
Caglar
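As an added example (not part of the post above, and not FreeRADIUS or OpenSSL project code), the following Python script decodes the two forms in which the client's alert shows up in the debug output quoted in the post: the FreeRADIUS "recv TLS 1.0 Alert, fatal internal_error" line, and the OpenSSL 3.x packed error code `0A000438`, whose low 23 bits (1080) are the libssl "received alert" reason 1000 + 80, i.e. AlertDescription 80, internal_error. It then sorts alerts into those the TLS RFCs define as a negotiation mismatch (handshake_failure, protocol_version, insufficient_security) and those defined as a fault local to the sender (internal_error). The regular expressions, the classification sets and the sample log (the post's own lines with the mail client's wrapping undone) are mine.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# TLS AlertDescription values (RFC 5246 section 7.2, RFC 8446 section 6).
TLS_ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    22: "record_overflow", 40: "handshake_failure", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 47: "illegal_parameter",
    48: "unknown_ca", 49: "access_denied", 50: "decode_error", 51: "decrypt_error",
    70: "protocol_version", 71: "insufficient_security", 80: "internal_error",
    86: "inappropriate_fallback", 90: "user_canceled", 100: "no_renegotiation",
    109: "missing_extension", 110: "unsupported_extension",
    112: "unrecognized_name", 115: "unknown_psk_identity",
    116: "certificate_required", 120: "no_application_protocol",
}
# Alerts whose RFC definitions point at a mismatch of negotiated parameters
# (version, cipher suite, key strength). internal_error (80) is defined as
# an error "unrelated to the peer or the correctness of the protocol"
# (RFC 5246 section 7.2.2), i.e. a fault local to the side that sent it.
NEGOTIATION_ALERTS = {40, 70, 71}

ERR_LIB_SSL = 20             # OpenSSL library id of libssl
SSL_AD_REASON_OFFSET = 1000  # SSL_R_TLSV1_ALERT_<x> == 1000 + AlertDescription

# Patterns written for this example. OpenSSL 3.x prints
# error:<8 hex digits>:<library>:<function>:<reason>; FreeRADIUS eap_tls logs
# "recv TLS <ver> Alert, <level> <name>" when an alert record arrives.
OPENSSL_ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.+)")
RECV_ALERT_RE = re.compile(r"recv TLS ([\d.]+) Alert, (warning|fatal) (\w+)")


@dataclass
class PeerAlert:
    """A TLS alert the server received from the client, as seen in the log."""
    source: str               # "openssl_error" or "freeradius_recv"
    version: Optional[str]    # record-layer version, when FreeRADIUS logged it
    level: Optional[str]      # "warning" / "fatal", when FreeRADIUS logged it
    code: int                 # AlertDescription byte
    name: str


def decode_openssl_error(line: str) -> Optional[PeerAlert]:
    """Unpack an OpenSSL 3.x packed error code and map it to a peer alert.

    OpenSSL 3 packs the library id into the high bits (code >> 23) and the
    reason into the low 23 bits. In libssl, reasons 1000..1255 mean "peer
    sent alert <reason - 1000>", so 0x0A000438 is lib 20, reason 1080,
    i.e. alert 80 (internal_error). Returns None for non-alert errors.
    """
    m = OPENSSL_ERR_RE.search(line)
    if not m:
        return None
    code = int(m.group(1), 16)
    lib, reason = code >> 23, code & 0x7FFFFF
    if lib != ERR_LIB_SSL or not (SSL_AD_REASON_OFFSET <= reason < SSL_AD_REASON_OFFSET + 256):
        return None
    alert = reason - SSL_AD_REASON_OFFSET
    return PeerAlert("openssl_error", None, None, alert,
                     TLS_ALERTS.get(alert, f"unknown({alert})"))


def decode_freeradius_recv(line: str) -> Optional[PeerAlert]:
    """Parse FreeRADIUS's own 'recv TLS x.y Alert, <level> <name>' line."""
    m = RECV_ALERT_RE.search(line)
    if not m:
        return None
    name = m.group(3)
    code = next((c for c, n in TLS_ALERTS.items() if n == name), -1)
    return PeerAlert("freeradius_recv", m.group(1), m.group(2), code, name)


def analyze_eap_tls_log(log: str) -> Dict[str, object]:
    """Collect every peer alert in a debug excerpt and say what kind it is."""
    alerts: List[PeerAlert] = []
    for line in log.splitlines():
        for decoder in (decode_freeradius_recv, decode_openssl_error):
            found = decoder(line)
            if found:
                alerts.append(found)
    codes = {a.code for a in alerts}
    if not codes:
        verdict = "no TLS alert in excerpt"
    elif codes & NEGOTIATION_ALERTS:
        verdict = "negotiation mismatch: compare versions, cipher suites and key sizes"
    elif 80 in codes:
        verdict = "peer-local failure: the client aborted for a reason internal to it"
    else:
        verdict = "other alert: " + ", ".join(sorted(a.name for a in alerts))
    return {"alerts": alerts, "verdict": verdict}


# Constructed sample: the eap_tls lines quoted in the post, re-joined.
SAMPLE_LOG = """\
Debug: (14) eap_tls: (TLS) recv TLS 1.0 Alert, fatal internal_error
ERROR: (14) eap_tls: (TLS) Alert read:fatal:internal error
ERROR: (14) eap_tls: (TLS) Failed reading from OpenSSL:
ssl/record/rec_layer_s3.c[907]:error:0A000438:SSL routines::tlsv1 alert internal error
"""

if __name__ == "__main__":
    result = analyze_eap_tls_log(SAMPLE_LOG)
    for a in result["alerts"]:
        print(f"{a.source}: alert {a.code} ({a.name}) version={a.version} level={a.level}")
    print("verdict:", result["verdict"])
```

Run it on a saved `radiusd -X` excerpt by replacing SAMPLE_LOG; the verdict only distinguishes alert classes by their RFC definitions, it does not identify the client's actual fault, which for internal_error is by definition not visible from the server side.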

