EAP-TLS certificate untrusted

Alan DeKok aland at deployingradius.com
Fri Sep 27 08:08:29 UTC 2024


On Sep 27, 2024, at 8:30 AM, Etienne Muesse <etienne.muesse at wi-ag.de> wrote:
> I am trying to use freeradius with EAP-TLS but the client certificates are not trusted.
> We are using client certificates which are signed by our internal CA (signing chain is: client <- int-ca <- root-ca)

  You need to configure the certificate chains as documented in the mods-available/eap module.

> Here is what I did:
> - Put the root CA and intermediate CA into "ca_path".
> - Set server.pem (issued by intermediate CA)
> - Set key.pem
> - Disable CRL/OCSP checks (for testing).
> 
> The result when a client connects:
> Certificate chain - 1 intermediate CA cert(s) untrusted
> To forbid these certificates see 'reject_unknown_intermediate_ca'
> (TLS) untrusted certificate with depth [2] subject name [ROOT CA CERTIFICATE]
> (TLS) untrusted certificate with depth [1] subject name [INT CA CERTIFICATE]
> (TLS) untrusted certificate with depth [0] subject name [CLIENT CERTIFICATE]
> tls: There are untrusted certificates in the certificate chain. Rejecting.
> (12) eap_tls: ERROR: (TLS) TLS - Alert write:fatal:internal error
> (12) eap_tls: ERROR: (TLS) TLS - Server : Error in error
> (12) eap_tls: ERROR: (TLS) Failed reading from OpenSSL: error:0A000086:SSL routines::certificate verify failed
> (12) eap_tls: ERROR: (TLS) System call (I/O) error (-1)
> (12) eap_tls: ERROR: (TLS) EAP Receive handshake failed during operation
> (12) eap_tls: ERROR: [eaptls process] = fail

  For now, set

 reject_unknown_intermediate_ca = no

> I also tried to chain the CA files or put the whole chain into the client certificate.
> When I try to verify with openssl, it works fine:
> openssl verify -CApath certs/ca certs/client.pem
> 
> Using FreeRADIUS Version 3.2.4
> 
> Am I missing something?

  Mumble mumble OpenSSL weirdness.

  Alan DeKok.
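The thread turns on how the trust store is assembled: the reporter's `openssl verify -CApath certs/ca certs/client.pem` succeeds, while the server logs every certificate in the chain as untrusted. The script below is an added example, not code from the thread or from the FreeRADIUS project. It builds a throwaway root -> intermediate -> client PKI with the openssl CLI (all subject names and file names are constructed) and then verifies the client certificate against the same CA material presented in different ways: root only, root plus the intermediate as untrusted chain material, both CAs in one bundle file, and a directory with and without the subject-hash file names that OpenSSL's `-CApath` lookup (the mechanism behind a `ca_path` directory) requires.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the FreeRADIUS project).
# Builds a constructed root -> intermediate -> client PKI and shows which
# CA-store layouts let OpenSSL build and trust the client's chain.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension profiles. A CA certificate needs CA:TRUE and keyCertSign,
# otherwise OpenSSL refuses to use it as an issuer ("invalid CA certificate").
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > ee.ext

# issue NAME ISSUER EXTFILE: create an EC key and CSR for NAME and sign it
# with ISSUER (or self-sign when ISSUER is "self"), producing NAME.pem/NAME.key.
issue() {
  name=$1; issuer=$2; ext=$3
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$name.key" -out "$name.csr" -subj "/CN=Example $name"
  if [ "$issuer" = self ]; then
    openssl x509 -req -in "$name.csr" -signkey "$name.key" -days 30 \
      -extfile "$ext" -out "$name.pem"
  else
    openssl x509 -req -in "$name.csr" -CA "$issuer.pem" -CAkey "$issuer.key" \
      -CAcreateserial -days 30 -extfile "$ext" -out "$name.pem"
  fi
}

issue root   self  ca.ext   # constructed root CA
issue intca  root  ca.ext   # constructed intermediate CA
issue client intca ee.ext   # constructed end-entity (EAP-TLS client) cert

# verify_client ARGS...: run `openssl verify ARGS client.pem` against ONLY the
# store named on the command line (no system CA file/dir) and print OK or FAIL.
# The printed verdict is checked rather than the exit code, because openssl
# before 1.1 exited 0 even when verification failed.
verify_client() {
  if openssl verify -no-CAfile -no-CApath "$@" client.pem 2>&1 | grep -q 'client.pem: OK'; then
    echo OK
  else
    echo FAIL
  fi
}

# 1. Root alone: the intermediate is unknown, so no chain can be built.
root_only() { verify_client -CAfile root.pem; }

# 2. Root trusted, intermediate supplied as untrusted chain material
#    (what a client that sends its full chain hands the server).
root_plus_untrusted() { verify_client -CAfile root.pem -untrusted intca.pem; }

# 3. Root and intermediate concatenated into one trusted bundle file.
bundle_file() {
  cat root.pem intca.pem > ca-bundle.pem
  verify_client -CAfile ca-bundle.pem
}

# 4. A CA directory is searched by subject-hash file name (<hash>.0), so
#    plain file names are never found, however correct their contents.
unhashed_dir() {
  mkdir -p plaindir
  cp root.pem intca.pem plaindir/
  verify_client -CApath plaindir
}

# 5. The same directory with hash-named copies (what `openssl rehash` or
#    `c_rehash` would produce) works.
hashed_dir() {
  mkdir -p hashdir
  for c in root intca; do
    cp "$c.pem" "hashdir/$(openssl x509 -noout -subject_hash -in "$c.pem").0"
  done
  verify_client -CApath hashdir
}

for chk in root_only root_plus_untrusted bundle_file unhashed_dir hashed_dir; do
  printf '%-20s %s\n' "$chk" "$($chk)"
done
```

Cases 1 and 4 fail with "unable to get local issuer certificate" even though the CA certificates are correct, which is the shape of failure to look for when a server rejects a chain that `openssl verify` appears to accept: check whether the intermediate is actually reachable from the store the server was given, and whether a directory store has been rehashed after certificates were added.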