[openssl-dev] [openssl.org #2916] EAP-TLS error: RSA_padding_check_PKCS1_type_1:block type is not 01
This is an issue reported against 0.9.x/1.0.0. If still an issue with current release, please open a new ticket.

--
Rich Salz, OpenSSL dev team; rs...@openssl.org

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
[openssl.org #2916] EAP-TLS error: RSA_padding_check_PKCS1_type_1:block type is not 01
Hi All,

I'm using Freeradius server2.1.12 on x86 fedora14. My client is using (armel ubuntu 10.04 lucid) IMX53 board. When I try connecting to radius server I am receiving the following errors. Do we require different certificates for arm boards, as I was able to run without any issues on x86 with same certificates.

openssl version is 0.98g (on arm board)
openssl version is 1.0.0a-fips (on x86 free radius server 2.1.12)

/*ERROR: --- */
rad_recv: Access-Request packet from host 10.0.0.70 port 2050, id=8, length=166
	User-Name = testuser
	NAS-IP-Address = 127.0.0.1
	NAS-Port = 0
	Called-Station-Id = 68-7F-74-64-0A-AA:linksys
	Calling-Station-Id = 00-23-A7-3B-29-2C
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = CONNECT 0Mbps 802.11
	EAP-Message = 0x020300060d00
	State = 0xba89e950b88ae454eff4b9964b6ca194
	Message-Authenticator = 0x3f69e77da835e1450b33224899e816b2
Tue Nov 20 16:48:05 2012 : Info: # Executing section authorize from file /usr/local/etc/raddb/radiusd.conf
Tue Nov 20 16:48:05 2012 : Info: +- entering group authorize {...}
Tue Nov 20 16:48:05 2012 : Info: ++[preprocess] returns ok
Tue Nov 20 16:48:05 2012 : Info: ++[chap] returns noop
Tue Nov 20 16:48:05 2012 : Info: ++[mschap] returns noop
Tue Nov 20 16:48:05 2012 : Info: [suffix] No '@' in User-Name = testuser, looking up realm NULL
Tue Nov 20 16:48:05 2012 : Info: [suffix] No such realm NULL
Tue Nov 20 16:48:05 2012 : Info: ++[suffix] returns noop
Tue Nov 20 16:48:05 2012 : Info: [eap] EAP packet type response id 3 length 6
Tue Nov 20 16:48:05 2012 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation
Tue Nov 20 16:48:05 2012 : Info: ++[eap] returns updated
Tue Nov 20 16:48:05 2012 : Info: [files] users: Matched entry testuser at line 131
Tue Nov 20 16:48:05 2012 : Info: ++[files] returns ok
Tue Nov 20 16:48:05 2012 : Info: Found Auth-Type = EAP
Tue Nov 20 16:48:05 2012 : Info: # Executing group from file /usr/local/etc/raddb/radiusd.conf
Tue Nov 20 16:48:05 2012 : Info: +- entering group authenticate {...}
Tue Nov 20 16:48:05 2012 : Info: [eap] Request found, released from the list
Tue Nov 20 16:48:05 2012 : Info: [eap] EAP/tls
Tue Nov 20 16:48:05 2012 : Info: [eap] processing type tls
Tue Nov 20 16:48:05 2012 : Info: [tls] Authenticate
Tue Nov 20 16:48:05 2012 : Info: [tls] processing EAP-TLS
Tue Nov 20 16:48:05 2012 : Info: [tls] Received TLS ACK
Tue Nov 20 16:48:05 2012 : Info: [tls] ACK handshake fragment handler
Tue Nov 20 16:48:05 2012 : Info: [tls] eaptls_verify returned 1
Tue Nov 20 16:48:05 2012 : Info: [tls] eaptls_process returned 13
Tue Nov 20 16:48:05 2012 : Info: ++[eap] returns handled
Sending Access-Challenge of id 8 to 10.0.0.70 port 2050
	EAP-Message = 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
	EAP-Message = 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
	EAP-Message = 0x026161310a300806035504031301610e00
	Message-Authenticator = 0x
	State = 0xba89e950b98de454eff4b9964b6ca194
Tue Nov 20 16:48:05 2012 : Info: Finished request 8.
Tue Nov 20 16:48:05 2012 : Debug: Going to the next request
Tue Nov 20 16:48:05 2012 : Debug: Waking up in 0.5 seconds.
rad_recv: Access-Request packet from host 10.0.0.70 port 2050, id=9, length=1287
	User-Name = testuser
	NAS-IP-Address = 127.0.0.1
	NAS-Port = 0
	Called-Station-Id = 68-7F-74-64-0A-AA:linksys
	Calling-Station-Id = 00-23-A7-3B-29-2C
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = CONNECT 0Mbps 802.11
	EAP-Message = 0x0204045f0d0016030103030b0002ff0002fc0002f9308202f53082025ea003020102020900958dbc5fc22a1e39300d06092a864886f70d0101040500305b310a3008060355040a130161310a3008060355040b1301613110300e06092a864886f70d010901160161310a30080603550407130161310a30080603550408130
EAP-TLS certs
Hi,

I have need of certs for 3 clients, for some tests on freeradius with a sniffer that it capture the input. Therefore I want certs of test the type which already use, generated with the script CA.all inside freeradius-1.1.2 sources.

How can I make 3 certs for distinct for the clients? Is it possible to modify CA.all in order to create certs for 1 root, 1 server and 3 or more client certs for EAP-TLS (xpextension included)?

Someone knows gives me of the information also on the guides who can help me?

Thousand thanks for all
Matteo ;-)

__
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager [EMAIL PROTECTED]
Re: EAP-TLS
On Thu, Dec 20, 2001 at 08:16:26PM -0800, Raghu wrote:
> From sockets perspective these are really simple questions, Since EAP handles
> every basic data transfer, there are no sockets/file descriptors involved.
> I am really finding hard to get the answers.

I don't know anything about EAP. I however can offer you the standard answer for cases without sockets: use BIO-pairs. This way you have full control over the complete I/O process. I do use BIO-pairs in my Postfix/TLS patchkit available at http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/

Best regards,
	Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
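
An added example, not part of the message above and not OpenSSL project code: the socket-less pattern the reply recommends, shown with Python's ssl module, whose MemoryBIO buffers are used here in place of the C-level BIO pair. The host name and conversation keys are constructed; the record walker shows how handshake and application-data records are told apart once the bytes arrive through EAP rather than a socket.

```python
import ssl

# TLS record content types (first byte of every 5-byte record header)
RECORD_TYPES = {20: "change_cipher_spec", 21: "alert",
                22: "handshake", 23: "application_data"}

def split_records(buf):
    """Return ([(type_name, payload_len), ...], leftover_bytes) for a TLS byte string."""
    records, i = [], 0
    while i + 5 <= len(buf):
        length = int.from_bytes(buf[i + 3:i + 5], "big")
        if i + 5 + length > len(buf):
            break                      # partial record: keep it until more fragments arrive
        records.append((RECORD_TYPES.get(buf[i], "unknown"), length))
        i += 5 + length
    return records, buf[i:]

class TlsSession:
    """One TLS engine per EAP conversation; bytes move through memory, never a socket."""
    def __init__(self, ctx, server_hostname):
        self.incoming = ssl.MemoryBIO()    # TLS bytes the EAP layer received from the peer
        self.outgoing = ssl.MemoryBIO()    # TLS bytes the EAP layer must carry to the peer
        self.tls = ctx.wrap_bio(self.incoming, self.outgoing,
                                server_hostname=server_hostname)

    def feed(self, data=b""):
        """Hand received TLS bytes to the engine; return (handshake_done, bytes_to_send)."""
        if data:
            self.incoming.write(data)
        try:
            self.tls.do_handshake()
            done = True
        except ssl.SSLWantReadError:       # engine needs the peer's next flight
            done = False
        return done, self.outgoing.read()

def demo():
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Constructed keys: one engine per conversation, looked up by an
    # identifier the EAP layer already tracks for that conversation.
    sessions = {key: TlsSession(ctx, "radius.example") for key in ("conv-1", "conv-2")}
    done, flight = sessions["conv-1"].feed()     # first call emits the ClientHello
    return done, flight, sessions

if __name__ == "__main__":
    done, flight, _ = demo()
    print(done, split_records(flight)[0])
```

The bytes returned by feed() are what the EAP layer would fragment and carry; a trailing partial record stays in the leftover buffer until the next fragment completes it.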
Re: EAP-TLS
> Raghu wrote:
> > Questions:
> > 1. Is BIO interface suitable for the above scenario and can it be used to handle both handshaking data.
> > 2. What are the different TLS/SSL APIs that can provide the following functionality
> >    A. Plain text message to TLS-message.
> >    B. TLS-message to Plain text message.
> >    C. TLS Handshaking APIs.
> > Please provide any sort of information in this regard.
>
> Look at demos/state_machine and demos/tunala.

Thank you for the information. I was seeing Openssl 0.9.6b. It does not contain the above demos. I have been looking ssl source code, tunala mail archives for the past one week and still have some questions.

1. In state_machine_churn(), we loop twice because there might be some incomplete data in any one of the i/p buffers. Is this right? If not, please help me in understanding this. ( I did read all the mails related to churn() with subject GSS-API Interface )
2. Since EAP server can have multiple SSL connections, how can I associate the received data with/belongs to a specific SSL connection.
3. How to identify, if data contained handshake message or the actual data ?
4. I am thinking that SSL_read() SSL_write() handles even handshakes, please correct me if I am wrong.

Please help me.

From sockets perspective these are really simple questions, Since EAP handles every basic data transfer, there are no sockets/file descriptors involved. I am really finding hard to get the answers. I request someone to answer my questions.

-Raghu
Re: EAP-TLS
> > Questions:
> > 1. Is BIO interface suitable for the above scenario and can it be used to handle both handshaking data.
> > 2. What are the different TLS/SSL APIs that can provide the following functionality
> >    A. Plain text message to TLS-message.
> >    B. TLS-message to Plain text message.
> >    C. TLS Handshaking APIs.
> > Please provide any sort of information in this regard.
>
> Look at demos/state_machine and demos/tunala.

Thank you for the information. I was seeing Openssl 0.9.6b. It does not contain the above demos. I have been looking ssl source code, tunala mail archives for the past one week and still have some questions.

1. In state_machine_churn(), we loop twice because there might be some incomplete data in any one of the i/p buffers. Is this right? If not, please help me in understanding this. ( I did read all the mails related to churn() with subject GSS-API Interface )
2. Since EAP server can have multiple SSL connections, how can I associate the received data with/belongs to a specific SSL connection.
3. How to identify, if data contained handshake message or the actual data ?
4. I am thinking that SSL_read() SSL_write() handles even handshakes, please correct me if I am wrong.

Please help me.

-Raghu
Re: EAP-TLS
Raghu wrote:
> Hi,
>
> Repost(from users list) with slight enhancements. I thought, probably, it is a developer question.
>
> I just recently joined the OpenSSL world to implement EAP-TLS, rfc2716, using OpenSSL libraries. I could not make any significant progress for the last one week due to lack of documentation on ssl libraries and request your help.
>
> EAP Background:
> EAP-server handles all the transformation of TLS-messages (including handshaking messages). EAP-Server provides plain text message to SSL library for encryption, Similarly, it provides all the cipher text message to SSL library for decryption.
>
> To start with, let's say,
> 1. EAP-Server provides the complete cipher text message with all the (TLS/SSL) records to SSL library for decryption.
> 2. It is the responsibility of ssl library to handle all the handshaking, encryption decryption of a message and EAP-Server's responsibility to transfer all the messages to EAP-Client.
> (Please let me know if this is not possible with the existing ssl library)
>
> Questions:
> 1. Is BIO interface suitable for the above scenario and can it be used to handle both handshaking data.
> 2. What are the different TLS/SSL APIs that can provide the following functionality
>    A. Plain text message to TLS-message.
>    B. TLS-message to Plain text message.
>    C. TLS Handshaking APIs.
>
> Please provide any sort of information in this regard.

Look at demos/state_machine and demos/tunala.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/

There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit. - Robert Woodruff
EAP-TLS
Hi,

Repost(from users list) with slight enhancements. I thought, probably, it is a developer question.

I just recently joined the OpenSSL world to implement EAP-TLS, rfc2716, using OpenSSL libraries. I could not make any significant progress for the last one week due to lack of documentation on ssl libraries and request your help.

EAP Background:
EAP-server handles all the transformation of TLS-messages (including handshaking messages). EAP-Server provides plain text message to SSL library for encryption, Similarly, it provides all the cipher text message to SSL library for decryption.

To start with, let's say,
1. EAP-Server provides the complete cipher text message with all the (TLS/SSL) records to SSL library for decryption.
2. It is the responsibility of ssl library to handle all the handshaking, encryption decryption of a message and EAP-Server's responsibility to transfer all the messages to EAP-Client.
(Please let me know if this is not possible with the existing ssl library)

Questions:
1. Is BIO interface suitable for the above scenario and can it be used to handle both handshaking data.
2. What are the different TLS/SSL APIs that can provide the following functionality
   A. Plain text message to TLS-message.
   B. TLS-message to Plain text message.
   C. TLS Handshaking APIs.

Please provide any sort of information in this regard.

-Raghu