I've tried those scripts, also the scripts from Raymond Mc Kay and Ken Roser, but it seems that the client certs generated from those scripts have a problem when installed on the XP machine. It says: the integrity of this certificate cannot be guaranteed. The certificate may be corrupted or may have been altered. The root cert is installed properly, and is valid! I have no idea what caused the problem.
 
So I use my own script to generate the certs, which is okay when installed on XP:
 
*********
   CA
*********
# Self-signed CA cert and key in one step (-x509 makes req emit a signed cert, not a request)
/usr/local/openssl/bin/openssl req -new -x509 -keyout cakey.pem -out ca_request.pem -days 888
# Bundle the CA as PKCS#12, then convert it back to PEM for the server
/usr/local/openssl/bin/openssl pkcs12 -export -in ca_request.pem -inkey cakey.pem -out ca.p12 -cacerts
/usr/local/openssl/bin/openssl pkcs12 -in ca.p12 -out ca.pem

*********
 Client
*********
# Client key and request; the key is appended so cert request and key sit in one file
/usr/local/openssl/bin/openssl req -new -keyout clientkey.pem -out client_request.pem -days 888
cat client_request.pem >client_new.pem
cat clientkey.pem >>client_new.pem
# Sign with the CA, adding the XP client extensions (extendedKeyUsage clientAuth)
/usr/local/openssl/bin/openssl ca -policy policy_anything -out client_cert.pem -extensions xpclient_ext -extfile /usr/local/openssl/ssl/misc/xpextensions -infiles client_new.pem
# PKCS#12 with cert and key, for import on the XP client
/usr/local/openssl/bin/openssl pkcs12 -export -in client_cert.pem -inkey clientkey.pem -out client.p12 -clcerts

********
 Server
********
# Same steps for the server, with the XP server extensions (extendedKeyUsage serverAuth)
/usr/local/openssl/bin/openssl req -new -keyout serverkey.pem -out server_request.pem -days 888
cat server_request.pem >server_new.pem
cat serverkey.pem >>server_new.pem
/usr/local/openssl/bin/openssl ca -policy policy_anything -out server_cert.pem -extensions xpserver_ext -extfile /usr/local/openssl/ssl/misc/xpextensions -infiles server_new.pem
/usr/local/openssl/bin/openssl pkcs12 -export -in server_cert.pem -inkey serverkey.pem -out server.p12 -clcerts

With the certs generated from the above script, EAP/TLS auth can be initiated, though it failed with the "Invalid ACK received" ...
 
I just need to understand what caused this problem ... I've traced the code; it seems that there's something wrong with the packet from the client ... Can somebody shed some light on what happens?
 
Is it the cert that caused the problem? The fragment size? I've tried fragment sizes 1024, 512 and 256 ... but the problem's still there...
 
I've tried disabling "validate server certificate"; however, this time I got another problem:
26431:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned:s3_srvr.c:2010:
 
Thanks,
lara

Alan DeKok <[EMAIL PROTECTED]> wrote:
Lara Adianto <[EMAIL PROTECTED]> wrote:
> According to the posting, the problem lies in the server cert, which the client fails to validate, hence the client will return an invalid ACK.
>
> My question is: how can one make sure that the cert generated is valid?

scripts/CA.certs

Run it, and it will generate some test certificates.

Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


------------------------------------------------------------------------------------
Life, you see, is never as good or as bad as one thinks
- Guy de Maupassant -
------------------------------------------------------------------------------------
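As an added check that is not part of the thread: the script below answers the quoted question ("how can one make sure that the cert generated is valid?") by verifying that a cert chains to the CA, is unexpired and carries the Extended Key Usage the xpclient_ext / xpserver_ext sections add, exercised against a constructed CA and two client certs (one signed with the extension section, one without). It assumes the openssl CLI is on PATH; check_eap_cert, make_demo_certs, the subjects and the file names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: check an EAP-TLS cert the way an admin
# would before handing it to a client or server. Assumes the openssl CLI is on
# PATH; subjects, file names and function names below are constructed.
set -u

# check_eap_cert CA_PEM CERT_PEM clientAuth|serverAuth
# Succeeds only if CERT_PEM chains to CA_PEM, is inside its validity period and
# carries the Extended Key Usage that xpclient_ext / xpserver_ext are meant to add.
check_eap_cert() {
    ca=$1; cert=$2; eku=$3
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || { echo "$cert: does not chain to $ca"; return 1; }
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 || { echo "$cert: expired"; return 1; }
    case $eku in
        clientAuth) want="TLS Web Client Authentication" ;;
        serverAuth) want="TLS Web Server Authentication" ;;
        *) echo "unknown EKU: $eku"; return 2 ;;
    esac
    openssl x509 -in "$cert" -noout -text | grep -q "$want" || { echo "$cert: missing EKU $eku"; return 1; }
    echo "$cert: ok ($eku)"
}

# make_demo_certs DIR: constructed CA plus two client certs, one signed with the
# XP client extension section and one without it (the -extensions flag forgotten).
make_demo_certs() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ca.key" -out "$dir/ca.pem" \
        -subj "/CN=Example EAP CA" -days 30 >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/client.key" -out "$dir/client.csr" \
        -subj "/CN=example-client" >/dev/null 2>&1
    # Same OID the FreeRADIUS xpextensions file uses in xpclient_ext (clientAuth)
    printf '[ xpclient_ext ]\nextendedKeyUsage = 1.3.6.1.5.5.7.3.2\n' >"$dir/ext.cnf"
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/ext.cnf" -extensions xpclient_ext -days 30 -out "$dir/client_ok.pem" >/dev/null 2>&1
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -days 30 -out "$dir/client_noeku.pem" >/dev/null 2>&1
}

# Stand-alone run: the second check is expected to fail on the missing EKU.
if [ "${1:-}" = "--demo" ]; then
    D=$(mktemp -d); make_demo_certs "$D"
    check_eap_cert "$D/ca.pem" "$D/client_ok.pem" clientAuth
    check_eap_cert "$D/ca.pem" "$D/client_noeku.pem" clientAuth
    rm -rf "$D"
fi
```

Run the same check against the real ca.pem and client_cert.pem / server_cert.pem produced by the script above, with clientAuth for the client and serverAuth for the server, before importing the .p12 files.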
