Hi All

An update: I tried using OpenSSL version 9.8c, but got the exact same issues.
Wed May 21 19:31:19 2008 : Debug: rlm_eap_tls: Done initial handshake
Wed May 21 19:31:19 2008 : Debug: rlm_eap_tls: <<< TLS 1.0 Handshake [length 038d], Certificate
Wed May 21 19:31:19 2008 : *Error: --> verify error:num=20:unable to get local issuer certificate*
Wed May 21 19:31:19 2008 : Debug: rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal unknown_ca
Wed May 21 19:31:19 2008 : Error: TLS Alert write:fatal:unknown CA
Wed May 21 19:31:19 2008 : Error: TLS_accept:error in SSLv3 read client certificate B
Wed May 21 19:31:19 2008 : Error: rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Wed May 21 19:31:19 2008 : Error: rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
Wed May 21 19:31:19 2008 : Debug: eaptls_process returned 13

On OpenSSL 9.8g, radiusd started giving a segmentation fault (maybe it's some conflict). I really need a breakthrough now. I don't think there is anything left that I can do now; maybe use some other client or server for my purpose :)

- Naunidh

----------------------------------------------------------------------

Message: 1
Date: Wed, 21 May 2008 20:15:06 +0530
From: "Naunidh S Chadha" <[EMAIL PROTECTED]>
Subject: EAP TLS testing using eapol_test
To: freeradius-users@lists.freeradius.org
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="iso-8859-1"

Hi All

I am attempting to authenticate with EAP-TLS using the eapol_test tool against FreeRADIUS Version 2.0.3. For the last two days I have been stumped by certificate issues. Currently I have the following error in my FreeRADIUS log that seems to be the problem.
Wed May 21 19:31:19 2008 : Debug: rlm_eap_tls: Done initial handshake
Wed May 21 19:31:19 2008 : Debug: rlm_eap_tls: <<< TLS 1.0 Handshake [length 038d], Certificate
Wed May 21 19:31:19 2008 : *Error: --> verify error:num=20:unable to get local issuer certificate*
Wed May 21 19:31:19 2008 : Debug: rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal unknown_ca
Wed May 21 19:31:19 2008 : Error: TLS Alert write:fatal:unknown CA
Wed May 21 19:31:19 2008 : Error: TLS_accept:error in SSLv3 read client certificate B
Wed May 21 19:31:19 2008 : Error: rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Wed May 21 19:31:19 2008 : Error: rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
Wed May 21 19:31:19 2008 : Debug: eaptls_process returned 13

From searching around the net I found that one issue could be that my SSL does not understand that server.pem is a trusted CA. To make that happen I created hashes using the following command,

    ln -s client.pem `openssl x509 -hash -noout -in client.pem`.0

for ca.pem/server.pem and client.pem. I then pasted the hashes and .pem files into the /usr/share/ssl/certs folder too (out of desperation :) ). After this, if I ran the command "openssl verify *.pem" in the .../raddb/certs folder, it would return OK for all pem files. IMO this is the best way to test that all certificates are in order. I also used the command "openssl verify -CApath . *.pem" (picked it up from the Makefile) and it returned OK too.

I must add here that my setup is totally as per the docs/config file explanations. The radiusd.conf is configured to use EAP as per the default config, and the certs are made by running the make command in the raddb/certs folder. I commented out bootstrap for my exploration. I ran "make client.pem" to create the client certificates.
The supplicant client uses the following configuration file:

network={
    ssid="1x-test"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="[EMAIL PROTECTED]"
    ca_cert="/usr/local/etc/raddb/certs/ca.pem"
    client_cert="/usr/local/etc/raddb/certs/[EMAIL PROTECTED]"
    private_key="/usr/local/etc/raddb/certs/client.key"
    private_key_passwd="whatever"
    eapol_flags=3
}

Since the logs are big enough to be a torture for people reading in digest mode, I have put them at http://naunidh.googlepages.com/logs. It has the output of radiusd -XXX followed by the logs of the eapol_test tool.

My OpenSSL version is 9.7a (supported by FreeRADIUS). My next step would be to upgrade this, but it does not look like an OpenSSL issue. Upgrading would be a pain at the moment as a lot of people are dependent on the setup, but this is the only recourse left from my side.

Any help would be greatly appreciated. Sorry for the long mail, but I could not shorten it any more without missing something important.

Thanks All

- Naunidh
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html