Hi,
I am a newbie to FreeRADIUS and I am having a really hard time implementing
EAP-TLS using a self-signed certificate.
My certificate seems valid:
Server Certificate
[root@localhost CA]# openssl verify -CAfile /etc/pki/CA/cacert.pem xplab.pem
xplab.pem: OK
Client certificate
[root@localhost CA]# openssl verify -CAfile /etc/pki/CA/cacert.pem bob.pem
bob.pem: OK
When I run
[root@localhost CA]# eapol_test -c /opt/EAP-RADIUS/eap-tls.conf -s testing123,
I have the following results:
EAPOL: Successfully fetched key (len=32)
PMK from EAPOL - hexdump(len=32): cf cd 8c f0 17 49 11 13 d6 7d fe cb b1 65 00 1d 85 c2 ef a5 33 35 78 00 b8 a1 0a 9d 02 4b 06 45
EAP: deinitialize previously used EAP method (13, TLS) at EAP deinit
ENGINE: engine deinit
MPPE keys OK: 1 mismatch: 0
SUCCESS
using the following eap-tls.conf
# eapol_test -c eap-tls.conf -s testing123
#
network={
key_mgmt=IEEE8021X
eap=TLS
eapol_flags=0
eap_workaround=0
identity="bob"
ca_cert="/etc/pki/CA/cacert.pem"
client_cert="/etc/pki/CA/bob.der"
private_key="/etc/pki/CA/bob.key"
private_key_passwd="abc123"
#
# Uncomment the following to perform server certificate validation.
ca_cert="/etc/pki/CA/cacert.pem"
}
My problem is the following error message when running eapol_test
TLS: Trusted root certificate(s) loaded
OpenSSL: SSL_use_certificate_file (DER) --> OK
OpenSSL: tls_connection_private_key - SSL_use_PrivateKey_File (DER) failed
error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
OpenSSL: pending error: error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
OpenSSL: pending error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
OpenSSL: pending error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
OpenSSL: pending error: error:04093004:rsa routines:OLD_RSA_PRIV_DECODE:RSA lib
OpenSSL: pending error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
OpenSSL: pending error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
OpenSSL: pending error: error:140CB00D:SSL routines:SSL_use_PrivateKey_file:ASN1 lib
OpenSSL: SSL_use_PrivateKey_File (PEM) --> OK
SSL: Private key loaded successfully
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
I would like to know if this means that my certificates are not valid even though
eapol_test seems successful. I was not able to find any information on the
meaning of these messages. These messages are similar to what I have when I
run wpa_supplicant from my client machine. Since I am not able to
authenticate from wpa_supplicant (failed to load private key), I think that it might
be possible that the certificates are wrong.
wpa_supplicant.conf
ap_scan=0
network={
key_mgmt=WPA-EAP
eap=TLS
identity="bob"
ca_cert="/etc/ssl/demoCA/cacert.pem"
client_cert="/etc/ssl/demoCA/certs/bob.pem"
private_key="/etc/ssl/demoCA/private/bob.key"
private_key_passwd="abc123"
eapol_flags=0
}
wpa_supplicant -c /etc/wpa_supplicant.conf -D wired -i br0
CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
OpenSSL: pending error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
OpenSSL: pending error: error:140C800D:SSL routines:SSL_use_certificate_file:ASN1 lib
OpenSSL: pending error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
OpenSSL: pending error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
OpenSSL: pending error: error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib
OpenSSL: pending error: error:140CB00D:SSL routines:SSL_use_PrivateKey_file:ASN1 lib
OpenSSL: pending error: error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error
OpenSSL: pending error: error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error
OpenSSL: pending error: error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib
OpenSSL: pending error: error:140CB009:SSL routines:SSL_use_PrivateKey_file:PEM lib
OpenSSL: tls_read_pkcs12 - Failed to use PKCS#12 file error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
OpenSSL: pending error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
OpenSSL: Failed to load private key
Thanks for your help
Stephane
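An added check, not from the post above and not code from the FreeRADIUS or wpa_supplicant projects: the logs show the private key being tried as DER, then PEM, then PKCS#12, so a "wrong tag" on the DER attempt followed by "PEM --> OK" only means the file is PEM, while the wpa_supplicant run fails on all three. The script below classifies a key file the same way and says whether a PEM key is passphrase-encrypted; the sample inputs are constructed toy blobs, not real keys.

```python
import re

PEM_HEADER = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")

def der_tlv(data, pos=0):
    """Return (tag, header_len, content_len) of the DER TLV at pos, or None if malformed."""
    if len(data) < pos + 2:
        return None
    tag, first = data[pos], data[pos + 1]
    if first < 0x80:                       # short-form length
        return tag, 2, first
    n = first & 0x7F                       # long-form: n length bytes follow
    if n == 0 or n > 4 or len(data) < pos + 2 + n:
        return None
    return tag, 2 + n, int.from_bytes(data[pos + 2:pos + 2 + n], "big")

def classify_key_file(data):
    """Classify a key file in the order the supplicant tries it: DER, then PEM, then PKCS#12."""
    m = PEM_HEADER.search(data)
    if m:                                  # PEM: the DER attempt fails ("wrong tag"), PEM then loads
        label = m.group(1).decode()
        enc = b"Proc-Type: 4,ENCRYPTED" in data or label == "ENCRYPTED PRIVATE KEY"
        return {"format": "PEM", "label": label, "encrypted": enc}
    outer = der_tlv(data)
    if outer is None or outer[0] != 0x30:  # no outer SEQUENCE: nothing OpenSSL can decode
        return {"format": "unknown"}
    _, hlen, clen = outer
    if hlen + clen != len(data):           # declared length disagrees with file size
        return {"format": "DER", "complete": False}
    kind = "DER (unrecognised structure)"
    first = der_tlv(data, hlen)
    if first and first[0] == 0x02 and first[2] == 1:   # leading INTEGER: a version number
        version = data[hlen + first[1]]
        nxt = der_tlv(data, hlen + first[1] + 1)
        if version == 3:
            kind = "PKCS#12"
        elif version == 0 and nxt and nxt[0] == 0x30:
            kind = "PKCS#8 PrivateKeyInfo"
        elif version == 0 and nxt and nxt[0] == 0x02:
            kind = "PKCS#1 RSAPrivateKey"
    return {"format": "DER", "complete": True, "kind": kind}

# Constructed samples (not real keys): an encrypted PEM key header and a toy PKCS#1 DER body.
PEM_ENCRYPTED_KEY = (b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                     b"DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\nQUJD\n-----END RSA PRIVATE KEY-----\n")
TOY_DER_PKCS1 = bytes([0x30, 0x08, 0x02, 0x01, 0x00, 0x02, 0x03, 0x01, 0x00, 0x01])

if __name__ == "__main__":
    for name, blob in [("bob.key (PEM)", PEM_ENCRYPTED_KEY), ("bob.der", TOY_DER_PKCS1)]:
        print(name, classify_key_file(blob))
```

Once the format is known, `openssl rsa -in bob.key -check -noout` (which prompts for the passphrase) confirms that an encrypted PEM key actually decrypts with the passphrase configured in `private_key_passwd`.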
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html