Found a previous posting like this where Alan DeKok answered that FreeRadius uses SSL from openssl, and if SSL supports any advanced algorithm FreeRadius should support it (I actually added a patch to FreeRadius to make sure this supports all digests). I am currently trying to find out whether I have linked the right openssl libraries when building FreeRadius. I am unable to find out whether FreeRadius is being built with the Solaris prebuilt openssl version 0.9.7d at /usr/sfw, or my newly installed openssl version 0.9.8h at /usr/local (with library /usr/local/ssl/lib). I have, however, a few questions, and I would appreciate your reply:

1. How to create CAcert.pem (root certs), server.pem (device certs), and server_pvt_key.pem (private key file) for the server, and the same for the client, to test TTLS and TLS. It could be self-signed.
2. Also, how to create certs using different algorithms (sha1, sha2, sha256, etc.)?

I need to create certs to test EAP-TLS/TTLS using a WiMAX AP.

Thanks, and appreciate your help.

On 8/12/08, Sergio <[EMAIL PROTECTED]> wrote:
> Rafiqul Ahsan wrote:
>
> > I see an error like below when trying to use EAP_TLS/TTLS
> > authentication with certs that have Signature Algorithm:
> > sha256WithRSAEncryption. Can anybody tell me why SSL does not like
> > the TLS session?
> >
> > I would appreciate your help. Here is the radiusd -X log:
> >
> > ++[suffix] returns noop
> >   rlm_eap: EAP packet type response id 142 length 13
> >   rlm_eap: Continuing tunnel setup.
> > ++[eap] returns ok
> >   rad_check_password:  Found Auth-Type EAP
> > auth: type "EAP"
> > +- entering group authenticate
> >   rlm_eap: Request found, released from the list
> >   rlm_eap: EAP/ttls
> >   rlm_eap: processing type ttls
> >   rlm_eap_ttls: Authenticate
> >   rlm_eap_tls: processing TLS
> >   eaptls_verify returned 7
> >   rlm_eap_tls: Done initial handshake
> >   rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal decrypt_error
> > TLS Alert read:fatal:decrypt error
> >     TLS_accept:failed in SSLv3 read client certificate A
> > rlm_eap: SSL error error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1 alert decrypt error
> > rlm_eap_tls: SSL_read failed inside of TLS (-1), TLS session fails.
> >   eaptls_process returned 13
> >   rlm_eap: Freeing handler
> > ++[eap] returns reject
> > auth: Failed to validate the user.
> >   Found Post-Auth-Type Reject
> > +- entering group REJECT
> >         expand: %{User-Name} -> anonymous_identity
> >  attr_filter: Matched entry DEFAULT at line 11
> > ++[attr_filter.access_reject] returns updated
> > Sending Access-Reject of id 142 to 10.19.198.231 port 19801
>
> Hi,
> Recently I tried to use certs with SHA-2 sign and got the same error.
> Probably freeradius doesn't support (also) this size of sign. You can ask
> about this on the freeradius mailing list. Try to put a cert with SHA-1
> algorithm and you will see it working.
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           [EMAIL PROTECTED]

--
Rafiqul Ahsan
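
Added example, not part of the original thread: one way to generate the test root, server and client certificates asked about above with a chosen signature digest, then confirm the digest and the chain with the openssl command-line tool. It assumes a current OpenSSL CLI; ca_key.pem, the client file names and the subject names are illustrative.

```shell
#!/bin/sh
# Added example: test PKI for EAP-TLS/TTLS with a selectable signature digest.
# CAcert.pem, server.pem and server_pvt_key.pem follow the names in the message;
# ca_key.pem, client*.pem and the subject names are assumptions for illustration.

# make_pki DIR DIGEST -> writes CA, server and client material into DIR
make_pki() {
    dir=$1; md=$2
    mkdir -p "$dir" || return 1
    # Self-signed root CA, signed with the requested digest (e.g. sha256)
    openssl req -x509 -newkey rsa:2048 -nodes -"$md" -days 365 \
        -subj "/CN=Test Root CA" \
        -keyout "$dir/ca_key.pem" -out "$dir/CAcert.pem" 2>/dev/null || return 1
    # One private key, CSR and CA-signed certificate per role
    for role in server client; do
        openssl req -new -newkey rsa:2048 -nodes -"$md" \
            -subj "/CN=test-$role" \
            -keyout "$dir/${role}_pvt_key.pem" -out "$dir/$role.csr" \
            2>/dev/null || return 1
        openssl x509 -req -"$md" -days 365 -in "$dir/$role.csr" \
            -CA "$dir/CAcert.pem" -CAkey "$dir/ca_key.pem" -CAcreateserial \
            -out "$dir/$role.pem" 2>/dev/null || return 1
    done
}

# sig_alg CERT -> prints the certificate's signature algorithm name
sig_alg() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# chain_ok DIR -> succeeds only if both leaf certs verify against the test root
chain_ok() {
    openssl verify -CAfile "$1/CAcert.pem" \
        "$1/server.pem" "$1/client.pem" >/dev/null 2>&1
}

# Usage: sh make_pki.sh ./certs-sha256 sha256
if [ $# -eq 2 ]; then
    make_pki "$1" "$2" && chain_ok "$1" && sig_alg "$1/server.pem"
fi
```

Running it once per digest gives otherwise identical certificate sets, so a handshake failure that appears with only one of them can be attributed to the signature algorithm.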