Hi, I am using a radius server for authenticating my ThinClient Laptop for WirelessAP in TLS security mode. But my radius server is saying unknown CA.

My radius tls config looks like:

tls {
        rsa_key_exchange = no
        dh_key_exchange = yes
        rsa_key_length = 512
        dh_key_length = 512
        verify_depth = 0
        pem_file_type = yes
        private_key_file = "/etc/pki/tls/misc/server_key.pem"
        certificate_file = "/etc/pki/tls/misc/server_cert.pem"
        CA_file = "/etc/pki/CA/cacert.pem"
        private_key_password = "hello"
        dh_file = "/etc/raddb/certs/dh"
        random_file = "/etc/raddb/certs/random"
        fragment_size = 1024
        include_length = yes
        check_crl = no
        cipher_list = "DEFAULT"
        make_cert_command = "/etc/raddb/certs/bootstrap"
}

In my client Laptop, when I entered the "Enter Certificate passphrase", EAP failed. I am entering the same "hello" as my cert passphrase which I gave when I created the pkcs12 cert at export time.

./CA.pl -newca
openssl req -new -keyout server_key.pem -out server_req.pem -days 730
openssl ca -policy policy_anything -out server_cert.pem -infiles server_req.pem
openssl req -new -keyout client_key.pem -out client_req.pem -days 730
openssl ca -policy policy_anything -out client_cert.pem -infiles client_req.pem
openssl pkcs12 -export -in client_cert.pem -inkey client_key.pem -out client-cert.p12 -clcerts

[For all passphrases I used "hello" only]

I verified the cacert.pem, client_cert.pem and server_cert.pem; all are ok.
==================================================
[r...@gda misc]# openssl x509 -text -in /etc/pki/CA/cacert.pem
==================================================
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            c6:44:66:76:3a:ed:a0:19
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=IN, ST=TamilNadu, O=GDATECH, OU=Software, CN=Thin Client/emailaddress=r.as...@gdatech.co.in
        Validity
            Not Before: Oct 23 09:00:53 2009 GMT
            Not After : Oct 22 09:00:53 2012 GMT
        Subject: C=IN, ST=TamilNadu, O=GDATECH, OU=Software, CN=Thin Client/emailaddress=r.as...@gdatech.co.in
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                A0:BE:BF:A8:AB:6B:63:27:A7:78:FF:C6:67:71:A8:84:BA:E3:C7:A4
            X509v3 Authority Key Identifier:
                keyid:A0:BE:BF:A8:AB:6B:63:27:A7:78:FF:C6:67:71:A8:84:BA:E3:C7:A4
                DirName:/C=IN/ST=TamilNadu/O=GDATECH/OU=Software/CN=Thin Client/emailaddress=r.as...@gdatech.co.in
                serial:C6:44:66:76:3A:ED:A0:19
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption

============================================
[r...@gda misc]# openssl x509 -text -in server_cert.pem
============================================
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            c6:44:66:76:3a:ed:a0:1c
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=IN, ST=TamilNadu, O=GDATECH, OU=Software, CN=Thin Client/emailaddress=r.as...@gdatech.co.in
        Validity
            Not Before: Oct 28 06:37:03 2009 GMT
            Not After : Oct 28 06:37:03 2010 GMT
        Subject: C=IN, ST=TamilNadu, L=Chennai, O=GDATECH, OU=Software, CN=ThinClient/emailaddress=r.as...@gdatech.co.in
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                50:EC:14:A8:7C:88:1B:EB:6E:B3:05:0E:3D:BB:2C:97:9F:FA:75:5F
            X509v3 Authority Key Identifier:
                keyid:A0:BE:BF:A8:AB:6B:63:27:A7:78:FF:C6:67:71:A8:84:BA:E3:C7:A4
    Signature Algorithm: sha1WithRSAEncryption

===================================================
[r...@gda misc]# openssl x509 -text -in client_cert.pem
===================================================
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            c6:44:66:76:3a:ed:a0:1d
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=IN, ST=TamilNadu, O=GDATECH, OU=Software, CN=Thin Client/emailaddress=r.as...@gdatech.co.in
        Validity
            Not Before: Oct 28 06:39:06 2009 GMT
            Not After : Oct 28 06:39:06 2010 GMT
        Subject: C=IN, ST=TamilNadu, L=Chennai, O=GDATECH, OU=Software, CN=ThinClient/emailaddress=r.as...@gdatech.co.in
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                B0:B1:61:E5:B9:FB:3D:41:C9:F6:F6:46:67:F7:07:56:52:25:2E:B8
            X509v3 Authority Key Identifier:
                keyid:A0:BE:BF:A8:AB:6B:63:27:A7:78:FF:C6:67:71:A8:84:BA:E3:C7:A4
    Signature Algorithm: sha1WithRSAEncryption

[r...@gda misc]# tree /etc/pki/
/etc/pki/
|-- CA
|   |-- cacert.pem
|   |-- careq.pem
|   |-- certs
|   |-- crl
|   |-- crlnumber
|   |-- index.txt
|   |-- index.txt.attr
|   |-- index.txt.attr.old
|   |-- index.txt.old
|   |-- newcerts
|   |   |-- C64466763AEDA019.pem
|   |   |-- C64466763AEDA01A.pem
|   |   |-- C64466763AEDA01B.pem
|   |   |-- C64466763AEDA01C.pem
|   |   `-- C64466763AEDA01D.pem
|   |-- private
|   |   `-- cakey.pem
|   |-- serial
|   `-- serial.old
`-- tls
    |-- cert -> certs/ca-bundle.crt
    |-- cert.pem -> /etc/pki/CA/cacert.pem
    |-- certs
    |   |-- Makefile
    |   |-- ca-bundle.crt
    |   `-- make-dummy-cert
    |-- misc
    |   |-- CA
    |   |-- CA.pl
    |   |-- c_hash
    |   |-- c_info
    |   |-- c_issuer
    |   |-- c_name
    |   |-- cacert.p12
    |   |-- certs
    |   |-- client-cert.p12
    |   |-- client_cert.pem
    |   |-- client_key.pem
    |   |-- client_req.pem
    |   |-- server_cert.pem
    |   |-- server_key.pem
    |   `-- server_req.pem
    |-- openssl.cnf
    `-- private

RADIUSD server log::
================
[tls] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert read:fatal:unknown CA
TLS_accept:failed in SSLv3 read client certificate A
rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
SSL: SSL_read failed inside of TLS (-1), TLS session fails.
TLS receive handshake failed during operation
[tls] eaptls_process returned 4
[eap] Handler failed in EAP/tls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
======================================================
http://www.nabble.com/file/p26094597/radius_log.txt radius_log.txt

--
View this message in context: http://www.nabble.com/TLS-Alert-read%3Afatal%3Aunknown-CA-tp26094597p26094597.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.