Radius needs to be set up to trust that CA.  That isn't an openssl
question, that's a radius question.

-Kyle H

On Wed, Oct 28, 2009 at 6:25 AM, ashokgda <r.as...@gdatech.co.in> wrote:
>
> Hi,
>
> I am using a radius server for authenticating my ThinClient laptop for a
> WirelessAP in TLS security mode.
> But my radius server is saying unknown ca.
>
> my radius tls config looks like:
>   tls {
>       rsa_key_exchange = no
>       dh_key_exchange = yes
>       rsa_key_length = 512
>       dh_key_length = 512
>       verify_depth = 0
>       pem_file_type = yes
>       private_key_file = "/etc/pki/tls/misc/server_key.pem"
>       certificate_file = "/etc/pki/tls/misc/server_cert.pem"
>       CA_file = "/etc/pki/CA/cacert.pem"
>       private_key_password = "hello"
>       dh_file = "/etc/raddb/certs/dh"
>       random_file = "/etc/raddb/certs/random"
>       fragment_size = 1024
>       include_length = yes
>       check_crl = no
>       cipher_list = "DEFAULT"
>       make_cert_command = "/etc/raddb/certs/bootstrap"
>   }
>
> In my client laptop, when I entered the "Enter Certificate passphrase", EAP
> failed.
> I am entering the same "hello" as my cert passphrase, which I gave when I
> created the pkcs12 cert at export time.
>
> ./CA.pl -newca
> openssl req -new -keyout server_key.pem -out server_req.pem -days 730
> openssl ca -policy policy_anything -out server_cert.pem -infiles
> server_req.pem
> openssl req -new -keyout client_key.pem -out client_req.pem -days 730
> openssl ca -policy policy_anything -out client_cert.pem -infiles
> client_req.pem
> openssl pkcs12 -export -in client_cert.pem -inkey client_key.pem -out
> client-cert.p12 -clcerts
> [For all passphrases I used "hello" only]
>
> I verified that cacert.pem, client_cert.pem and server_cert.pem are all OK.
> ==================================================
> [r...@gda misc]# openssl x509 -text -in /etc/pki/CA/cacert.pem
> ==================================================
> Certificate:
>   Data:
>       Version: 3 (0x2)
>       Serial Number:
>           c6:44:66:76:3a:ed:a0:19
>       Signature Algorithm: sha1WithRSAEncryption
>       Issuer: C=IN, ST=TamilNadu, O=GDATECH, OU=Software, CN=Thin Client/emailaddress=r.as...@gdatech.co.in
>       Validity
>           Not Before: Oct 23 09:00:53 2009 GMT
>           Not After : Oct 22 09:00:53 2012 GMT
>       Subject: C=IN, ST=TamilNadu, O=GDATECH, OU=Software, CN=Thin Client/emailaddress=r.as...@gdatech.co.in
>       Subject Public Key Info:
>           Public Key Algorithm: rsaEncryption
>           RSA Public Key: (1024 bit)
>               Exponent: 65537 (0x10001)
>       X509v3 extensions:
>           X509v3 Subject Key Identifier:
>               A0:BE:BF:A8:AB:6B:63:27:A7:78:FF:C6:67:71:A8:84:BA:E3:C7:A4
>           X509v3 Authority Key Identifier:
>               keyid:A0:BE:BF:A8:AB:6B:63:27:A7:78:FF:C6:67:71:A8:84:BA:E3:C7:A4
>               DirName:/C=IN/ST=TamilNadu/O=GDATECH/OU=Software/CN=Thin Client/emailaddress=r.as...@gdatech.co.in
>               serial:C6:44:66:76:3A:ED:A0:19
>
>           X509v3 Basic Constraints:
>               CA:TRUE
>   Signature Algorithm: sha1WithRSAEncryption
>
> ============================================
> [r...@gda misc]# openssl x509 -text -in server_cert.pem
> ============================================
> Certificate:
>   Data:
>       Version: 3 (0x2)
>       Serial Number:
>           c6:44:66:76:3a:ed:a0:1c
>       Signature Algorithm: sha1WithRSAEncryption
>       Issuer: C=IN, ST=TamilNadu, O=GDATECH, OU=Software, CN=Thin Client/emailaddress=r.as...@gdatech.co.in
>       Validity
>           Not Before: Oct 28 06:37:03 2009 GMT
>           Not After : Oct 28 06:37:03 2010 GMT
>       Subject: C=IN, ST=TamilNadu, L=Chennai, O=GDATECH, OU=Software, CN=ThinClient/emailaddress=r.as...@gdatech.co.in
>       Subject Public Key Info:
>           Public Key Algorithm: rsaEncryption
>           RSA Public Key: (1024 bit)
>               Exponent: 65537 (0x10001)
>       X509v3 extensions:
>           X509v3 Basic Constraints:
>               CA:FALSE
>           Netscape Comment:
>               OpenSSL Generated Certificate
>           X509v3 Subject Key Identifier:
>               50:EC:14:A8:7C:88:1B:EB:6E:B3:05:0E:3D:BB:2C:97:9F:FA:75:5F
>           X509v3 Authority Key Identifier:
>               keyid:A0:BE:BF:A8:AB:6B:63:27:A7:78:FF:C6:67:71:A8:84:BA:E3:C7:A4
>
>   Signature Algorithm: sha1WithRSAEncryption
>
> ===================================================
> [r...@gda misc]# openssl x509 -text -in client_cert.pem
> ===================================================
> Certificate:
>   Data:
>       Version: 3 (0x2)
>       Serial Number:
>           c6:44:66:76:3a:ed:a0:1d
>       Signature Algorithm: sha1WithRSAEncryption
>       Issuer: C=IN, ST=TamilNadu, O=GDATECH, OU=Software, CN=Thin Client/emailaddress=r.as...@gdatech.co.in
>       Validity
>           Not Before: Oct 28 06:39:06 2009 GMT
>           Not After : Oct 28 06:39:06 2010 GMT
>       Subject: C=IN, ST=TamilNadu, L=Chennai, O=GDATECH, OU=Software, CN=ThinClient/emailaddress=r.as...@gdatech.co.in
>       Subject Public Key Info:
>           Public Key Algorithm: rsaEncryption
>           RSA Public Key: (1024 bit)
>               Exponent: 65537 (0x10001)
>       X509v3 extensions:
>           X509v3 Basic Constraints:
>               CA:FALSE
>           Netscape Comment:
>               OpenSSL Generated Certificate
>           X509v3 Subject Key Identifier:
>               B0:B1:61:E5:B9:FB:3D:41:C9:F6:F6:46:67:F7:07:56:52:25:2E:B8
>           X509v3 Authority Key Identifier:
>               keyid:A0:BE:BF:A8:AB:6B:63:27:A7:78:FF:C6:67:71:A8:84:BA:E3:C7:A4
>
>   Signature Algorithm: sha1WithRSAEncryption
>
> [r...@gda misc]# tree /etc/pki/
> /etc/pki/
> |-- CA
> |   |-- cacert.pem
> |   |-- careq.pem
> |   |-- certs
> |   |-- crl
> |   |-- crlnumber
> |   |-- index.txt
> |   |-- index.txt.attr
> |   |-- index.txt.attr.old
> |   |-- index.txt.old
> |   |-- newcerts
> |   |   |-- C64466763AEDA019.pem
> |   |   |-- C64466763AEDA01A.pem
> |   |   |-- C64466763AEDA01B.pem
> |   |   |-- C64466763AEDA01C.pem
> |   |   `-- C64466763AEDA01D.pem
> |   |-- private
> |   |   `-- cakey.pem
> |   |-- serial
> |   `-- serial.old
> `-- tls
>   |-- cert -> certs/ca-bundle.crt
>   |-- cert.pem -> /etc/pki/CA/cacert.pem
>   |-- certs
>   |   |-- Makefile
>   |   |-- ca-bundle.crt
>   |   `-- make-dummy-cert
>   |-- misc
>   |   |-- CA
>   |   |-- CA.pl
>   |   |-- c_hash
>   |   |-- c_info
>   |   |-- c_issuer
>   |   |-- c_name
>   |   |-- cacert.p12
>   |   |-- certs
>   |   |-- client-cert.p12
>   |   |-- client_cert.pem
>   |   |-- client_key.pem
>   |   |-- client_req.pem
>   |   |-- server_cert.pem
>   |   |-- server_key.pem
>   |   `-- server_req.pem
>   |-- openssl.cnf
>   `-- private
>
> RADIUSD server log:
> ================
> [tls] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
> TLS Alert read:fatal:unknown CA
>  TLS_accept:failed in SSLv3 read client certificate A
> rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
> SSL: SSL_read failed inside of TLS (-1), TLS session fails.
> TLS receive handshake failed during operation
> [tls] eaptls_process returned 4
> [eap] Handler failed in EAP/tls
> [eap] Failed in EAP select
> ++[eap] returns invalid
> Failed to authenticate the user.
> ======================================================
> http://www.nabble.com/file/p26094597/radius_log.txt radius_log.txt
> --
> View this message in context: 
> http://www.nabble.com/TLS-Alert-read%3Afatal%3Aunknown-CA-tp26094597p26094597.html
> Sent from the OpenSSL - User mailing list archive at Nabble.com.
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-us...@openssl.org
> Automated List Manager                           majord...@openssl.org
>
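The checks behind the reply above, as an added example that is not part of the thread: it rebuilds a throwaway CA, server and client certificate with the same openssl tools, verifies the client leaf against the CA file radiusd would load (and against an unrelated CA, to show what a CA the server was never told about looks like), and counts the CA certificates inside a PKCS#12 export done with -clcerts alone versus one done with -certfile. File names, the "Other CA" and the ThinClient-server/-client names are constructed; "hello" mirrors the passphrase used in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: rebuild a throwaway CA, server and
# client certificate the way the quoted CA.pl/req/ca sequence does, then run
# the two checks that decide whether EAP-TLS ends in unknown_ca:
#   1. does the CA_file radiusd loads verify the client certificate?
#   2. does the PKCS#12 bundle given to the supplicant carry the CA at all?
# File names and the "Other CA" are constructed; "hello" mirrors the thread.
set -eu
WORK=$(mktemp -d)
SUBJ="/C=IN/ST=TamilNadu/O=GDATECH/OU=Software"

mkcerts() {
  cd "$WORK"
  # self-signed CA (what CA.pl -newca produces, minus its directory layout)
  openssl req -x509 -newkey rsa:2048 -nodes -days 730 -keyout cakey.pem \
      -out cacert.pem -subj "$SUBJ/CN=Thin Client" 2>/dev/null
  for n in server client; do
    openssl req -new -newkey rsa:2048 -nodes -keyout ${n}_key.pem \
        -out ${n}_req.pem -subj "$SUBJ/CN=ThinClient-$n" 2>/dev/null
    openssl x509 -req -in ${n}_req.pem -CA cacert.pem -CAkey cakey.pem \
        -CAcreateserial -days 365 -out ${n}_cert.pem 2>/dev/null
  done
  # an unrelated CA stands in for "a CA radiusd was never told about"
  openssl req -x509 -newkey rsa:2048 -nodes -days 730 -keyout otherkey.pem \
      -out other_ca.pem -subj "$SUBJ/CN=Other CA" 2>/dev/null
  # supplicant bundle exactly as exported in the thread (-clcerts, no CA) ...
  openssl pkcs12 -export -in client_cert.pem -inkey client_key.pem \
      -out client-cert.p12 -clcerts -passout pass:hello
  # ... and the same bundle with the issuing CA appended via -certfile
  openssl pkcs12 -export -in client_cert.pem -inkey client_key.pem \
      -certfile cacert.pem -out client-full.p12 -passout pass:hello
}

# check 1: prints "ok" when CA file $1 verifies leaf certificate $2, else "FAIL"
verify_leaf() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo FAIL; fi
}

# check 2: how many CA certificates PKCS#12 bundle $1 carries
p12_ca_count() {
  openssl pkcs12 -in "$1" -cacerts -nokeys -passin pass:hello 2>/dev/null \
      | grep -c 'BEGIN CERTIFICATE' || true
}

mkcerts
echo "client cert vs radiusd CA_file: $(verify_leaf "$WORK/cacert.pem" "$WORK/client_cert.pem")"
echo "client cert vs unrelated CA:    $(verify_leaf "$WORK/other_ca.pem" "$WORK/client_cert.pem")"
echo "CA certs in client-cert.p12:    $(p12_ca_count "$WORK/client-cert.p12")"
echo "CA certs in client-full.p12:    $(p12_ca_count "$WORK/client-full.p12")"
```

A FAIL on the first line is the server-side version of the alert in the log; a 0 on the third line means the supplicant has been handed a bundle with nothing in it to trust the server's certificate chain with.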