On 05/31/2011 03:02 PM, David Mitchell wrote:
>
> On May 31, 2011, at 2:32 PM, Dave Thompson wrote:
>
>>> From: owner-openssl-us...@openssl.org On Behalf Of David Mitchell
>>> Sent: Friday, 27 May, 2011 12:35
>>
>>> I'm having some problems with EAP-TLS in FreeRadius 2.1.10. I have a client
>>> where authentication attempts always fail with the relatively generic
>>> error below. I've tried to figure out what it means with no luck. A search
>>> of the source shows that the error code (ultimately 1042) is defined but
>>> only used in one place, in ssl_err.c assigns the text version of the
>>> error code. <snip> Can anybody point me to where in the code
>>> this error gets generated? Thanks in advance.
>>>
>> ssl3_read_bytes sets error 1000+alertnum for received fatal alerts.
>> alert 42 is "bad certificate" so error 1042 is "alert: bad certificate".
>>
>> The client is saying it doesn't like the cert the server is supplying.
>> Since other clients are working, the (a?) cert is clearly good.
>>
>> See if the client has more-detailed information in a log or something,
>> and/or check client configuration especially the CA cert(s) it trusts.
>> If your server has multiple certs/keys for different algorithms,
>> check if this client is preferring the same algorithms/ciphersuites
>> as the (other) clients that work.
>
> Knowing that it is a client error and not a server error should help point us
> in the right direction. So far the client logs have been mostly worthless.
> That said, we have not been looking at possible trust issues with respect to
> the server certificate being accepted as valid on the client. We will look
> at that next. Thanks for your help.

The client did turn out to be rejecting the server's certificate due to an
unknown CA. Thanks again for your help,

-David Mitchell

>
> -----------------------------------------------------------------
> | David Mitchell (mitch...@ucar.edu)       Network Engineer IV |
> | Tel: (303) 497-1845                      National Center for |
> | FAX: (303) 497-1818                     Atmospheric Research |
> -----------------------------------------------------------------
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
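
Added example, not part of the original thread and not OpenSSL's own code: a small decoder for the rule Dave Thompson describes (reason code = 1000 + alert number for received fatal alerts), useful when triaging server logs to tell peer-sent alerts from local failures. It assumes the OpenSSL 1.0.x-era packed error layout (library in bits 24-31, function in bits 12-23, reason in bits 0-11); the function names and the sample log line are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumption: OpenSSL 1.0.x packing; 3.x packs error codes differently. */
#define SSL_LIB 20           /* ERR_LIB_SSL */
#define ALERT_OFFSET 1000    /* SSL_AD_REASON_OFFSET */

/* Pull the packed hex code out of an "error:XXXXXXXX:..." line; 0 if none. */
unsigned long parse_error_code(const char *line) {
    const char *p = strstr(line, "error:");
    char *end;
    unsigned long code;
    if (p == NULL) return 0;
    p += strlen("error:");
    code = strtoul(p, &end, 16);
    return (end == p || *end != ':') ? 0 : code;
}

/* Alert number the peer sent, or -1 if the code is not a received alert. */
int received_alert(unsigned long code) {
    unsigned long lib = (code >> 24) & 0xff;    /* same as ERR_GET_LIB */
    unsigned long reason = code & 0xfff;        /* same as ERR_GET_REASON */
    if (lib != SSL_LIB) return -1;
    if (reason < ALERT_OFFSET || reason > ALERT_OFFSET + 255) return -1;
    return (int)(reason - ALERT_OFFSET);
}

/* Certificate-related alert descriptions from RFC 5246, section 7.2. */
const char *alert_name(int alert) {
    switch (alert) {
    case 42: return "bad_certificate";
    case 43: return "unsupported_certificate";
    case 44: return "certificate_revoked";
    case 45: return "certificate_expired";
    case 46: return "certificate_unknown";
    case 48: return "unknown_ca";
    default: return "other";
    }
}

int main(void) {
    /* Constructed sample in the ERR_error_string() format. */
    const char *line =
        "error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate";
    unsigned long code = parse_error_code(line);
    int alert = received_alert(code);
    if (alert < 0) { puts("not a peer-sent alert; look at the local side"); return 1; }
    printf("reason %lu: peer sent alert %d (%s); check the peer's trust store\n",
           code & 0xfff, alert, alert_name(alert));
    return 0;
}
```

A reason in the 1000+ range means the remote side sent the alert, so the place to investigate is the peer's configuration and CA trust, as it turned out to be in this thread.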