On 3.6.2020 15.44, Eric W. Bates wrote:
> We use certificates signed by InCommon and over the weekend several
> older intermediate certificates expired; so I updated the chain file.
> Now I'm getting:
> Tue Jun 2 22:21:17 2020 630517: DEBUG: EAP result: 1, EAP TTLS
> Handshake unsuccessful: 2861: 1 - error:14094418:SSL
> routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
> so from "unknown ca" I have to assume I screwed up the chain.
It could also be that the client profile does not trust the new root CA or
it's not present in the client's CA certificate storage.
> Is there a way similar to "openssl s_client" to pull the certificate
> chain from Radiator? I just want to confirm what cert chain is being
> offered.
Wireshark could also work here. If you capture RADIUS with TLS-backed
EAP, such as PEAP, Wireshark can reconstruct the TLS handshake from the capture.
Edit: just noticed that you're looking at rad_eap_test. Please let us
know how it goes.
Thanks,
Heikki
--
Heikki Vatiainen <[email protected]>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.
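An offline way to test the two explanations raised in this thread (a chain file that no longer links the server certificate to its root, or a root the client does not trust), added here as an example and not part of the original messages. It uses `openssl verify`; the function names and the generated certificates are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example; all certificates are throwaway ones generated here
# (constructed sample data) and names like "stale" are hypothetical.

# check_chain TRUSTED_ROOT CHAIN_FILE SERVER_CERT
# Succeeds only if SERVER_CERT builds a path to TRUSTED_ROOT through the
# intermediates in CHAIN_FILE. TRUSTED_ROOT stands in for the client CA store.
check_chain() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# report ...: same arguments as check_chain, prints OK or FAIL.
report() { if check_chain "$@"; then echo OK; else echo FAIL; fi; }

# issue NAME ISSUER KIND: write NAME.key and NAME.pem signed by ISSUER
# (self-signed when ISSUER = NAME). KIND "ca" adds basicConstraints CA:TRUE.
issue() {
    openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -subj "/CN=$1" \
        -out "$1.csr" 2>/dev/null || return 1
    if [ "$1" = "$2" ]; then signer="-signkey $1.key"
    else signer="-CA $2.pem -CAkey $2.key -CAcreateserial"; fi
    if [ "$3" = ca ]; then ext="-extfile ca.ext"; else ext=""; fi
    # $signer and $ext are left unquoted on purpose so they split into options.
    openssl x509 -req -in "$1.csr" $signer $ext -days 2 -out "$1.pem" 2>/dev/null
}

work=$(mktemp -d) || exit 1
cd "$work" || exit 1
trap 'rm -rf "$work"' EXIT
printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext

issue root root ca            # root CA the client trusts
issue newint root ca          # intermediate that issued the server cert
issue stale root ca           # unrelated intermediate: a wrong chain file
issue otherroot otherroot ca  # a root the client does not have installed
issue server newint leaf      # the RADIUS server certificate

echo "chain file has the issuing intermediate: $(report root.pem newint.pem server.pem)"
echo "chain file has the wrong intermediate:   $(report root.pem stale.pem server.pem)"
echo "client trusts a different root:          $(report otherroot.pem newint.pem server.pem)"
```

Against real files, pass `check_chain` the CA bundle the supplicant is configured with, the updated chain file, and the server certificate.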