Thanks for the response and clarity. The upgraded cert itself did not increase in size, but the key increased. We are using " EAPTLS_MaxFragmentSize 1000" in our configurations. The indications that corruption is taking place somewhere along the path will need to be further investigated.
Although it appears that these errors are more indicative of client communication errors and not necessarily server or certificate issues, would it best to move to the latest version of Radiator?? I am sure this is already documentented somewhere, but I will ask in an effort to expediate an assumption, is Radiator multi-threaded or can support multi-threading? Respectfully Michael Hulko -----Original Message----- From: Heikki Vatiainen [mailto:[email protected]] Sent: Friday, September 02, 2011 5:12 AM To: Michael Hulko Cc: [email protected] Subject: Re: [RADIATOR] Unknown SSL errors On 09/02/2011 12:09 AM, Michael Hulko wrote: > We are currently running 2 Radiator servers ver4.5.1. > We have recently upgraded our certs to Thawte 2048 bit. > I have noticed an increase in the number of the these messages: > EAP TLS error: -1, 1, 8576, 9408: 1 - error:1408F10B:SSL > routines:SSL3_GET_RECORD:wrong version number Likely a corrupted packet. This comes from the SSL libraries Radiator uses. The library is telling it did not like SSL version when it did not find TLS1.0 or later but some corrupted values instead. > ERR: EAP PEAP TLS Handshake unsuccessful: 9408: 1 - error:1409442E:SSL > routines:SSL3_READ_BYTES:tlsv1 alert protocol version Alert comes from the client. The client probably received a corrupted packet. > ERR: EAP PEAP TLS read failed: 3888: 1 - error:1408F455:SSL > routines:SSL3_GET_RECORD:decryption failed or bad record Likely caused by a corrupted packet too. The corrupton was detected by TLS layer. > I am unsure of what these are indicative of. Are these client machine errors > or server process errors These look like corrupted messages. Maybe caused by a weak wireless reception where the client is just barely able to transmit and receive. Since you mentioned you had upgraded to a new cert, did the certificate size grow? This would mean there's more to transfer correctly during the authentication. You could also try this: EAPTLS_MaxFragmentSize 1000 This may help with devices that are unable to handle large messages. See the reference manual for more. Thanks! Heikki -- Heikki Vatiainen <[email protected]> Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc. _______________________________________________ radiator mailing list [email protected] http://www.open.com.au/mailman/listinfo/radiator
