EAP-TLS error: RSA_padding_check_PKCS1_type_1:block type is not 01

2012-11-21 Thread Swaraj

> > I'm using FreeRADIUS server 2.1.12 on x86 Fedora 14. My client is using
> > (armel Ubuntu 10.04 lucid) IMX53 board. When I try connecting to RADIUS
> > server I am receiving the following errors.
>
>    The client is broken.  It's not doing SSL correctly.
>
> > Do we require different certificates for ARM boards, as I was able to
> > run without any issues on x86 with same certificates.
>
>    Because it has different software.

May I know, what is that different software?

> > Tue Nov 20 16:48:05 2012 : Error: TLS Alert write:fatal:decrypt error
> > Tue Nov 20 16:48:05 2012 : Error: TLS_accept: failed in SSLv3 read certificate verify B
> > Tue Nov 20 16:48:05 2012 : Error: rlm_eap: SSL error error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01
>
>    You CANNOT fix this by poking FreeRADIUS.
>
> > I created certificates with the following commands:
>
>    This is NOT a certificate issue.  Notice that the error is NOT
> complaining about certificates.
>
>    And why use your own commands to create certs?  The scripts in
> raddb/certs WORK.
>
>    Alan DeKok.

Regards,
Swaraj
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

EAP-TLS error: RSA_padding_check_PKCS1_type_1:block type is not 01

2012-11-20 Thread Swaraj


Hi All,

I'm using FreeRADIUS server 2.1.12 on x86 Fedora 14. My client is using
(armel Ubuntu 10.04 lucid) IMX53 board. When I try connecting to RADIUS
server I am receiving the following errors.
Do we require different certificates for ARM boards, as I was able to
run without any issues on x86 with same certificates.


openssl version is 0.98g (on arm board)
openssl version is 1.0.0a-fips (on x86 free radius server 2.1.12)


ERROR:

rad_recv: Access-Request packet from host 10.0.0.70 port 2050, id=8, length=166
User-Name = testuser
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Called-Station-Id = 68-7F-74-64-0A-AA:linksys
Calling-Station-Id = 00-23-A7-3B-29-2C
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 0Mbps 802.11
EAP-Message = 0x020300060d00
State = 0xba89e950b88ae454eff4b9964b6ca194
Message-Authenticator = 0x3f69e77da835e1450b33224899e816b2
Tue Nov 20 16:48:05 2012 : Info: # Executing section authorize from file /usr/local/etc/raddb/radiusd.conf
Tue Nov 20 16:48:05 2012 : Info: +- entering group authorize {...}
Tue Nov 20 16:48:05 2012 : Info: ++[preprocess] returns ok
Tue Nov 20 16:48:05 2012 : Info: ++[chap] returns noop
Tue Nov 20 16:48:05 2012 : Info: ++[mschap] returns noop
Tue Nov 20 16:48:05 2012 : Info: [suffix] No '@' in User-Name = testuser, looking up realm NULL
Tue Nov 20 16:48:05 2012 : Info: [suffix] No such realm NULL
Tue Nov 20 16:48:05 2012 : Info: ++[suffix] returns noop
Tue Nov 20 16:48:05 2012 : Info: [eap] EAP packet type response id 3 length 6
Tue Nov 20 16:48:05 2012 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation
Tue Nov 20 16:48:05 2012 : Info: ++[eap] returns updated
Tue Nov 20 16:48:05 2012 : Info: [files] users: Matched entry testuser at line 131
Tue Nov 20 16:48:05 2012 : Info: ++[files] returns ok
Tue Nov 20 16:48:05 2012 : Info: Found Auth-Type = EAP
Tue Nov 20 16:48:05 2012 : Info: # Executing group from file /usr/local/etc/raddb/radiusd.conf
Tue Nov 20 16:48:05 2012 : Info: +- entering group authenticate {...}
Tue Nov 20 16:48:05 2012 : Info: [eap] Request found, released from the list
Tue Nov 20 16:48:05 2012 : Info: [eap] EAP/tls
Tue Nov 20 16:48:05 2012 : Info: [eap] processing type tls
Tue Nov 20 16:48:05 2012 : Info: [tls] Authenticate
Tue Nov 20 16:48:05 2012 : Info: [tls] processing EAP-TLS
Tue Nov 20 16:48:05 2012 : Info: [tls] Received TLS ACK
Tue Nov 20 16:48:05 2012 : Info: [tls] ACK handshake fragment handler
Tue Nov 20 16:48:05 2012 : Info: [tls] eaptls_verify returned 1
Tue Nov 20 16:48:05 2012 : Info: [tls] eaptls_process returned 13
Tue Nov 20 16:48:05 2012 : Info: ++[eap] returns handled
Sending Access-Challenge of id 8 to 10.0.0.70 port 2050
Message-Authenticator = 0x
State = 0xba89e950b98de454eff4b9964b6ca194
Tue Nov 20 16:48:05 2012 : Info: Finished request 8.
Tue Nov 20 16:48:05 2012 : Debug: Going to the next request
Tue Nov 20 16:48:05 2012 : Debug: Waking up in 0.5 seconds.
rad_recv: Access-Request packet from host 10.0.0.70 port 2050, id=9, length=1287
User-Name = testuser
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Called-Station-Id = 68-7F-74-64-0A-AA:linksys
Calling-Station-Id = 00-23-A7-3B-29-2C
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 0Mbps 802.11
EAP-Message = 

Re: EAP-TLS error: RSA_padding_check_PKCS1_type_1:block type is not 01

2012-11-20 Thread Alan DeKok

Swaraj wrote:
> I'm using FreeRADIUS server 2.1.12 on x86 Fedora 14. My client is using
> (armel Ubuntu 10.04 lucid) IMX53 board. When I try connecting to RADIUS
> server I am receiving the following errors.

  The client is broken.  It's not doing SSL correctly.

> Do we require different certificates for ARM boards, as I was able to
> run without any issues on x86 with same certificates.

  Because it has different software.

> Tue Nov 20 16:48:05 2012 : Error: TLS Alert write:fatal:decrypt error
> Tue Nov 20 16:48:05 2012 : Error: TLS_accept: failed in SSLv3 read certificate verify B
> Tue Nov 20 16:48:05 2012 : Error: rlm_eap: SSL error error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01

  You CANNOT fix this by poking FreeRADIUS.

> I created certificates with the following commands:

  This is NOT a certificate issue.  Notice that the error is NOT
complaining about certificates.

  And why use your own commands to create certs?  The scripts in
raddb/certs WORK.

  Alan DeKok.


Re: EAP-TLS error: RSA_padding_check_PKCS1_type_1:block type is not 01

2012-11-20 Thread Phil Mayers

On 20/11/12 13:26, Alan DeKok wrote:
> Swaraj wrote:
> > I'm using FreeRADIUS server 2.1.12 on x86 Fedora 14. My client is using
> > (armel Ubuntu 10.04 lucid) IMX53 board. When I try connecting to RADIUS
> > server I am receiving the following errors.
>
>    The client is broken.  It's not doing SSL correctly.

Oops yes ignore my email; I thought the *server* was running on the IMX.


Re: EAP-TLS error: RSA_padding_check_PKCS1_type_1:block type is not 01

2012-11-20 Thread Phil Mayers

On 20/11/12 12:38, Swaraj wrote:

> Tue Nov 20 16:48:05 2012 : Error: rlm_eap: SSL error error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01

That's very odd. It looks like a problem with OpenSSL - maybe
endian-ness or something?

> I created certificates with the following commands:

Did you create them *on* the ARM device? Can you verify them with
openssl verify *on* the ARM device?

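Added example (not part of the original thread, and not FreeRADIUS or OpenSSL code): a toy Python model of the check behind the error quoted in the thread. At the "read certificate verify" step the server applies the public key from the client certificate to the client's signature and expects a block that starts 00 01. The keys, names and handshake bytes below are constructed, and the digest encoding is simplified.

```python
import hashlib

# Constructed toy keys built from known Mersenne primes; far too weak for real use.
def make_key(p, q, e=65537):
    n = p * q
    return {"n": n, "e": e, "d": pow(e, -1, (p - 1) * (q - 1)),
            "k": (n.bit_length() + 7) // 8}

CERT_KEY = make_key(2**89 - 1, 2**607 - 1)    # pair whose public half is in the client cert
OTHER_KEY = make_key(2**127 - 1, 2**521 - 1)  # unrelated pair (sizes differ only by toy primes)

def digest(msg):
    return hashlib.sha256(msg).digest()       # simplified: no DigestInfo wrapper

def sign(key, msg, block_type=1):
    """Private-key operation over 00 || BT || FF..FF || 00 || digest."""
    d = digest(msg)
    eb = bytes([0, block_type]) + b"\xff" * (key["k"] - 3 - len(d)) + b"\x00" + d
    return pow(int.from_bytes(eb, "big"), key["d"], key["n"])

def verify(pub, msg, sig):
    """Public-key operation followed by the type 1 padding checks."""
    if sig >= pub["n"]:
        return "data too large for modulus"
    eb = pow(sig, pub["e"], pub["n"]).to_bytes(pub["k"], "big")
    if eb[0] != 0 or eb[1] != 1:
        return "block type is not 01"
    sep = eb.find(b"\x00", 2)                 # end of the FF padding run
    if sep < 10 or eb[2:sep] != b"\xff" * (sep - 2):
        return "bad padding"
    return "ok" if eb[sep + 1:] == digest(msg) else "bad signature"

HANDSHAKE = b"constructed handshake transcript"

def demo():
    return {
        # Client signs with the private key that matches its certificate.
        "matching key": verify(CERT_KEY, HANDSHAKE, sign(CERT_KEY, HANDSHAKE)),
        # Client builds the block with the wrong type byte before signing.
        "wrong block type": verify(CERT_KEY, HANDSHAKE, sign(CERT_KEY, HANDSHAKE, 2)),
        # Signature made with a key the certificate does not contain: the
        # public-key operation yields noise, so the 00 01 prefix is missing.
        "different private key": verify(CERT_KEY, HANDSHAKE, sign(OTHER_KEY, HANDSHAKE)),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

A signature that the certificate's public key cannot unpad is rejected at this step whether or not the certificate chain itself validates.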