Rafiqul Ahsan wrote:
I see an error like below when trying to use EAP-TLS/TTLS
authentication with certs that have Signature Algorithm:
sha256WithRSAEncryption. Can anybody tell me why SSL does not like
the TLS session?
I would appreciate your help. Here is the radiusd -X log:
++[suffix] returns noop
rlm_eap: EAP packet type response id 142 length 13
rlm_eap: Continuing tunnel setup.
++[eap] returns ok
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/ttls
rlm_eap: processing type ttls
rlm_eap_ttls: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal decrypt_error
TLS Alert read:fatal:decrypt error
TLS_accept:failed in SSLv3 read client certificate A
rlm_eap: SSL error error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1 alert decrypt error
rlm_eap_tls: SSL_read failed inside of TLS (-1), TLS session fails.
eaptls_process returned 13
rlm_eap: Freeing handler
++[eap] returns reject
auth: Failed to validate the user.
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> anonymous_identity
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 142 to 10.19.198.231 port 19801
Hi,
recently I tried to use certs with SHA-2 sign and got the same error.
Probably freeradius doesn't support (also) this size of sign. You can ask
about this on the freeradius mailing list. Try to put a cert with SHA-1
algorithm and you will see it working.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]