Rafiqul Ahsan wrote:
Found a previous posting like this where Alan DeKok answered that
FreeRADIUS uses SSL from OpenSSL, and if SSL supports any advanced
algorithm FreeRADIUS should support it (I actually added a patch to
FreeRADIUS to make sure this supports all digests). I am currently
trying to find out whether I have linked the right OpenSSL libraries
when building FreeRADIUS. I am unable to find out whether
FreeRADIUS is being built with the Solaris prebuilt OpenSSL version 0.9.7d
at /usr/sfw, or my newly installed OpenSSL version 0.9.8h at
/usr/local (with library /usr/local/ssl/lib). I do however have a few
questions, and I would appreciate your reply:

1. How to create CAcert.pem (root certs), server.pem (device certs),
and server_pvt_key.pem (private key file) for the server, and the same for
the client, to test TTLS and TLS? They could be self-signed.
2. Also, how to create certs using different algorithms (sha1, sha2,
sha256 etc.)?

I need to create certs to test EAP-TLS/TTLS using WiMAX AP.

Thanks, and appreciate your help.

On 8/12/08, Sergio <[EMAIL PROTECTED]> wrote:
Rafiqul Ahsan wrote:

I see an error like below when trying to use EAP-TLS/TTLS
authentication with certs that have Signature Algorithm:
sha256WithRSAEncryption. Can anybody tell me why SSL does not like
the TLS session?

I would appreciate your help. Here is the radiusd -X log:

++[suffix] returns noop
 rlm_eap: EAP packet type response id 142 length 13
 rlm_eap: Continuing tunnel setup.
++[eap] returns ok
 rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
 rlm_eap: Request found, released from the list
 rlm_eap: EAP/ttls
 rlm_eap: processing type ttls
 rlm_eap_ttls: Authenticate
 rlm_eap_tls: processing TLS
 eaptls_verify returned 7
 rlm_eap_tls: Done initial handshake
 rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal decrypt_error
TLS Alert read:fatal:decrypt error
   TLS_accept:failed in SSLv3 read client certificate A
rlm_eap: SSL error error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1 alert decrypt error
rlm_eap_tls: SSL_read failed inside of TLS (-1), TLS session fails.
 eaptls_process returned 13
 rlm_eap: Freeing handler
++[eap] returns reject
auth: Failed to validate the user.
 Found Post-Auth-Type Reject
+- entering group REJECT
       expand: %{User-Name} -> anonymous_identity
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 142 to 10.19.198.231 port 19801



Hi,
recently I tried to use certs with a SHA-2 signature and got the same error.
Probably FreeRADIUS doesn't support this size of signature (either). You can ask
about this on the FreeRADIUS mailing list. Try to put in a cert with the SHA-1
algorithm and you will see it working.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]


I'm not an expert, but not all SSL functions are used by FreeRADIUS, for example the OCSP functions. You can look at raddb/certs/Makefile and raddb/certs/README to follow the commands that create the test certificates. Surely with other openssl options you can use several algorithms, but there is one important point about the test certs that FreeRADIUS generates: client certificates are signed by the server private key, so you should put the correct permissions into your openssl configuration for server cert creation, or sign the client cert with the CA private key. I took the second option because it's clearer to me, and because the functionality is EXACTLY the same. On the other side, I don't know anything about WiMAX, but I suppose the credentials are the same. Hope this helps.
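The certificate set asked about above (CAcert.pem, server.pem, server_pvt_key.pem, plus a client cert signed with the CA key rather than the server key, with the signature digest chosen per run), as an added example using the openssl command line. It is not part of this thread and not the raddb/certs Makefile; the output directory, subject names, file names other than the three from the question, and the extendedKeyUsage values are my own assumptions. The sig_alg helper reads back the same "Signature Algorithm" value that the radiusd log above shows the server choking on, so a test set can be checked before it is loaded into FreeRADIUS.

```shell
#!/bin/sh
# Added example, not from this thread or from raddb/certs/Makefile:
# build a throw-away CA, server and client certificate set for EAP-TLS/TTLS
# tests and pick the signature digest per run (sha256, sha512, or sha1 on
# OpenSSL builds that still permit it). File names follow the question
# above; subjects, EKU values and the output directory are assumptions.
set -eu

# make_test_pki DIR DIGEST
#   DIR    : output directory (created if missing)
#   DIGEST : openssl digest name used for every signature, e.g. sha256
make_test_pki() {
    dir=$1
    digest=$2
    mkdir -p "$dir"

    # 1. Self-signed root CA: CAcert.pem is what the AP/supplicant trusts,
    #    CA_pvt_key.pem stays on the signing host only.
    openssl req -x509 -newkey rsa:2048 -nodes -"$digest" -days 365 \
        -subj "/CN=Test EAP Root CA" \
        -keyout "$dir/CA_pvt_key.pem" -out "$dir/CAcert.pem" 2>/dev/null

    # 2. Server key + CSR, then sign the CSR with the CA key -> server.pem.
    #    serverAuth EKU is what most supplicants check on the RADIUS server cert.
    openssl req -new -newkey rsa:2048 -nodes -"$digest" \
        -subj "/CN=radius.example.test" \
        -keyout "$dir/server_pvt_key.pem" -out "$dir/server.csr" 2>/dev/null
    printf 'extendedKeyUsage = serverAuth\n' > "$dir/server.ext"
    openssl x509 -req -"$digest" -days 365 -CAcreateserial \
        -CA "$dir/CAcert.pem" -CAkey "$dir/CA_pvt_key.pem" \
        -extfile "$dir/server.ext" \
        -in "$dir/server.csr" -out "$dir/server.pem" 2>/dev/null

    # 3. Client (supplicant) cert, signed by the CA key rather than the
    #    server key, so it verifies against CAcert.pem alone.
    openssl req -new -newkey rsa:2048 -nodes -"$digest" \
        -subj "/CN=eap-test-user" \
        -keyout "$dir/client_pvt_key.pem" -out "$dir/client.csr" 2>/dev/null
    printf 'extendedKeyUsage = clientAuth\n' > "$dir/client.ext"
    openssl x509 -req -"$digest" -days 365 -CAcreateserial \
        -CA "$dir/CAcert.pem" -CAkey "$dir/CA_pvt_key.pem" \
        -extfile "$dir/client.ext" \
        -in "$dir/client.csr" -out "$dir/client.pem" 2>/dev/null
}

# sig_alg CERT : print the signature algorithm recorded in a PEM cert,
# e.g. sha256WithRSAEncryption (the value the radiusd log above reports).
sig_alg() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# verify_chain DIR : confirm server.pem and client.pem chain to CAcert.pem,
# the same check a TLS peer performs before the handshake can complete.
verify_chain() {
    openssl verify -CAfile "$1/CAcert.pem" "$1/server.pem" "$1/client.pem"
}

# Stand-alone demo: one SHA-256 set; rerun with sha512 (or sha1) to compare.
out=$(mktemp -d)
make_test_pki "$out" sha256
echo "server : $(sig_alg "$out/server.pem")"
echo "client : $(sig_alg "$out/client.pem")"
verify_chain "$out"
rm -rf "$out"
```

Point the FreeRADIUS eap section at server.pem, server_pvt_key.pem and CAcert.pem, and hand client.pem, client_pvt_key.pem and CAcert.pem to the supplicant. Running the script twice with sha1 and sha256 gives two sets that differ only in the signature digest, which isolates the digest as the variable when a handshake ends in the decrypt_error alert shown in the log.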
