Thanks, I will try to figure out as you suggested.
Rafi

On 8/13/08, Sergio <[EMAIL PROTECTED]> wrote:
> Rafiqul Ahsan wrote:
> >
> > Found previous postings like this where Alan DeKok answered that
> > FreeRadius uses SSL from openssl, and if SSL supports any advanced
> > algorithm FreeRadius should support it (I actually added a patch to
> > FreeRadius to make sure this supports all digests). I am currently
> > trying to find out whether I have linked the right openssl libraries
> > when building FreeRadius. I am unable to find out whether
> > FreeRadius is being built with the Solaris prebuilt openssl version 0.9.7d
> > at /usr/sfw, or my newly installed openssl version 0.9.8h at
> > /usr/local (with library /usr/local/ssl/lib). I have, however, a few
> > questions, and I would appreciate your reply:
> >
> > 1. How to create CAcert.pem (root certs), server.pem (device certs),
> > and server_pvt_key.pem (private key file) for the server, and the same for
> > the client to test TTLS and TLS. They could be self-signed.
> > 2. Also, how to create certs using different algorithms (sha1, sha2,
> > sha256 etc.)?
> >
> > I need to create certs to test EAP-TLS/TTLS using a WiMAX AP.
> >
> > Thanks, and appreciate your help.
> >
> > On 8/12/08, Sergio <[EMAIL PROTECTED]> wrote:
> > > Rafiqul Ahsan wrote:
> > > >
> > > > I see an error like below when trying to use EAP-TLS/TTLS
> > > > authentication with certs that have Signature Algorithm:
> > > > sha256WithRSAEncryption. Can anybody tell me why SSL does not like
> > > > the TLS session?
> > > >
> > > > I would appreciate your help. Here is the radiusd -X log:
> > > >
> > > > ++[suffix] returns noop
> > > > rlm_eap: EAP packet type response id 142 length 13
> > > > rlm_eap: Continuing tunnel setup.
> > > > ++[eap] returns ok
> > > > rad_check_password: Found Auth-Type EAP
> > > > auth: type "EAP"
> > > > +- entering group authenticate
> > > > rlm_eap: Request found, released from the list
> > > > rlm_eap: EAP/ttls
> > > > rlm_eap: processing type ttls
> > > > rlm_eap_ttls: Authenticate
> > > > rlm_eap_tls: processing TLS
> > > > eaptls_verify returned 7
> > > > rlm_eap_tls: Done initial handshake
> > > > rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal decrypt_error
> > > > TLS Alert read:fatal:decrypt error
> > > > TLS_accept:failed in SSLv3 read client certificate A
> > > > rlm_eap: SSL error error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1 alert decrypt error
> > > > rlm_eap_tls: SSL_read failed inside of TLS (-1), TLS session fails.
> > > > eaptls_process returned 13
> > > > rlm_eap: Freeing handler
> > > > ++[eap] returns reject
> > > > auth: Failed to validate the user.
> > > > Found Post-Auth-Type Reject
> > > > +- entering group REJECT
> > > > expand: %{User-Name} -> anonymous_identity
> > > > attr_filter: Matched entry DEFAULT at line 11
> > > > ++[attr_filter.access_reject] returns updated
> > > > Sending Access-Reject of id 142 to 10.19.198.231 port 19801
> > >
> > > Hi,
> > > recently I tried to use certs with a SHA-2 signature and got the same error.
> > > Probably freeradius doesn't support (also) this size of signature. You can ask
> > > about this on the freeradius mailing list. Try to put a cert with the SHA-1
> > > algorithm and you will see it working.
> > >
> > > ______________________________________________________________________
> > > OpenSSL Project http://www.openssl.org
> > > User Support Mailing List openssl-users@openssl.org
> > > Automated List Manager [EMAIL PROTECTED]
> >
>
> I'm not an expert but, not all SSL functions are used by freeradius, for
> example OCSP functions. You can see raddb/certs/Makefile and
> raddb/certs/README to follow the commands which create the test certificates.
> Surely with other openssl options you can use several algorithms but
> there is one important point with the test certs that freeradius generates.
> Client certificates are signed by the server private key, so you should put the
> correct permissions into your openssl configuration for server cert
> creation, or sign the client cert with the CA private key. I took the second
> decision because it's clearer for me, and because the functionality is
> EXACTLY the same. On the other side, I don't know anything about WiMAX, but
> I suppose that the credentials are the same. Hope this helps.
>

--
Rafiqul Ahsan
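Added example for the two questions in the thread (how to create the CA, server and client PEM files, and how to choose the signature digest). This is not FreeRADIUS's own raddb/certs/Makefile and not a command from Sergio or Rafi; it is a POSIX shell script written for this page that follows Sergio's second option, signing both leaf certificates with the CA private key. It assumes only the openssl command-line tool; the file names (ca.pem, server.pem, client.pem, *_key.pem), the CNs, and the ext.cnf sections are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the thread, not FreeRADIUS's Makefile): build a
# throwaway root CA, a server cert and a client cert, choosing the signature
# digest explicitly, then read back which digest each cert was really signed
# with. Both leaf certs are signed with the CA key, never with the server key.
set -eu

# make_test_certs DIR DIGEST
#   DIR    output directory (created if missing)
#   DIGEST openssl digest name used for every signature, e.g. sha256 or sha512
make_test_certs() {
    dir=$1
    digest=$2
    mkdir -p "$dir"

    # Extended key usage per leaf. The thread does not discuss this; it is
    # added here because EAP supplicants commonly check serverAuth/clientAuth.
    cat > "$dir/ext.cnf" <<'EOF'
[server]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
[client]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF

    # 1. Self-signed root CA: the "CAcert.pem" of the question.
    openssl req -x509 -newkey rsa:2048 -nodes -"$digest" -days 365 \
        -subj "/CN=Example Test CA" \
        -keyout "$dir/ca_key.pem" -out "$dir/ca.pem" 2>/dev/null

    # 2. Server and client: fresh key + CSR, then sign the CSR with the CA key.
    #    The -$digest given to "x509 -req" decides the signature algorithm
    #    (sha256 -> sha256WithRSAEncryption) recorded in the issued cert.
    for role in server client; do
        openssl req -new -newkey rsa:2048 -nodes -"$digest" \
            -subj "/CN=$role.example.test" \
            -keyout "$dir/${role}_key.pem" -out "$dir/$role.csr" 2>/dev/null
        openssl x509 -req -"$digest" -days 365 -in "$dir/$role.csr" \
            -CA "$dir/ca.pem" -CAkey "$dir/ca_key.pem" -CAcreateserial \
            -extfile "$dir/ext.cnf" -extensions "$role" \
            -out "$dir/$role.pem" 2>/dev/null
    done
}

# cert_sig_alg CERT: print the signature algorithm recorded in CERT, the same
# "Signature Algorithm:" value that "openssl x509 -text" shows and that the
# radiusd log above complained about (e.g. sha256WithRSAEncryption).
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# verify_chain CA CERT: print OK if CERT chains to CA, otherwise FAIL.
verify_chain() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# Usage: sh mkcerts.sh /tmp/eapcerts sha256
if [ $# -ge 2 ]; then
    make_test_certs "$1" "$2"
    for f in ca server client; do
        printf '%-12s %-28s chain=%s\n' "$f.pem" "$(cert_sig_alg "$1/$f.pem")" \
            "$(verify_chain "$1/ca.pem" "$1/$f.pem")"
    done
fi
```

Run it once with sha256 and once with sha1 to see the recorded algorithm change; the SHA-1 variant only reproduces the situation in the thread and should not be deployed, since modern TLS stacks reject SHA-1 certificate signatures in the handshake. Point the server at ca.pem, server.pem and server_key.pem and the supplicant at ca.pem, client.pem and client_key.pem.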