On May 31, 2011, at 2:32 PM, Dave Thompson wrote:

>> From: owner-openssl-us...@openssl.org On Behalf Of David Mitchell
>> Sent: Friday, 27 May, 2011 12:35
>
>> I'm having some problems with EAP-TLS in FreeRadius 2.1.10. I have a client
>> where authentication attempts always fail with the relatively generic
>> error below. I've tried to figure out what it means with no luck. A search
>> of the source shows that the error code (ultimately 1042) is defined but
>> only used in one place, in ssl_err.c, which assigns the text version of the
>> error code. <snip> Can anybody point me to where in the code
>> this error gets generated? Thanks in advance.
>>
> ssl3_read_bytes sets error 1000+alertnum for received fatal alerts.
> alert 42 is "bad certificate" so error 1042 is "alert: bad certificate".
>
> The client is saying it doesn't like the cert the server is supplying.
> Since other clients are working, the (a?) cert is clearly good.
>
> See if the client has more-detailed information in a log or something,
> and/or check client configuration especially the CA cert(s) it trusts.
> If your server has multiple certs/keys for different algorithms,
> check if this client is preferring the same algorithms/ciphersuites
> as the (other) clients that work.

Knowing that it is a client error and not a server error should help point us in the right direction. So far the client logs have been mostly worthless. That said, we have not been looking at possible trust issues with respect to the server certificate being accepted as valid on the client. We will look at that next.

Thanks for your help.

-----------------------------------------------------------------
| David Mitchell (mitch...@ucar.edu)       Network Engineer IV  |
| Tel:  (303) 497-1845                     National Center for  |
| FAX:  (303) 497-1818                     Atmospheric Research |
-----------------------------------------------------------------
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
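
The rule from the quoted reply (reason code = 1000 + alert number for a received fatal alert), as an added example that is not part of the original thread or of OpenSSL or FreeRADIUS: it unpacks the hex error code from a server log line and reports whether the failure was raised locally or signalled by the peer. It assumes the packed error layout used by OpenSSL releases before 3.0; the function names and the sample log lines are constructed for illustration.

```python
import re

ERR_LIB_SSL = 20            # library number behind "SSL routines"
ALERT_REASON_OFFSET = 1000  # SSL_AD_REASON_OFFSET in OpenSSL's ssl.h

# Certificate-related subset of TLS alert descriptions (RFC 5246, section 7.2).
TLS_ALERTS = {
    40: "handshake_failure", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca",
}

def unpack_error(code):
    """Split a packed error code into (lib, func, reason).
    Assumes the pre-3.0 layout: 8-bit lib, 12-bit func, 12-bit reason."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def classify(line):
    """Describe the OpenSSL error found in a log line, or return None."""
    m = re.search(r"error:([0-9A-Fa-f]{8}):", line)
    if m is None:
        return None
    lib, _func, reason = unpack_error(int(m.group(1), 16))
    alert = reason - ALERT_REASON_OFFSET
    if lib == ERR_LIB_SSL and alert >= 0:
        # The peer sent this fatal alert, so the detail lives in the peer's
        # logs and configuration (for 42-48: its trust store and cert checks).
        return {"reason": reason, "origin": "peer", "alert": alert,
                "name": TLS_ALERTS.get(alert, "unlisted")}
    # Reasons below the offset were raised by the local OpenSSL stack.
    return {"reason": reason, "origin": "local", "alert": None, "name": None}

# Constructed sample log lines (not taken from the thread).
SAMPLE_LOG = [
    "TLS Alert read:fatal:bad certificate",
    "error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate",
    "error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca",
    "error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(classify(entry), "<-", entry)
```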