I'm using the default config with the following changes in eap.conf:

default_eap_type = tls

and

the tls section, except for check_crl and check_cert_cn, out-commented.
So I'm using the test certificates.

EAP-Type: TLS
FreeRADIUS version 1.0.0
Verified with Windows 2000/XP 802.1x Authentication Client

Generate a random certificate by hand with another CA and be sure that the certificate 
size is bigger than the size of one fragment (see eap.conf or in debugging mode the 
MTU from the switch or AP).

The following will happen:

rad_recv: Access-Request
rlm_eap_tls: Requiring client certificate
Sending Access-Challenge
rad_recv: Access-Request
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
    (other): before/accept initialization
    TLS_accept: before/accept initialization
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello
    TLS_accept: SSLv3 read client hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
    TLS_accept: SSLv3 write server hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0694], Certificate
    TLS_accept: SSLv3 write certificate A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 00b1], CertificateRequest
    TLS_accept: SSLv3 write certificate request A
    TLS_accept: SSLv3 flush data
    TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
  eaptls_process returned 13
Sending Access-Challenge
rad_recv: Access-Request
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
rad_recv: Access-Request
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  eaptls_verify returned 3
  eaptls_process returned 3
Sending Access-Accept

This is indeed a cut debug log, because the log was filled with some private 
information.


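A check a defender could run over the full debug output to spot the behaviour reported above, given as an added example that is not part of the original post or of FreeRADIUS: it flags any Access-Accept sent for a conversation that required a client certificate but never logged an inbound Certificate and Finished handshake message. It assumes those inbound messages are logged in the same `<<< TLS 1.0 Handshake [...]` format as the ClientHello line in the post; the names `audit_eap_tls`, `POST_LOG` and `GOOD_LOG` are made up here, and on a log that was cut by hand a missing line may simply have been removed.

```python
import re

# Inbound ("<<<") handshake records, in the format of the debug log in the post.
INBOUND = re.compile(r"rlm_eap_tls: <<< TLS 1\.0 Handshake \[length [0-9a-f]+\], (\w+)")
# Assumption: a client that proved possession of its certificate logs both of these.
REQUIRED = {"Certificate", "Finished"}

def audit_eap_tls(log_text):
    """Flag every Access-Accept whose conversation required a client certificate
    but logged no inbound Certificate and Finished handshake messages."""
    findings, inbound, start = [], None, None
    for lineno, line in enumerate(log_text.splitlines(), 1):
        line = line.strip()
        if "Requiring client certificate" in line:
            inbound, start = set(), lineno      # a new conversation begins
        elif inbound is None:
            continue                            # not inside a conversation
        elif (m := INBOUND.search(line)):
            inbound.add(m.group(1))             # outbound ">>>" records never match
        elif line.startswith("Sending Access-Accept"):
            missing = sorted(REQUIRED - inbound)
            if missing:
                findings.append({"start": start, "accept": lineno, "missing": missing})
            inbound = None
        elif line.startswith("Sending Access-Reject"):
            inbound = None
    return findings

# Excerpt of lines taken from the post (the poster's log was already cut).
POST_LOG = """\
rlm_eap_tls: Requiring client certificate
Sending Access-Challenge
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0694], Certificate
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 00b1], CertificateRequest
    TLS_accept:error in SSLv3 read client certificate A
rlm_eap_tls: Received EAP-TLS ACK message
Sending Access-Accept
"""
# Constructed sample of a complete handshake; the lengths are made up.
GOOD_LOG = """\
rlm_eap_tls: Requiring client certificate
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0500], Certificate
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0106], CertificateVerify
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
Sending Access-Accept
"""

if __name__ == "__main__":
    print(audit_eap_tls(POST_LOG), audit_eap_tls(GOOD_LOG))
```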