Sergio wrote:
Hi,
continuing with Reveal MAP's problem with unknown CAs under EAP-TLS,
using the default configuration....

private_key_file = ${certdir}/server.pem
certificate_file = ${certdir}/server.pem
CA_file = ${cadir}/ca.pem

FreeRADIUS tells me this:

rlm_eap_tls: <<< TLS 1.0 Handshake [length 0bdb], Certificate
--> verify error:num=24:invalid CA certificate
  rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert write:fatal:unknown CA

well, it isn't a problem:

cp server.pem root.pem
cat ca.pem >> root.pem
then I change CA_file = ${cadir}/root.pem

......and.....eureka!!!! authentication successful ....but

now there is a problem checking the CRL because of root.pem, so something
is wrong before making root.pem.

....well, just tell freeradius how to find certificates....

c_rehash /usr/local/etc/raddb/certs also doesn't work.
I think Reveal had the same problem, and I have read about this on the
mailing list but found nothing.

Also I've tried to install ca.pem in /etc/ssl/certs using "ln -s". Has
somebody encountered problems with this apart from Reveal MAP and me?

P.S. route certification in Windows isn't a problem; you only have to tell
xp_supplicant who the root authority is (it was logical)

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Also me, sergio

restarting:

private_key_file = ${certdir}/server.pem
certificate_file = ${certdir}/server.pem
CA_file = ${cadir}/ca.pem

portatil:/usr/local/etc/raddb/certs# ln -s server.pem $(openssl x509 -hash -noout -in server.pem).0
portatil:/usr/local/etc/raddb/certs# ln -s ca.pem $(openssl x509 -hash -noout -in ca.pem).0


portatil:/usr/local/etc/raddb/certs# ls -l|grep lrw
lrwxrwxrwx 1 root    root       6 2008-07-23 02:47 16593b28.0 -> ca.pem
lrwxrwxrwx 1 root    root      10 2008-07-23 02:49 7d18a7eb.0 -> server.pem

portatil:/usr/local/etc/raddb/certs# openssl verify -CApath . server.pem
server.pem: OK

portatil:/usr/local/etc/raddb/certs# openssl verify -CApath . client.crt
client.crt: OK

and then, the user is rejected. The other configuration files are OK,
as is wpa_supplicant. Look at this, Reveal, be brave, hehehe.
Am I forgetting something?
I have two other EAP modules working OK with a different authority than
the server's and I'm really intrigued by this. Anybody want to join in? hehe

regards :)
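
Added example, not part of the original thread: OpenSSL reports "invalid CA certificate" (the text in the log of the first message) when a certificate used as an issuer is not marked CA:TRUE in basicConstraints. The script below builds two throwaway issuers, creates the hashed symlinks the same way as in the second message, and shows that a successful hash lookup does not make a certificate acceptable as a CA. It assumes the openssl command-line tool is on PATH; every file name and subject is constructed for the demo.

```shell
#!/bin/sh
# Added example. Every name, subject and path here is constructed for the demo.

# make_pki DIR FLAG: self-signed issuer with basicConstraints CA:FLAG, a leaf
# signed by it, and the <subject-hash>.0 symlink that -CApath lookups need.
make_pki() {
    dir=$1; flag=$2
    mkdir -p "$dir" || return 1
    cat > "$dir/demo.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = Demo Issuer $flag
[v3]
basicConstraints = critical,CA:$flag
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/demo.cnf" \
        -keyout "$dir/issuer.key" -out "$dir/issuer.pem" 2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/demo.cnf" \
        -subj "/CN=demo-client" -keyout "$dir/leaf.key" -out "$dir/leaf.csr" \
        2>/dev/null || return 1
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/issuer.pem" \
        -CAkey "$dir/issuer.key" -CAcreateserial -days 1 \
        -out "$dir/leaf.pem" 2>/dev/null || return 1
    ln -sf issuer.pem "$dir/$(openssl x509 -hash -noout -in "$dir/issuer.pem").0"
}

# verify_leaf DIR: OpenSSL's verdict for DIR/leaf.pem against the hashed directory.
verify_leaf() {
    openssl verify -CApath "$1" "$1/leaf.pem" 2>&1
}

# is_ca FILE: succeeds only when FILE carries basicConstraints CA:TRUE.
is_ca() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE'
}

work=$(mktemp -d)
make_pki "$work/good" TRUE
make_pki "$work/bad" FALSE
for d in good bad; do
    if is_ca "$work/$d/issuer.pem"; then echo "$d issuer: CA:TRUE"
    else echo "$d issuer: not marked as a CA"; fi
    verify_leaf "$work/$d" || true
done
```

Running is_ca over each certificate placed in CA_file or the hashed directory shows which entries OpenSSL will accept as issuers.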

