Hi, I am a newbie to FreeRADIUS and I am having a real hard time implementing EAP-TLS using a self-signed certificate.
My certificates seem valid:

Server certificate

    [root@localhost CA]# openssl verify -CAfile /etc/pki/CA/cacert.pem xplab.pem
    xplab.pem: OK

Client certificate

    [root@localhost CA]# openssl verify -CAfile /etc/pki/CA/cacert.pem bob.pem
    bob.pem: OK

When I run

    [root@localhost CA]# eapol_test -c /opt/EAP-RADIUS/eap-tls.conf -s testing123

I have the following results:

    EAPOL: Successfully fetched key (len=32)
    PMK from EAPOL - hexdump(len=32): cf cd 8c f0 17 49 11 13 d6 7d fe cb b1 65 00 1d 85 c2 ef a5 33 35 78 00 b8 a1 0a 9d 02 4b 06 45
    EAP: deinitialize previously used EAP method (13, TLS) at EAP deinit
    ENGINE: engine deinit
    MPPE keys OK: 1  mismatch: 0
    SUCCESS

using the following eap-tls.conf:

    # eapol_test -c eap-tls.conf -s testing123
    #
    network={
        key_mgmt=IEEE8021X
        eap=TLS
        eapol_flags=0
        eap_workaround=0
        identity="bob"
        ca_cert="/etc/pki/CA/cacert.pem"
        client_cert="/etc/pki/CA/bob.der"
        private_key="/etc/pki/CA/bob.key"
        private_key_passwd="abc123"
        #
        # Uncomment the following to perform server certificate validation.
        ca_cert="/etc/pki/CA/cacert.pem"
    }

My problem is the following error message when running eapol_test:

    TLS: Trusted root certificate(s) loaded
    OpenSSL: SSL_use_certificate_file (DER) --> OK
    OpenSSL: tls_connection_private_key - SSL_use_PrivateKey_File (DER) failed error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
    OpenSSL: pending error: error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
    OpenSSL: pending error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
    OpenSSL: pending error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
    OpenSSL: pending error: error:04093004:rsa routines:OLD_RSA_PRIV_DECODE:RSA lib
    OpenSSL: pending error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
    OpenSSL: pending error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
    OpenSSL: pending error: error:140CB00D:SSL routines:SSL_use_PrivateKey_file:ASN1 lib
    OpenSSL: SSL_use_PrivateKey_File (PEM) --> OK
    SSL: Private key loaded successfully
    CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected

I would like to know if this means that my certificates are not valid, even though eapol_test seems successful. I was not able to find any information on the meaning of these messages.

These messages are similar to what I get when I run wpa_supplicant from my client machine. Since I am not able to authenticate from wpa_supplicant (failed to load private key), I think that it might be possible that the certificates are wrong.

wpa_supplicant.conf:

    ap_scan=0
    network={
        key_mgmt=WPA-EAP
        eap=TLS
        identity="bob"
        ca_cert="/etc/ssl/demoCA/cacert.pem"
        client_cert="/etc/ssl/demoCA/certs/bob.pem"
        private_key="/etc/ssl/demoCA/private/bob.key"
        private_key_passwd="abc123"
        eapol_flags=0
    }

    wpa_supplicant -c /etc/wpa_supplicant.conf -D wired -i br0

    CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
    OpenSSL: pending error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
    OpenSSL: pending error: error:140C800D:SSL routines:SSL_use_certificate_file:ASN1 lib
    OpenSSL: pending error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
    OpenSSL: pending error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
    OpenSSL: pending error: error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib
    OpenSSL: pending error: error:140CB00D:SSL routines:SSL_use_PrivateKey_file:ASN1 lib
    OpenSSL: pending error: error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error
    OpenSSL: pending error: error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error
    OpenSSL: pending error: error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib
    OpenSSL: pending error: error:140CB009:SSL routines:SSL_use_PrivateKey_file:PEM lib
    OpenSSL: tls_read_pkcs12 - Failed to use PKCS#12 file error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
    OpenSSL: pending error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
    OpenSSL: Failed to load private key

Thanks for your help

Stephane
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
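The "ASN1_CHECK_TLEN:wrong tag" lines in the post come from the supplicant handing the key file to OpenSSL's DER loader first and only falling back to the PEM loader afterwards: a PEM file starts with the byte '-' (0x2D) rather than the ASN.1 SEQUENCE tag 0x30, so the DER attempt fails before the PEM attempt succeeds. The following Python module is an added example, not code from the post, wpa_supplicant or FreeRADIUS. It reproduces that first-byte check, verifies that a DER file's outer length matches its size, and reports whether a PEM key is encrypted (and therefore needs private_key_passwd). The sample key and DER blob at the bottom are constructed placeholders, not real key material.

```python
"""Sniff the encoding of a certificate or private-key file the way OpenSSL's loaders do.

wpa_supplicant / eapol_test try the DER loader first and fall back to PEM.  A PEM
file begins with '-' (0x2D), not the ASN.1 SEQUENCE tag 0x30, so the DER attempt
fails with "ASN1_CHECK_TLEN:wrong tag" before the PEM attempt succeeds.
"""
import re

DER_SEQUENCE_TAG = 0x30
PEM_BEGIN = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")
PEM_ENCRYPTED_LABEL = b"ENCRYPTED PRIVATE KEY"
PEM_PROC_TYPE_ENCRYPTED = re.compile(rb"^Proc-Type:\s*4,ENCRYPTED", re.M)


def der_header(data: bytes):
    """Decode the outermost DER tag and length.

    Returns (tag, content_length, header_length), or None if the length octets
    are malformed.  Handles short form (< 0x80) and long form (0x81..0x84).
    """
    if len(data) < 2:
        return None
    tag, first = data[0], data[1]
    if first < 0x80:
        return tag, first, 2
    n = first & 0x7F
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return tag, int.from_bytes(data[2:2 + n], "big"), 2 + n


def detect_format(data: bytes) -> str:
    """Return 'pem', 'der' or 'unknown'.

    'der' requires a SEQUENCE tag whose encoded length matches the file size,
    which a successful d2i_* call also needs.  'pem' only requires a BEGIN line,
    mirroring OpenSSL's PEM reader, which skips any leading text.
    """
    if PEM_BEGIN.search(data):
        return "pem"
    hdr = der_header(data)
    if hdr is not None:
        tag, length, hlen = hdr
        if tag == DER_SEQUENCE_TAG and hlen + length == len(data):
            return "der"
    return "unknown"


def pem_label(data: bytes):
    """Label of the first PEM block, e.g. b'RSA PRIVATE KEY', or None."""
    m = PEM_BEGIN.search(data)
    return m.group(1) if m else None


def pem_is_encrypted(data: bytes) -> bool:
    """True for a PKCS#8 'ENCRYPTED PRIVATE KEY' block, or for a traditional
    PKCS#1 block carrying 'Proc-Type: 4,ENCRYPTED' (both need a passphrase)."""
    label = pem_label(data)
    if label == PEM_ENCRYPTED_LABEL:
        return True
    return label is not None and PEM_PROC_TYPE_ENCRYPTED.search(data) is not None


def diagnose(data: bytes) -> dict:
    """Summarise what each OpenSSL loader would see for this file."""
    first = data[0] if data else None
    return {
        "format": detect_format(data),
        "first_byte": first,
        # The DER loader gets past byte 0 only if it is a SEQUENCE tag; anything
        # else is reported as "wrong tag", which is harmless if PEM then loads.
        "der_loader_wrong_tag": first is not None and first != DER_SEQUENCE_TAG,
        "pem_label": pem_label(data),
        "encrypted": pem_is_encrypted(data),
    }


# Constructed sample inputs (not real keys): an encrypted traditional-format PEM
# key with a dummy base64 body, and a minimal DER SEQUENCE of two INTEGERs (0, 5).
SAMPLE_PEM_KEY = (
    b"-----BEGIN RSA PRIVATE KEY-----\n"
    b"Proc-Type: 4,ENCRYPTED\n"
    b"DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n"
    b"\n"
    b"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"
    b"-----END RSA PRIVATE KEY-----\n"
)
SAMPLE_DER = b"\x30\x06\x02\x01\x00\x02\x01\x05"

if __name__ == "__main__":
    for name, blob in (("bob.key (PEM)", SAMPLE_PEM_KEY), ("bob.der (DER)", SAMPLE_DER)):
        print(name, diagnose(blob))
```

Run it against the real files with `diagnose(open("/etc/pki/CA/bob.key", "rb").read())`. If the key is reported as PEM and encrypted, the remaining question in the wpa_supplicant log is whether the passphrase and cipher are accepted, which this sniffer cannot tell you; `openssl pkey -in bob.key -noout` (it prompts for the passphrase) answers that, and comparing `openssl pkey -in bob.key -pubout` with `openssl x509 -in bob.pem -noout -pubkey` confirms the key belongs to the certificate.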