Hi All,

I'm using FreeRADIUS server 2.1.12 on x86 Fedora 14. My client is an IMX53 board (armel Ubuntu 10.04 Lucid). When I try connecting to the RADIUS server I receive the following errors. Do we require different certificates for ARM boards? I was able to run without any issues on x86 with the same certificates.

openssl version is 0.98g (on arm board)
openssl version is 1.0.0a-fips (on x86 free radius server 2.1.12)


ERROR:
-----------
rad_recv: Access-Request packet from host 10.0.0.70 port 2050, id=8, length=166
    User-Name = "testuser"
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 0
    Called-Station-Id = "68-7F-74-64-0A-AA:linksys"
    Calling-Station-Id = "00-23-A7-3B-29-2C"
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    Connect-Info = "CONNECT 0Mbps 802.11"
    EAP-Message = 0x020300060d00
    State = 0xba89e950b88ae454eff4b9964b6ca194
    Message-Authenticator = 0x3f69e77da835e1450b33224899e816b2
Tue Nov 20 16:48:05 2012 : Info: # Executing section authorize from file /usr/local/etc/raddb/radiusd.conf
Tue Nov 20 16:48:05 2012 : Info: +- entering group authorize {...}
Tue Nov 20 16:48:05 2012 : Info: ++[preprocess] returns ok
Tue Nov 20 16:48:05 2012 : Info: ++[chap] returns noop
Tue Nov 20 16:48:05 2012 : Info: ++[mschap] returns noop
Tue Nov 20 16:48:05 2012 : Info: [suffix] No '@' in User-Name = "testuser", looking up realm NULL
Tue Nov 20 16:48:05 2012 : Info: [suffix] No such realm "NULL"
Tue Nov 20 16:48:05 2012 : Info: ++[suffix] returns noop
Tue Nov 20 16:48:05 2012 : Info: [eap] EAP packet type response id 3 length 6
Tue Nov 20 16:48:05 2012 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation
Tue Nov 20 16:48:05 2012 : Info: ++[eap] returns updated
Tue Nov 20 16:48:05 2012 : Info: [files] users: Matched entry testuser at line 131
Tue Nov 20 16:48:05 2012 : Info: ++[files] returns ok
Tue Nov 20 16:48:05 2012 : Info: Found Auth-Type = EAP
Tue Nov 20 16:48:05 2012 : Info: # Executing group from file /usr/local/etc/raddb/radiusd.conf
Tue Nov 20 16:48:05 2012 : Info: +- entering group authenticate {...}
Tue Nov 20 16:48:05 2012 : Info: [eap] Request found, released from the list
Tue Nov 20 16:48:05 2012 : Info: [eap] EAP/tls
Tue Nov 20 16:48:05 2012 : Info: [eap] processing type tls
Tue Nov 20 16:48:05 2012 : Info: [tls] Authenticate
Tue Nov 20 16:48:05 2012 : Info: [tls] processing EAP-TLS
Tue Nov 20 16:48:05 2012 : Info: [tls] Received TLS ACK
Tue Nov 20 16:48:05 2012 : Info: [tls] ACK handshake fragment handler
Tue Nov 20 16:48:05 2012 : Info: [tls] eaptls_verify returned 1
Tue Nov 20 16:48:05 2012 : Info: [tls] eaptls_process returned 13
Tue Nov 20 16:48:05 2012 : Info: ++[eap] returns handled
Sending Access-Challenge of id 8 to 10.0.0.70 port 2050
    EAP-Message = 0x026161310a300806035504031301610e000000
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0xba89e950b98de454eff4b9964b6ca194
Tue Nov 20 16:48:05 2012 : Info: Finished request 8.
Tue Nov 20 16:48:05 2012 : Debug: Going to the next request
Tue Nov 20 16:48:05 2012 : Debug: Waking up in 0.5 seconds.
rad_recv: Access-Request packet from host 10.0.0.70 port 2050, id=9, length=1287
    User-Name = "testuser"
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 0
    Called-Station-Id = "68-7F-74-64-0A-AA:linksys"
    Calling-Station-Id = "00-23-A7-3B-29-2C"
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    Connect-Info = "CONNECT 0Mbps 802.11"
    EAP-Message = 0x1849da1f7906027ca97729405b53eda8680767a719962059a67cd451dc8f1bd30d4cec89234ea9c408d13fb4c2c0c6bc1403010001011603010030b8b9b7a2f1fcb703eca33336508b26fa17344530ab8cc6f48edbf0210a6ddad56fcc0d9b9e7ebed01f532216f6dda1e7
    State = 0xba89e950b98de454eff4b9964b6ca194
    Message-Authenticator = 0x07338a39dd069d06794136bf8f63b62f
Tue Nov 20 16:48:05 2012 : Info: # Executing section authorize from file /usr/local/etc/raddb/radiusd.conf
Tue Nov 20 16:48:05 2012 : Info: +- entering group authorize {...}
Tue Nov 20 16:48:05 2012 : Info: ++[preprocess] returns ok
Tue Nov 20 16:48:05 2012 : Info: ++[chap] returns noop
Tue Nov 20 16:48:05 2012 : Info: ++[mschap] returns noop
Tue Nov 20 16:48:05 2012 : Info: [suffix] No '@' in User-Name = "testuser", looking up realm NULL
Tue Nov 20 16:48:05 2012 : Info: [suffix] No such realm "NULL"
Tue Nov 20 16:48:05 2012 : Info: ++[suffix] returns noop
Tue Nov 20 16:48:05 2012 : Info: [eap] EAP packet type response id 4 length 253
Tue Nov 20 16:48:05 2012 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation
Tue Nov 20 16:48:05 2012 : Info: ++[eap] returns updated
Tue Nov 20 16:48:05 2012 : Info: [files] users: Matched entry testuser at line 131
Tue Nov 20 16:48:05 2012 : Info: ++[files] returns ok
Tue Nov 20 16:48:05 2012 : Info: Found Auth-Type = EAP
Tue Nov 20 16:48:05 2012 : Info: # Executing group from file /usr/local/etc/raddb/radiusd.conf
Tue Nov 20 16:48:05 2012 : Info: +- entering group authenticate {...}
Tue Nov 20 16:48:05 2012 : Info: [eap] Request found, released from the list
Tue Nov 20 16:48:05 2012 : Info: [eap] EAP/tls
Tue Nov 20 16:48:05 2012 : Info: [eap] processing type tls
Tue Nov 20 16:48:05 2012 : Info: [tls] Authenticate
Tue Nov 20 16:48:05 2012 : Info: [tls] processing EAP-TLS
Tue Nov 20 16:48:05 2012 : Info: [tls] eaptls_verify returned 7
Tue Nov 20 16:48:05 2012 : Info: [tls] Done initial handshake
Tue Nov 20 16:48:05 2012 : Info: [tls] <<< TLS 1.0 Handshake [length 0303], Certificate
Tue Nov 20 16:48:05 2012 : Info: [tls] chain-depth=0,
Tue Nov 20 16:48:05 2012 : Info: [tls] error=0
Tue Nov 20 16:48:05 2012 : Info: [tls] --> User-Name = testuser
Tue Nov 20 16:48:05 2012 : Info: [tls] --> BUF-Name = a
Tue Nov 20 16:48:05 2012 : Info: [tls] --> subject = /O=a/OU=a/emailAddress=a/L=a/ST=a/C=aa/CN=a
Tue Nov 20 16:48:05 2012 : Info: [tls] --> issuer = /O=a/OU=a/emailAddress=a/L=a/ST=a/C=aa/CN=a
Tue Nov 20 16:48:05 2012 : Info: [tls] --> verify return:1
Tue Nov 20 16:48:05 2012 : Info: [tls] TLS_accept: SSLv3 read client certificate A
Tue Nov 20 16:48:05 2012 : Info: [tls] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
Tue Nov 20 16:48:05 2012 : Info: [tls] TLS_accept: SSLv3 read client key exchange A
Tue Nov 20 16:48:05 2012 : Info: [tls] <<< TLS 1.0 Handshake [length 0086], CertificateVerify
Tue Nov 20 16:48:05 2012 : Info: [tls] >>> TLS 1.0 Alert [length 0002], fatal decrypt_error
Tue Nov 20 16:48:05 2012 : Error: TLS Alert write:fatal:decrypt error
Tue Nov 20 16:48:05 2012 : Error: TLS_accept: failed in SSLv3 read certificate verify B
Tue Nov 20 16:48:05 2012 : Error: rlm_eap: SSL error error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01
Tue Nov 20 16:48:05 2012 : Error: SSL: SSL_read failed inside of TLS (-1), TLS session fails.
Tue Nov 20 16:48:05 2012 : Debug: TLS receive handshake failed during operation
Tue Nov 20 16:48:05 2012 : Info: [tls] eaptls_process returned 4
Tue Nov 20 16:48:05 2012 : Info: [eap] Handler failed in EAP/tls
Tue Nov 20 16:48:05 2012 : Info: [eap] Failed in EAP select
Tue Nov 20 16:48:05 2012 : Info: ++[eap] returns invalid
Tue Nov 20 16:48:05 2012 : Info: Failed to authenticate the user.
Tue Nov 20 16:48:05 2012 : Info: Delaying reject of request 9 for 1 seconds
Tue Nov 20 16:48:05 2012 : Debug: Going to the next request
Tue Nov 20 16:48:05 2012 : Debug: Waking up in 0.3 seconds.
Tue Nov 20 16:48:05 2012 : Info: Cleaning up request 4 ID 4 with timestamp +1948
Tue Nov 20 16:48:05 2012 : Debug: Waking up in 0.6 seconds.
Tue Nov 20 16:48:06 2012 : Info: Sending delayed reject for request 9
Sending Access-Reject of id 9 to 10.0.0.70 port 2050
    EAP-Message = 0x04040004
    Message-Authenticator = 0x00000000000000000000000000000000
Tue Nov 20 16:48:06 2012 : Debug: Waking up in 3.7 seconds.
Tue Nov 20 16:48:10 2012 : Info: Cleaning up request 5 ID 5 with timestamp +1954



I created certificates with the following commands:
--------------------------------------------------------------------

/* CA root */
openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 365 -config ./openssl.cnf

/* Certificates Request */
openssl req -new -nodes -out redpine-req.pem -keyout private/redpine-key.pem -days 365 -config ./openssl.cnf

/* Signing the certificates with ca root certificate generated in section CA root */
openssl ca -out redpine-cert.pem -days 365 -config ./openssl.cnf -infiles redpine-req.pem

Concatenating all certificates:
cat redpine-key.pem redpine-cert.pem cacert.pem > imx53.pem


Thanks & Regards,
Swaraj
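
The "block type is not 01" error in the log above is raised by the PKCS#1 v1.5 type 1 padding check that follows the RSA public-key operation on a signature. The sketch below is an added illustration, not part of the original post and not FreeRADIUS or OpenSSL code: with toy keys built from small known primes (constructed, insecure) it shows the check passing for a matching key pair and failing when the public key is unrelated to the key that signed, and it unpacks the error code 0407006A. All function and variable names are assumptions.

```python
E = 65537  # public exponent for the toy keys (constructed, insecure sizes)

def make_key(p, q):
    """Return (n, e, d) for primes p and q."""
    return p * q, E, pow(E, -1, (p - 1) * (q - 1))

def pad_type1(data, k):
    """Signature block of k bytes: 00 01 FF..FF 00 || data (at least 8 FF bytes)."""
    ps_len = k - 3 - len(data)
    if ps_len < 8:
        raise ValueError("data too large for key size")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + data

def sign(data, key):
    n, _, d = key
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(pad_type1(data, k), "big"), d, n)

def check_type1(sig, key):
    """Public-key operation, then the type 1 padding check; returns the data."""
    n, e, _ = key
    if sig >= n:
        raise ValueError("data too large for modulus")
    k = (n.bit_length() + 7) // 8
    em = pow(sig, e, n).to_bytes(k, "big")
    if em[:2] != b"\x00\x01":
        raise ValueError("block type is not 01")
    sep = em.find(b"\x00", 2)
    if sep < 10 or em[2:sep] != b"\xff" * (sep - 2):
        raise ValueError("bad fixed header or pad bytes")
    return em[sep + 1:]

def decode_err(code):
    """Split an OpenSSL 0.9.8/1.0.x packed error code into (lib, func, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

# Constructed keys: the signer, and an unrelated key standing in for a mismatched certificate.
signer = make_key(2**127 - 1, 2**61 - 1)
unrelated = make_key(2**107 - 1, 2**89 - 1)
digest = b"\x11" * 8          # constructed stand-in for the handshake hash
sig = sign(digest, signer)

if __name__ == "__main__":
    print(check_type1(sig, signer) == digest, decode_err(0x0407006A))
    try:
        check_type1(sig, unrelated)
    except ValueError as err:
        print("unrelated public key:", err)
```

In the decoded tuple, library 4 is OpenSSL's RSA library; the function and reason numbers correspond to the names printed in the log line.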





-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
