On 22.01.2013 at 22:19, Alan DeKok <al...@deployingradius.com> wrote:
Stephan Manske wrote:

to

Internal Program Version: OpenSSL  1.0.1c

  That might be the issue.  It's hard to say.  SSL is magic.

But I did this over three days before the errors occurred. In the
meantime freeradius worked well.

  Maybe there's one client which *didn't* get login until after 3 days.

Regrettably no. All my certificate clients are affected. And there is at least one, namely my Android, which connects every day. And this one had no problems for 3 days after the update, and now it has the problem.

So, here is a shortened output of radiusd -X (I hope I do not shorten
important things - btw, are there parts of such a debug output I should
keep secret?)

  Passwords, shared secrets.

What about all this stuff:

EAP-Message = 0x010304000dc0000009b31603010031020000
State = 0x7d1f9f227f1c92c8e3xxxxxx

and so on?



[tls] --> verify return:1
--> verify error:num=7:certificate signature failure
[tls] >>> TLS 1.0 Alert [length 0002], fatal decrypt_error
TLS Alert write:fatal:decrypt error
    TLS_accept: error in SSLv3 read client certificate B
rlm_eap: SSL error error:04067084:rsa routines:RSA_EAY_PUBLIC_DECRYPT:data too large for modulus

  That's an SSL error.  It looks like the certificate being presented is
wrong, or the client has made a mistake in SSL.

Am I right when I suggest this certificate B is the CA certificate?

Certificate A has no problems (in the majority of cases I found via Google, cert A was the problem).

  I would suggest manually verifying the certificates using the
"openssl" command-line tool.  It may be that the signatures are broken.

Any hint where I can find more to read about what I should test? Which parameters do I have to use with the openssl command?

 And the OpenSSL upgrade added code which checked for that, where the
older version of OpenSSL didn't check.

  For SSL issues, we're completely at the mercy of OpenSSL.  If it says
"bad certificate", then no amount of poking FreeRADIUS will make it
work.  You've just got to create good certificates.

And is there no way to tell freeradius to tell openssl to give more debug information at this moment?

Ciao, Stephan

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
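
The manual check with the "openssl" command-line tool suggested above, as an added example that is not part of the original thread. It builds a throwaway CA and client certificate (all names and paths are constructed), then verifies the client certificate against the CA that signed it and against a second CA with the same name but a different key; for a real setup, `check_cert` would be given the CA file and client certificate actually in use.

```shell
#!/bin/sh
# Added example, not from the thread. All names and paths are constructed.

# make_ca DIR: self-signed CA "demo-ca" -> DIR/ca.key, DIR/ca.pem
make_ca() {
    mkdir -p "$1" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# make_client CADIR OUT: client certificate OUT signed by the CA in CADIR
make_client() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-client" \
        -keyout "$2.key" -out "$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$2" 2>/dev/null
}

# check_cert CAFILE CERT: show who issued CERT and its validity dates,
# then verify its signature chain against CAFILE.
# Exit status 0 means the chain verified (OpenSSL 1.1.0 and later; with
# older releases rely on the printed "OK" or "error" line instead).
check_cert() {
    openssl x509 -in "$2" -noout -subject -issuer -dates &&
    openssl verify -CAfile "$1" "$2"
}

# Demo: the same client certificate checked against the CA that signed it
# and against a CA with the same name but a different key.
run_demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d/signing" && make_ca "$d/regenerated" &&
        make_client "$d/signing" "$d/client.pem" || return 1
    check_cert "$d/signing/ca.pem" "$d/client.pem"; good=$?
    check_cert "$d/regenerated/ca.pem" "$d/client.pem"; bad=$?
    rm -rf "$d"
    echo "signing CA: $good, regenerated CA: $bad"
}
run_demo
```

The issuer line printed by `check_cert` shows which CA name the certificate claims; a matching name with a failing `openssl verify` points at a CA file whose key is not the one that signed the certificate.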
