> From: owner-openssl-us...@openssl.org On Behalf Of Tahir Mahmood
> Sent: Wednesday, 01 June, 2011 11:48
> Actually I have installed CentOS 5 and Freeradius 2.0....
> http://www.howtoforge.com/wifi-authentication-accounting-with-freeradius-on-centos5-p3
> created certificates using above mentioned link.

Creating certs is on page 1 of that article, not page 3. It has several options and one step that aren't needed, but otherwise looks reasonable, although it distinguishes the CA and server/client certs only by emailAddress, and the server and client not at all; it would probably be better to make orgUnit and/or commonName different, ideally for all three for clarity.

> I am trying to use 802.11x enterprise with iPhone.
> I have created certificates and imported client_cert.p12
> and cacert.pem files to iPhone.
> Here is some part of the "radiusd -X" output.
> [tls] <<< TLS 1.0 Handshake [length 0598], Certificate
> --> verify error:num=18:self signed certificate
> [tls] >>> TLS 1.0 Alert [length 0002], fatal unknown_ca
> TLS Alert write:fatal:unknown CA
> TLS_accept:error in SSLv3 read client certificate B
> rlm_eap: SSL error error:140890B2:SSL routines:
> SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
> SSL: SSL_read failed in a system call (-1), TLS session fails.
> TLS receive handshake failed during operation
<snip rest, and attachment>

This appears to be a mixture of server- and client-side information. I don't know if Radius/radiusd does this itself, or you have both server and client logging to the same window or whatever. But it looks like the(?) client thinks the server's cert is self-signed. Did you enter the same Distinguished Name for CA-cert and server-req (and maybe client-req)? If so, you get a server cert that appears self-signed (even though by default it has AKI?) and thus might not chain to the CA cert, even assuming you have imported the CA cert correctly. If so, make the names different, as above. If that isn't it, I don't know what the iPhone client is like and if any better info can be obtained from it, or from any other tool(s) on iPhone.
Do you have other (type of) Radius client(s) (that can be) configured to the same server? And succeed or not? At worst you could try connecting to the server with openssl s_client and immediately disconnecting without issuing any request(s), but only from machine(s) where openssl commandline is available.

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
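As an added example (not part of the thread; the subject names are constructed), this script builds a CA and a CA-signed server certificate twice, once reusing one DN for both as the reply suspects happened, and once with distinct names, then runs the subject-equals-issuer check that spots the mistake before the certificates reach the RADIUS server or the phone:

```shell
#!/bin/sh
# Added example, not from the original thread. Reproduces the "same DN for CA
# and server" mistake and shows how to detect it. Subject names are made up.
set -e

# make_pair DIR CA_SUBJ SERVER_SUBJ: create a CA and a server cert signed by it.
make_pair() {
    dir=$1; ca_subj=$2; srv_subj=$3
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "$ca_subj" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "$srv_subj" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$dir/server.csr" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/server.pem" 2>/dev/null
}

# is_self_issued CERT: succeeds when the subject DN equals the issuer DN, the
# condition under which a verifier may treat an end-entity cert as self-signed.
is_self_issued() {
    subj=$(openssl x509 -noout -subject -in "$1" | sed 's/^[^=]*=//')
    iss=$(openssl x509 -noout -issuer -in "$1" | sed 's/^[^=]*=//')
    [ "$subj" = "$iss" ]
}

# verify_chain DIR: echoes "OK" when server.pem chains to ca.pem, else the error.
verify_chain() {
    if out=$(openssl verify -CAfile "$1/ca.pem" "$1/server.pem" 2>&1); then
        echo OK
    else
        echo "$out" | tail -n 1
    fi
}

WORK=$(mktemp -d)
# The mistake from the thread: one DN reused for the CA and the server.
make_pair "$WORK/same" "/O=Example Lab/CN=radius.example.test" \
    "/O=Example Lab/CN=radius.example.test"
# The recommended layout: CA and server differ in OU and CN.
make_pair "$WORK/distinct" "/O=Example Lab/OU=CA/CN=Example Lab Root CA" \
    "/O=Example Lab/OU=Servers/CN=radius.example.test"

for d in same distinct; do
    if is_self_issued "$WORK/$d/server.pem"; then
        flag="self-issued (subject == issuer)"
    else
        flag="distinct issuer"
    fi
    echo "$d: $flag; openssl verify: $(verify_chain "$WORK/$d")"
done
```

Whether the same-DN pair also fails `openssl verify` depends on whether the signing step added AKI/SKI extensions (newer openssl versions add them by default), which is why the subject/issuer comparison, not the verify result, is the reliable check.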