Re: [RADIATOR] Unknown SSL errors

2011-09-02 Thread Michael Hulko
Thanks for the response and clarity.  The upgraded cert itself did not increase 
in size, but the key increased. We are using "EAPTLS_MaxFragmentSize 1000" in 
our configurations.  The indications that corruption is taking place somewhere 
along the path will need to be further investigated.

Although it appears that these errors are more indicative of client 
communication errors and not necessarily server or certificate issues, would it 
be best to move to the latest version of Radiator?  I am sure this is already 
documented somewhere, but I will ask in an effort to expedite an 
assumption, is Radiator multi-threaded or can support multi-threading?

Respectfully

Michael Hulko



-----Original Message-----
From: Heikki Vatiainen [mailto:h...@open.com.au] 
Sent: Friday, September 02, 2011 5:12 AM
To: Michael Hulko
Cc: radiator@open.com.au
Subject: Re: [RADIATOR] Unknown SSL errors

On 09/02/2011 12:09 AM, Michael Hulko wrote:
> We are currently running 2 Radiator servers ver4.5.1.

> We have recently upgraded our certs to Thawte 2048 bit. 

> I have noticed an increase in the number of these messages:

> EAP TLS error: -1, 1, 8576,  9408: 1 - error:1408F10B:SSL 
> routines:SSL3_GET_RECORD:wrong version number

Likely a corrupted packet. This comes from the SSL libraries Radiator
uses. The library is telling us it did not like the SSL version when it did
not find TLS1.0 or later but some corrupted values instead.

> ERR: EAP PEAP TLS Handshake unsuccessful:  9408: 1 - error:1409442E:SSL 
> routines:SSL3_READ_BYTES:tlsv1 alert protocol version

Alert comes from the client. The client probably received a corrupted
packet.

> ERR: EAP PEAP TLS read failed: 3888: 1 - error:1408F455:SSL 
> routines:SSL3_GET_RECORD:decryption failed or bad record

Likely caused by a corrupted packet too. The corruption was detected by
the TLS layer.

> I am unsure of what these are indicative of.  Are these client machine errors 
> or server process errors?

These look like corrupted messages. Maybe caused by a weak wireless
reception where the client is just barely able to transmit and receive.

Since you mentioned you had upgraded to a new cert, did the certificate
size grow? This would mean there's more to transfer correctly during the
authentication.

You could also try this:

EAPTLS_MaxFragmentSize 1000

This may help with devices that are unable to handle large messages. See
the reference manual for more.

Thanks!
Heikki


-- 
Heikki Vatiainen 

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.

___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
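
A triage sketch for the log lines discussed in this thread, added here as an example and not part of either poster's message or of Radiator itself: it splits each OpenSSL error string into its fields and separates alerts received from the peer from errors the server's own TLS library detected. It assumes the pre-3.0 OpenSSL error-code layout (8-bit library, 12-bit function, 12-bit reason) and that received alerts carry a reason text starting with "tlsv1 alert" or "sslv3 alert"; all function and variable names are illustrative.

```python
import re
from collections import Counter

# OpenSSL error-queue text: error:<hex code>:<library>:<function>:<reason>
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]+):([^:]+):(.+?)\s*$")
# Assumption: alerts sent by the peer are reported with this reason prefix.
ALERT_RE = re.compile(r"(tlsv1|sslv3) alert ")

# The three log lines quoted in the thread, each joined onto one line,
# plus one constructed line that carries no OpenSSL error.
SAMPLE_LOG = [
    "EAP TLS error: -1, 1, 8576,  9408: 1 - error:1408F10B:SSL "
    "routines:SSL3_GET_RECORD:wrong version number",
    "ERR: EAP PEAP TLS Handshake unsuccessful:  9408: 1 - error:1409442E:SSL "
    "routines:SSL3_READ_BYTES:tlsv1 alert protocol version",
    "ERR: EAP PEAP TLS read failed: 3888: 1 - error:1408F455:SSL "
    "routines:SSL3_GET_RECORD:decryption failed or bad record",
    "INFO: Access accepted (constructed line, no SSL error)",
]


def parse_line(line):
    """Return the decoded OpenSSL error in a log line, or None if absent."""
    m = ERR_RE.search(line)
    if m is None:
        return None
    code = int(m.group(1), 16)
    reason_text = m.group(4)
    return {
        "code": m.group(1).upper(),
        "lib": (code >> 24) & 0xFF,     # 20 is the SSL library
        "func": (code >> 12) & 0xFFF,   # numeric id of the reporting function
        "reason": code & 0xFFF,         # numeric reason code
        "function": m.group(3),
        "reason_text": reason_text,
        # An alert was sent by the peer; anything else was raised locally.
        "origin": "alert-from-peer" if ALERT_RE.match(reason_text)
                  else "detected-locally",
    }


def summarize(lines):
    """Count errors per (origin, reason text) so trends are easy to spot."""
    parsed = (parse_line(line) for line in lines)
    return Counter((p["origin"], p["reason_text"]) for p in parsed if p)


if __name__ == "__main__":
    for (origin, reason), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:4d}  {origin:17s} {reason}")
```
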


Re: [RADIATOR] Unknown SSL errors

2011-09-02 Thread Heikki Vatiainen
On 09/02/2011 12:09 AM, Michael Hulko wrote:
> We are currently running 2 Radiator servers ver4.5.1.

> We have recently upgraded our certs to Thawte 2048 bit. 

> I have noticed an increase in the number of these messages:

> EAP TLS error: -1, 1, 8576,  9408: 1 - error:1408F10B:SSL 
> routines:SSL3_GET_RECORD:wrong version number

Likely a corrupted packet. This comes from the SSL libraries Radiator
uses. The library is telling us it did not like the SSL version when it did
not find TLS1.0 or later but some corrupted values instead.

> ERR: EAP PEAP TLS Handshake unsuccessful:  9408: 1 - error:1409442E:SSL 
> routines:SSL3_READ_BYTES:tlsv1 alert protocol version

Alert comes from the client. The client probably received a corrupted
packet.

> ERR: EAP PEAP TLS read failed: 3888: 1 - error:1408F455:SSL 
> routines:SSL3_GET_RECORD:decryption failed or bad record

Likely caused by a corrupted packet too. The corruption was detected by
the TLS layer.

> I am unsure of what these are indicative of.  Are these client machine errors 
> or server process errors?

These look like corrupted messages. Maybe caused by a weak wireless
reception where the client is just barely able to transmit and receive.

Since you mentioned you had upgraded to a new cert, did the certificate
size grow? This would mean there's more to transfer correctly during the
authentication.

You could also try this:

EAPTLS_MaxFragmentSize 1000

This may help with devices that are unable to handle large messages. See
the reference manual for more.

Thanks!
Heikki


-- 
Heikki Vatiainen 
