Certificate chain untrusted #5273

Closed
lsenecaux opened this issue Jan 23, 2024 · 1 comment
Labels
close state: auto close the issue

Comments

@lsenecaux

Message

Hi,
I'm having an issue with FreeRADIUS 3.2.3 and the EAP module.
It doesn't take into account my private PKI.
I have to set the reject_unknown_intermediate_ca parameter to no for EAP-TLS authentication to work.
I have no issues with FreeRADIUS 3.0.x
My server is running RHEL 8 and my OpenSSL version is 1.1.1K

  • mods-enabled/eap
    eap {
        default_eap_type = md5
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        max_sessions = ${max_requests}
        md5 {
        }
        gtc {
            auth_type = PAP
        }
        tls-config tls-common {
            private_key_file = ${certdir}/server.key
            certificate_file = ${certdir}/server.pem
            ca_file = ${cadir}/chain.pem
            ca_path = ${cadir}
            reject_unknown_intermediate_ca = no
            cipher_list = "DEFAULT"
            cipher_server_preference = no
            tls_min_version = "1.2"
            tls_max_version = "1.2"
            ecdh_curve = ""
            cache {
                enable = no
                store {
                    Tunnel-Private-Group-Id
                }
            }
            verify {
            }
            ocsp {
                enable = yes
                override_cert_url = no
                url = "http://127.0.0.1/ocsp/"
            }
        }
        tls {
            tls = tls-common
        }
        ttls {
            tls = tls-common
            default_eap_type = md5
            copy_request_to_tunnel = no
            use_tunneled_reply = no
            virtual_server = "inner-tunnel"
        }
        peap {
            tls = tls-common
            default_eap_type = mschapv2
            copy_request_to_tunnel = no
            use_tunneled_reply = no
            virtual_server = "inner-tunnel"
        }
        mschapv2 {
        }
    }

  • ls -l certs
    total 32
    lrwxrwxrwx. 1 root root 17 Jan 23 12:17 3377b39c.0 -> subca.pem
    lrwxrwxrwx. 1 root root 18 Jan 23 12:17 72f73b82.0 -> rootca.pem
    -rw-r-----. 1 root radiusd 4111 Jan 23 10:16 chain.pem
    -rw-r-----. 1 root radiusd 1818 Jan 23 10:17 rootca.pem
    -rw-r-----. 1 root radiusd 2293 Jan 23 10:17 subca.pem
    -rw-r-----. 1 root radiusd 1704 Jan 23 10:18 server.key
    -rw-r-----. 1 root radiusd 8567 Jan 23 10:18 server.pem

  • debug (if reject_unknown_intermediate_ca = yes)
    [...]
    Certificate chain - 1 cert(s) untrusted
    (TLS) untrusted certificate with depth [1] subject name /CN=SubCA
    (TLS) untrusted certificate with depth [0] subject name /CN=device
    tls: There are untrusted certificates in the certificate chain. Rejecting.
    (10) eap_tls: (TLS) send TLS 1.2 Alert, fatal internal_error
    (10) eap_tls: ERROR: (TLS) Alert write:fatal:internal error
    (10) eap_tls: ERROR: (TLS) Server : Error in error
    (10) eap_tls: ERROR: (TLS) Failed reading from OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
    (10) eap_tls: ERROR: (TLS) System call (I/O) error (-1)
    (10) eap_tls: ERROR: (TLS) EAP Receive handshake failed during operation
    (10) eap_tls: ERROR: [eaptls process] = fail
    (10) eap: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module failed
    (10) eap: Sending EAP Failure (code 4) ID 26 length 4
    (10) eap: Failed in EAP select
    (10) [eap] = invalid
    (10) } # authenticate = invalid
    (10) Failed to authenticate the user
    (10) Using Post-Auth-Type Reject
    [...]

@lsenecaux lsenecaux added the close state: auto close the issue label Jan 23, 2024
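The following is an added example of mine, not code from the issue above or from the FreeRADIUS project. It builds a throwaway private PKI shaped like the one in the report (RootCA signs SubCA, SubCA signs a "device" client certificate), lays the CA certificates out the way FreeRADIUS' ca_file and ca_path consume them, and then uses openssl verify to separate the three trust situations behind a "untrusted certificate with depth [1]" message: the intermediate is in the server's trust store, the intermediate is absent and the client did not send it, and the intermediate is absent but the client supplies it in its TLS chain (what OpenSSL calls an "untrusted" input certificate, and the case the reject_unknown_intermediate_ca option is named for). It also creates the <subject_hash>.0 symlinks that a ca_path directory needs, the 3377b39c.0 style seen in the ls -l output. Subject names, the file names and the certs directory mirror the issue; the EC key type, validity periods and the minimal openssl.cnf are this script's own assumptions, and nothing here reproduces what FreeRADIUS 3.2.3 does internally once OpenSSL has verified the chain.

```shell
#!/bin/sh
# Added example (not FreeRADIUS code): a RootCA -> SubCA -> device PKI, a ca_path
# directory with hashed symlinks, and four "openssl verify" runs that show when an
# intermediate CA counts as trusted versus merely supplied by the peer.
# All keys are generated on the fly; names are chosen to mirror the issue.
set -eu

# Minimal OpenSSL config so req/x509 work without a system openssl.cnf (assumption).
write_cnf() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = unused
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# Build the PKI under $1: certs/ holds what the RADIUS server trusts (the ca_path
# directory, plus chain.pem for ca_file); client/ holds the supplicant's cert and key.
build_pki() (
    dir=$1
    mkdir -p "$dir/certs" "$dir/client"
    cd "$dir"
    write_cnf openssl.cnf
    newkey='-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes'
    # Self-signed root.
    openssl req -x509 -config openssl.cnf -extensions ca_ext $newkey \
        -keyout rootca.key -out certs/rootca.pem -subj '/CN=RootCA' -days 3650 2>/dev/null
    # Intermediate, signed by the root.
    openssl req -new -config openssl.cnf $newkey \
        -keyout subca.key -out subca.csr -subj '/CN=SubCA' 2>/dev/null
    openssl x509 -req -in subca.csr -CA certs/rootca.pem -CAkey rootca.key -CAcreateserial \
        -extfile openssl.cnf -extensions ca_ext -out certs/subca.pem -days 1825 2>/dev/null
    # Client ("device") certificate, signed by the intermediate.
    openssl req -new -config openssl.cnf $newkey \
        -keyout client/device.key -out device.csr -subj '/CN=device' 2>/dev/null
    openssl x509 -req -in device.csr -CA certs/subca.pem -CAkey subca.key -CAcreateserial \
        -extfile openssl.cnf -extensions leaf_ext -out client/device.pem -days 365 2>/dev/null
    # ca_path lookups only work through <subject_hash>.N symlinks; rehash creates them.
    openssl rehash certs >/dev/null 2>&1
    # ca_file style bundle: intermediate first, then root.
    cat certs/subca.pem certs/rootca.pem > certs/chain.pem
)

# Case 1: the intermediate is in the trust store (ca_file = chain.pem). Verifies.
verify_chain_file() {
    openssl verify -no-CAfile -no-CApath -CAfile "$1/certs/chain.pem" \
        "$1/client/device.pem" >/dev/null 2>&1
}

# Case 2: only the root is trusted and the client sends just its own cert.
# OpenSSL cannot find the issuer SubCA anywhere, so verification fails.
verify_root_only() {
    openssl verify -no-CAfile -no-CApath -CAfile "$1/certs/rootca.pem" \
        "$1/client/device.pem" >/dev/null 2>&1
}

# Case 3: only the root is trusted, but the client supplies SubCA in its TLS chain.
# OpenSSL takes it as an "untrusted" input cert, builds the path through it, and
# accepts: an intermediate the server never configured is vouched for by the peer.
verify_root_plus_peer_intermediate() {
    openssl verify -no-CAfile -no-CApath -CAfile "$1/certs/rootca.pem" \
        -untrusted "$1/certs/subca.pem" "$1/client/device.pem" >/dev/null 2>&1
}

# Case 4: directory lookup (ca_path = certs). Works only because of the hashed links.
verify_ca_path() {
    openssl verify -no-CAfile -no-CApath -CApath "$1/certs" \
        "$1/client/device.pem" >/dev/null 2>&1
}

# The symlink name OpenSSL expects for a CA certificate file.
subject_hash() {
    openssl x509 -noout -subject_hash -in "$1"
}

# Stand-alone run: build everything in a temp dir and report each case.
main() {
    work=$(mktemp -d)
    build_pki "$work"
    for c in verify_chain_file verify_root_only verify_root_plus_peer_intermediate verify_ca_path; do
        if "$c" "$work"; then echo "$c: OK"; else echo "$c: FAILED"; fi
    done
    echo "subca.pem link name: $(subject_hash "$work/certs/subca.pem").0"
    ls -l "$work/certs"
    rm -rf "$work"
}
main
```

Only case 2 should print FAILED. The check worth running on a real server is the last two lines of output against your own directory: every CA certificate in ca_path must have a link named `$(openssl x509 -noout -subject_hash -in ca.pem).0`, and those links have to be regenerated with `openssl rehash` (or c_rehash) every time a CA is added, because FreeRADIUS hands ca_path straight to OpenSSL and OpenSSL never scans the directory for unhashed files. The links themselves can be owned by root; what matters is that the radiusd user can read the target files, as in the ls -l output above.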
@alandekok
Member

As the github issue template tells you, configuration questions belong on the freeradius-users mailing list.

@FreeRADIUS FreeRADIUS locked as off-topic and limited conversation to collaborators Jan 23, 2024