
List:       freeradius-users
Subject:    Re: EAP-TLS Authentication fails( TLS_accept: error in SSLv3 read client certificate B)
From:       Esma Yalcinkaya <esmayalcinkayaa () gmail ! com>
Date:       2013-11-27 18:11:36
Message-ID: CAKLJbWty=z=ysPv0zW0wU2OVLOfEU5CGkRaa3xAMq3c-ajGvuw () mail ! gmail ! com

Thanks for your replies.
Not sure, maybe the problem is importing the client cert file via keytool.
Because I create the Radius Client in code and send authentication request.
I will look for how to set client cert file in my code.


Thanks & Regards,




On Wed, Nov 27, 2013 at 5:47 PM, John Dennis <jdennis@redhat.com> wrote:

> On 11/27/2013 10:15 AM, Esma Yalcinkaya wrote:
> > My application runs on glassfish server, so I import the cert files to
> > keystore. Also tried to import cert files to cacerts
> > directory(/java/jdk1.6.0_34/jre/lib/security/cacerts) but it did not
> work.
> >
> > I import the server.crt too, and try to authenticate now, but nothing
> > has changed.
> >
> > I am continuing to debug the logs(server logs, freeradius logs etc).
> >
> > Let me ask a question; I am new to freeradius. Although this error
> > occurs for SSLv3 read client certificate B, there is no error occurrence
> > for certificate A, as shown below.
> >
> > [tls]     TLS_accept: SSLv3 write certificate request A
> > [tls]     TLS_accept: SSLv3 flush data
> > [tls]     TLS_accept: Need to read more data: SSLv3 read client
> > certificate A
> >
> > I did not understand this log; what does "need to read more
> data" mean?
>
> It means exactly what Alan said below. It's waiting for the peer to send
> a client certificate.
>
> TLS works by performing a number of exchanges in what is called
> "handshaking". The handshake exchanges negotiate the type of TLS
> connection which is going to be established. Certificate exchange is
> part of the handshake process. A server certificate is always sent to
> the client so the client can validate the server. This is known as
> server only validation, the server does not care who the client is. But
> TLS is also capable of mutual authentication where the client must
> authenticate to the server as well so the server knows who the client
> is. This is the basis of eap-tls, it's using the client TLS validation
> as an authentication of the client. During the TLS handshake the server
> will send a request to the client saying "please send me your
> certificate". That's what is happening here, the server has made a
> request for a client cert and now it's waiting to read that response
> from the client. If that response does not arrive then this is not a
> FreeRADIUS issue, it's a problem with your eap-tls client.
>
>
> >     >     TLS_accept: error in SSLv3 read client certificate B
> >     > rlm_eap: SSL error error:140890C7:SSL
> >     > routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a
> certificate
> >
> >       The end user system isn't sending over a client certificate.
>
>
> --
> John
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
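As an added illustration, not code from this thread or from FreeRADIUS, the following Java class builds the kind of client-side SSLContext an EAP-TLS client needs in order to answer the server's "please send me your certificate" request; the file paths, store types and passwords are assumptions. It separates the two stores the thread conflates: a truststore (cacerts-style) only validates the server, while the client can only present a certificate if its keystore holds a private key entry, which `keytool -importcert` of a bare .crt file never creates.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.util.Enumeration;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Builds a client SSLContext able to answer the server's certificate request. */
public final class EapTlsClientContext {
    /** Loads a keystore; written without try-with-resources to stay Java 6 compatible. */
    static KeyStore loadStore(String type, String path, char[] pass) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        FileInputStream in = new FileInputStream(path);
        try {
            ks.load(in, pass);
        } finally {
            in.close();
        }
        return ks;
    }

    /** Alias of the first entry holding a private key plus certificate chain, or null. */
    static String findClientKeyAlias(KeyStore ks) throws Exception {
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            // "keytool -importcert" creates a trustedCertEntry (certificate, no private key).
            // A KeyManager cannot use it, so the server sees "peer did not return a certificate".
            if (ks.isKeyEntry(alias) && ks.getCertificateChain(alias) != null) {
                return alias;
            }
        }
        return null;
    }

    /** Paths, store types and passwords below are assumptions for this example. */
    static SSLContext build(String p12Path, char[] p12Pass,
                            String trustPath, char[] trustPass) throws Exception {
        KeyStore ks = loadStore("PKCS12", p12Path, p12Pass);   // client key + cert
        if (findClientKeyAlias(ks) == null) {
            throw new IllegalStateException("no private key entry: client cannot present a cert");
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, p12Pass);                                  // what we present to the server
        KeyStore ts = loadStore("JKS", trustPath, trustPass);   // CA that signed server.crt
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);                                           // how we validate the server
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }
}
```

The resulting SSLContext (or an SSLEngine from it) is what the EAP-TLS layer of a RADIUS client library would need to drive the handshake; `findClientKeyAlias` is also a quick way to confirm a keystore built with keytool actually contains a PrivateKeyEntry rather than only a trustedCertEntry.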

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
