Discussion:
Failed in SSLv3 read client certificate A
Michael Martinez
2016-06-02 14:45:45 UTC
Permalink
Trying to use EAP-TLS to authenticate an iPad on radius going through
a wireless access point that is controlled by a Lan controller Cisco
2504.
Seeing the following in the radius logs:

(48) eap_tls: ERROR: TLS_accept: Failed in SSLv3 read client certificate A
(48) eap_tls: ERROR: SSL says: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
(48) eap_tls: ERROR: SSL_read failed in a system call (-1), TLS session failed
(48) eap_tls: ERROR: TLS receive handshake failed during operation

My questions:

#1) I'm hoping someone may have experienced this before and knows
exactly how to fix it. "Oh yeah, you need to do blah on the iPad" or
"Oh you need to trust the CA on the lan controller" or whatever

#2) Is there a way to get more information from radius? It's unclear
whether Radius (a) received the client certificate but does not
understand it, or (b) did not receive the client certificate at all
--
---
Michael Martinez
http://www.michael--martinez.com
-
List info/subscribe/unsubscribe? See http:/
Michael Martinez
2016-06-03 15:50:10 UTC
Permalink
Anyone have any thoughts on this, please?
Stefan Paetow
2016-06-06 13:31:45 UTC
Permalink
Post by Michael Martinez
(48) eap_tls: ERROR: TLS_accept: Failed in SSLv3 read client certificate A
(48) eap_tls: ERROR: SSL says: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
(48) eap_tls: ERROR: SSL_read failed in a system call (-1), TLS session failed
(48) eap_tls: ERROR: TLS receive handshake failed during operation
Does the iPad have the CA certificate installed? Does it have the *correct* CA certificate installed? If there are intermediates, is the whole *chain* installed?
Post by Michael Martinez
#2) Is there a way to get more information from radius? It's unclear
whether Radius (a) received the client certificate but does not
understand it, or (b) did not receive the client certificate at all
As per the above link, chances are that the iPad didn't understand the cert, didn't like it, or something else is wrong with it, and subsequently said "Thanks but no thanks."

Stefan Paetow
Moonshot Industry & Research Liaison Coordinator

t: +44 (0)1235 822 125
gpg: 0x3FCE5142
xmpp: ***@jabber.dev.ja.net
skype: stefan.paetow.janet

jisc.ac.uk

Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
Michael Martinez
2016-06-14 21:32:22 UTC
Permalink
Post by Stefan Paetow
Does the iPad have the CA certificate installed? Does it have the *correct* CA certificate installed? If there are intermediates, is the whole *chain* installed?
Yes, we just double-checked this. Still getting the same error. Here's
a little more info from farther up in the logs. As you can see, it
seems to do everything correctly up to the point where it requests the
client certificate A:

(299) eap: Calling submodule eap_tls to process data
(299) eap_tls: Continuing EAP-TLS
(299) eap_tls: Peer indicated complete TLS record size will be 142 bytes
(299) eap_tls: Got complete TLS record (142 bytes)
(299) eap_tls: [eaptls verify] = length included
(299) eap_tls: (other): before/accept initialization
(299) eap_tls: TLS_accept: before/accept initialization
(299) eap_tls: <<< recv TLS 1.0 Handshake [length 0089], ClientHello
(299) eap_tls: TLS_accept: SSLv3 read client hello A
(299) eap_tls: >>> send TLS 1.0 Handshake [length 0059], ServerHello
(299) eap_tls: TLS_accept: SSLv3 write server hello A
(299) eap_tls: >>> send TLS 1.0 Handshake [length 08cd], Certificate
(299) eap_tls: TLS_accept: SSLv3 write certificate A
(299) eap_tls: >>> send TLS 1.0 Handshake [length 014b], ServerKeyExchange
(299) eap_tls: TLS_accept: SSLv3 write key exchange A
(299) eap_tls: >>> send TLS 1.0 Handshake [length 00b4], CertificateRequest
(299) eap_tls: TLS_accept: SSLv3 write certificate request A
(299) eap_tls: TLS_accept: SSLv3 flush data
(299) eap_tls: TLS_accept: Need to read more data: SSLv3 read client certificate A
(299) eap_tls: TLS_accept: Need to read more data: SSLv3 read client certificate A
(299) eap_tls: In SSL Handshake Phase
(299) eap_tls: In SSL Accept mode
(299) eap_tls: [eaptls process] = handled
(299) eap: Sending EAP Request (code 1) ID 4 length 1004
(299) eap: EAP session adding &reply:State = 0x41fc0bf743f80689
(299) [eap] = handled
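An added example, not part of this thread and not FreeRADIUS code: a small Python script that reads eap_tls debug lines like the ones quoted above and answers question #2 from the log alone, i.e. whether the server ever received a client Certificate message, received a TLS alert, or simply never heard back after sending CertificateRequest. The sample log is constructed from the two excerpts in this thread joined as one session; the `<<< recv ... Alert [length 0002], fatal unknown_ca` line format used for the alert case is assumed to match FreeRADIUS 3.0.x debug output and is a constructed line, not one from the thread.

```python
import re

# Constructed sample: the two FreeRADIUS debug excerpts quoted in this thread,
# joined in the order they occur in one EAP-TLS session. (The request numbers
# differ in the real log because every EAP round trip is a new RADIUS packet;
# to analyse a live log, collect the lines for one EAP session first.)
SAMPLE_LOG = """\
(299) eap_tls: <<< recv TLS 1.0 Handshake [length 0089], ClientHello
(299) eap_tls: TLS_accept: SSLv3 read client hello A
(299) eap_tls: >>> send TLS 1.0 Handshake [length 0059], ServerHello
(299) eap_tls: >>> send TLS 1.0 Handshake [length 08cd], Certificate
(299) eap_tls: >>> send TLS 1.0 Handshake [length 014b], ServerKeyExchange
(299) eap_tls: >>> send TLS 1.0 Handshake [length 00b4], CertificateRequest
(299) eap_tls: TLS_accept: Need to read more data: SSLv3 read client certificate A
(48) eap_tls: ERROR: TLS_accept: Failed in SSLv3 read client certificate A
(48) eap_tls: ERROR: SSL says: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
(48) eap_tls: ERROR: SSL_read failed in a system call (-1), TLS session failed
"""

# ">>> send" lines are messages the server emitted, "<<< recv" lines are what
# the supplicant sent back. Alerts arrive on the same "<<< recv" path.
MSG_RE = re.compile(
    r"eap_tls: (?P<dir><<<|>>>) (?:recv|send) TLS [\d.]+ (?P<kind>Handshake|Alert) "
    r"\[length (?P<len>[0-9a-f]+)\](?:, (?P<detail>.+))?$"
)
ERR_RE = re.compile(r"eap_tls: ERROR: (?P<text>.+)$")

# A TLS Certificate handshake message with an empty certificate_list is exactly
# 4 bytes of handshake header + 3 bytes of zero list length.
EMPTY_CERT_LEN = 7


def parse_session(log_text):
    """Split one session's log into (sent, received, errors).

    sent/received hold (kind, detail, length) tuples in log order, e.g.
    ("Handshake", "CertificateRequest", 180) or ("Alert", "fatal unknown_ca", 2).
    """
    sent, received, errors = [], [], []
    for line in log_text.splitlines():
        m = MSG_RE.search(line)
        if m:
            entry = (m.group("kind"), (m.group("detail") or "").strip(), int(m.group("len"), 16))
            (sent if m.group("dir") == ">>>" else received).append(entry)
            continue
        e = ERR_RE.search(line)
        if e:
            errors.append(e.group("text"))
    return sent, received, errors


def classify(sent, received, errors):
    """Say which side gave up, and at which step, from the parsed session."""
    sent_hs = [d for k, d, _ in sent if k == "Handshake"]
    recv_hs = {d: n for k, d, n in received if k == "Handshake"}
    alerts = [d for k, d, _ in received if k == "Alert"]
    err_text = " ".join(errors).lower()
    last_sent = sent_hs[-1] if sent_hs else "nothing"

    if "Certificate" in recv_hs:
        # Case (a) territory: the supplicant did answer the CertificateRequest.
        if recv_hs["Certificate"] <= EMPTY_CERT_LEN:
            return "client sent an empty Certificate message (no client certificate selected)"
        if "verify" in err_text or "unknown ca" in err_text:
            return "server received client certificate and rejected it"
        return "client certificate received; failure is after client authentication"
    if alerts:
        # The supplicant said why it stopped; unknown_ca means it rejected our chain.
        return "client sent TLS alert '%s' after server sent %s" % (alerts[-1], last_sent)
    if "CertificateRequest" in sent_hs and "read client certificate" in err_text:
        # Case (b): we asked for a client certificate and never got one, nor an
        # alert. The supplicant walked away after seeing the server Certificate,
        # so the reason is only visible in the supplicant's own logs.
        return "no client certificate received after CertificateRequest"
    return "handshake incomplete; last server message: %s" % last_sent


def diagnose(log_text):
    return classify(*parse_session(log_text))


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

Run against the thread's lines it reports case (b): the server sent its Certificate and a CertificateRequest, then the stream died with neither a client Certificate nor an alert. That is the signature of a supplicant that rejected the server certificate, which is why the next useful step is the client-side log rather than more RADIUS debugging.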
Michael Martinez
2016-06-17 20:23:10 UTC
Permalink
We really need to get this working. We're stumped on it. Anybody have
any thoughts?
Arran Cudbard-Bell
2016-06-17 20:25:52 UTC
Permalink
Post by Michael Martinez
We really need to get this working. We're stumped on it. Anybody have
any thoughts?
http://lemonjar.com/iosconsole/

Look through the logs.

See what the supplicant is doing.

-Arran
Michael Martinez
2016-06-18 17:40:13 UTC
Permalink
On Fri, Jun 17, 2016 at 1:25 PM, Arran Cudbard-Bell
Post by Arran Cudbard-Bell
http://lemonjar.com/iosconsole/
Look through the logs.
See what the supplicant is doing.
Excellent suggestion. Thanks.
Post by Arran Cudbard-Bell
Set disable_tlsv1_2 in the EAP module.
I'm not sure what that does, but I'll look into it. Thanks!
Post by Arran Cudbard-Bell
But realistically... see the client logs for why the client doesn't like the server.
Yes, I'm going to ask the IT guy to do this. thank you.

On Fri, Jun 17, 2016 at 1:34 PM, Arran Cudbard-Bell
Post by Arran Cudbard-Bell
There are, fortunately, and iOS devices will even send them to you over syslog :)
Good to know.

Thanks for the suggestions, guys. If we can get this working, then it
wraps up this project. This is the final little piece.
Alan DeKok
2016-06-17 20:26:08 UTC
Permalink
Post by Michael Martinez
We really need to get this working. We're stumped on it. Anybody have
any thoughts?
Set disable_tlsv1_2 in the EAP module.

But realistically... see the client logs for why the client doesn't like the server.

Oh, there are no client logs? The people who sold you the client hate you.

:(

Alan DeKok.


Arran Cudbard-Bell
2016-06-17 20:34:59 UTC
Permalink
Post by Alan DeKok
Post by Michael Martinez
We really need to get this working. We're stumped on it. Anybody have
any thoughts?
Set disable_tlsv1_2 in the EAP module.
But realistically... see the client logs for why the client doesn't like the server.
Oh, there are no client logs? The people who sold you the client hate you.
There are, fortunately, and iOS devices will even send them to you over syslog :)

-Arran
Michael Martinez
2016-06-18 18:00:02 UTC
Permalink
Post by Alan DeKok
Post by Michael Martinez
We really need to get this working. We're stumped on it. Anybody have
any thoughts?
Set disable_tlsv1_2 in the EAP module.
Maybe slightly off-topic, but how do I find which ssl library my
freeradius server is compiled with? I do:
***@2-rpi:/usr/local/freeradius/etc/raddb# ldd /usr/local/freeradius/sbin/radiusd
/usr/lib/arm-linux-gnueabihf/libcofi_rpi.so (0xb6f7e000)
libfreeradius-server.so => /usr/local/freeradius/lib/libfreeradius-server.so (0xb6f4e000)
.....<snip>

But nothing about ssl libraries shows up there.

I do: strings /usr/local/freeradius/sbin/radiusd | grep -iE "openssl.*1"
and I see a lot of references to openssl 1.0.2.f:
Diffie-Hellman part of OpenSSL 1.0.2f 28 Jan 2016

so, pretty clear it's compiled against 1.0.2.f. But out of curiosity
is there a way to definitely find out?

And, it seems "disable_tlsv1_2" was added as a way to get around some
problems with older versions of openssl. But will it actually help in
my case?
Arran Cudbard-Bell
2016-06-18 18:09:29 UTC
Permalink
Post by Michael Martinez
Post by Alan DeKok
Post by Michael Martinez
We really need to get this working. We're stumped on it. Anybody have
any thoughts?
Set disable_tlsv1_2 in the EAP module.
Maybe slightly off-topic, but how do I find which ssl library my
/usr/local/freeradius/sbin/radiusd
/usr/lib/arm-linux-gnueabihf/libcofi_rpi.so (0xb6f7e000)
libfreeradius-server.so =>
/usr/local/freeradius/lib/libfreeradius-server.so (0xb6f4e000)
.....<snip>
But nothing about ssl libraries shows up there.
libfreeradius-server.so links against libssl, radiusd and the utilities don't.

-Arran

Arran Cudbard-Bell <***@freeradius.org>
FreeRADIUS Development Team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Arran Cudbard-Bell
2016-06-18 23:50:27 UTC
Permalink
Post by Michael Martinez
Post by Alan DeKok
Post by Michael Martinez
We really need to get this working. We're stumped on it. Anybody have
any thoughts?
Set disable_tlsv1_2 in the EAP module.
Maybe slightly off-topic, but how do I find which ssl library my
/usr/local/freeradius/sbin/radiusd
/usr/lib/arm-linux-gnueabihf/libcofi_rpi.so (0xb6f7e000)
libfreeradius-server.so =>
/usr/local/freeradius/lib/libfreeradius-server.so (0xb6f4e000)
.....<snip>
But nothing about ssl libraries shows up there.
I do: strings /usr/local/freeradius/sbin/radiusd | grep -iE "openssl.*1"
Diffie-Hellman part of OpenSSL 1.0.2f 28 Jan 2016
so, pretty clear it's compiled against 1.0.2.f. But out of curiosity
is there a way to definitely find out?
/usr/local/freeradius/sbin/radiusd -v

Is more accurate than using ldd. It calls a version function in OpenSSL
to get the version, it doesn't use compile time macros.
Post by Michael Martinez
And, it seems "disable_tlsv1_2" was added as a way to get around some
problems with older versions of openssl. But will it actually help in
my case?
Probably not. But just in case the apple supplicant is broken its worth trying.

-Arran

Michael Martinez
2016-06-22 17:12:28 UTC
Permalink
On Sat, Jun 18, 2016 at 4:50 PM, Arran Cudbard-Bell
Post by Arran Cudbard-Bell
/usr/local/freeradius/sbin/radiusd -v
Is more accurate than using ldd. It calls a version function in OpenSSL
to get the version, it doesn't use compile time macros.
Awesome, thanks.

FYI, we were able to crack open the iPad logs, and found the following
interesting entries:

Jun 21 14:15:03 iPad eapolclient[178] <Error>: SecTrustEvaluate [leaf AnchorTrusted]
Jun 21 14:15:03 iPad eapolclient[178] <Notice>: [eaptls_plugin.c:291] eaptls_verify_server(): server certificate not trusted status 1001 -9807
Jun 21 14:15:03 iPad kernel[0] <Notice>: 000220.437816 wlan0.N[82] AppleBCMWLANCore::setCIPHER_KEY(): [eapolclient]: type = CIPHER_MSK, index = 0, flags = 0x0, key length = 0, key rsc length = 0
Jun 21 14:15:03 iPad eapolclient[178] <Notice>: en0 EAP-TLS: authentication failed with status 1001

So, it appears we need to set the iPad to trust my self-signed server
certificate, and then it should work.

Michael Martinez
2016-06-22 17:16:10 UTC
Permalink
Ok I may have spoken too soon. I just found this online:
"Apparently starting with iOS 9.1, if the RADIUS cert does not contain
the "Key Encipherment" flag, iOS will reject authentication with:
Oct 1 11:27:29.752545 TiPadAir2 eapolclient[455]: [eaptls_plugin.c:292] eaptls_verify_server(): server certificate not trusted status 1001 -9807"

I'm guessing this is probably what I need to do to get this to work.
Anyone know what this "Key Encipherment" flag is, and how to include
it in the Radius cert?
Alan DeKok
2016-06-22 17:44:04 UTC
Permalink
Post by Michael Martinez
"Apparently starting with iOS 9.1, if the RADIUS cert does not contain
[eaptls_plugin.c:292] eaptls_verify_server(): server certificate not
trusted status 1001 -9807"
That's not *quite* what it says:

http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/iOS-OSX-Security-Changes-and-ClearPass/td-p/247291

... It turns out that if you use a ClearPass-signed RADIUS certificate and you do not specify https as the certificate type when you sign the CSR, ...

I haven't seen any problems with iOS.
Post by Michael Martinez
I'm guessing this is probably what I need to do to get this to work.
Anyone know what this "Key Encipherment" flag is, and how to include
it in the Radius cert?
My guess is that you created a server certificate without the xpextensions file. i.e. printing a *good* certificate gets me:

...
X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 CRL Distribution Points:
URI:http://www.example.com/example_ca.crl
...

Your server certificate is probably missing those extensions.

Fix that, and you won't need the key usage flag.

Alan DeKok.


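An added example, not from this thread or from the FreeRADIUS project, to answer "what is this Key Encipherment flag": it is bit 2 of the X509v3 Key Usage BIT STRING (RFC 5280), and "TLS Web Server Authentication" is the serverAuth OID 1.3.6.1.5.5.7.3.1 inside the Extended Key Usage SEQUENCE. The Python below decodes both extension values from their raw DER and lists what is missing for the checks the thread attributes to iOS 9.1. The sample extension bytes are constructed inline, not taken from any real certificate; on a real server.crt you would pull the extension values out with an ASN.1 tool such as `openssl asn1parse` (assumed, not shown), or simply read the decoded form that `openssl x509 -noout -text` prints.

```python
# Names of the KeyUsage bits in order, bit 0 being the most significant bit of
# the BIT STRING (RFC 5280 section 4.2.1.3). "Key Encipherment" is bit 2.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]

# ExtendedKeyUsage members (RFC 5280 section 4.2.1.12); the first is what
# openssl prints as "TLS Web Server Authentication".
EKU_NAMES = {
    "1.3.6.1.5.5.7.3.1": "serverAuth",
    "1.3.6.1.5.5.7.3.2": "clientAuth",
}

# Constructed sample extension values (DER), not taken from any real certificate:
GOOD_KEY_USAGE = bytes.fromhex("030205a0")       # BIT STRING: digitalSignature, keyEncipherment
SIGN_ONLY_KEY_USAGE = bytes.fromhex("03020780")  # BIT STRING: digitalSignature only
SERVER_EKU = bytes.fromhex("300a06082b06010505070301")  # SEQUENCE { serverAuth }
CLIENT_EKU = bytes.fromhex("300a06082b06010505070302")  # SEQUENCE { clientAuth }


def der_tlv(buf, pos=0):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    """OID content octets to dotted form; the first octet packs the first two arcs."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends a base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def parse_key_usage(der):
    """Return the set of KeyUsage names asserted in a DER BIT STRING."""
    tag, value, _ = der_tlv(der)
    if tag != 0x03:
        raise ValueError("KeyUsage must be a BIT STRING")
    unused, body = value[0], value[1:]    # first octet = unused bits in last octet
    nbits = len(body) * 8 - unused
    return {name for i, name in enumerate(KEY_USAGE_BITS)
            if i < nbits and (body[i // 8] >> (7 - i % 8)) & 1}


def parse_eku(der):
    """Return the ExtendedKeyUsage members (names where known, else dotted OIDs)."""
    tag, value, _ = der_tlv(der)
    if tag != 0x30:
        raise ValueError("ExtendedKeyUsage must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(value):
        t, v, pos = der_tlv(value, pos)
        if t != 0x06:
            raise ValueError("ExtendedKeyUsage members must be OBJECT IDENTIFIERs")
        oid = decode_oid(v)
        oids.append(EKU_NAMES.get(oid, oid))
    return oids


def check_radius_server_cert(key_usage_der, eku_der):
    """List what is missing for the checks this thread attributes to iOS 9.1,
    plus the signing bit a DHE/ECDHE ServerKeyExchange (seen in the logs) needs."""
    ku, eku = parse_key_usage(key_usage_der), parse_eku(eku_der)
    problems = []
    if "serverAuth" not in eku:
        problems.append("EKU lacks serverAuth (TLS Web Server Authentication)")
    if "keyEncipherment" not in ku:
        problems.append("KeyUsage lacks keyEncipherment")
    if "digitalSignature" not in ku:
        problems.append("KeyUsage lacks digitalSignature (needed to sign ServerKeyExchange)")
    return problems


if __name__ == "__main__":
    print(parse_key_usage(GOOD_KEY_USAGE), parse_eku(SERVER_EKU))
    print(check_radius_server_cert(SIGN_ONLY_KEY_USAGE, CLIENT_EKU))
```

Two caveats worth keeping in mind. The xpextensions file shipped with the FreeRADIUS certs Makefile is where the EKU comes from, so a certificate generated with it shows "TLS Web Server Authentication" as in the output above; the Key Usage bits are a separate extension, written in OpenSSL extension-config syntax as `keyUsage = digitalSignature, keyEncipherment`. And because the server in this thread sends a ServerKeyExchange (a DHE/ECDHE suite), the certificate key is used to sign, so dropping digitalSignature in favour of keyEncipherment alone would break the handshake in a different way.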
Michael Martinez
2016-06-22 18:18:11 UTC
Permalink
Post by Alan DeKok
http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/iOS-OSX-Security-Changes-and-ClearPass/td-p/247291
... It turns out that if you use a ClearPass-signed RADIUS certificate and you do not specify https as the certificate type when you sign the CSR, ...
I haven't seen any problems with iOS.
...
TLS Web Server Authentication
URI:http://www.example.com/example_ca.crl
...
Your server certificate is probably missing those extensions.
I'm using the Makefile which is included in the
freeradius/examples/certs folder, and it already includes
xpextensions. Here's what I see when I double-check my server.crt:
X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 CRL Distribution Points:

Full Name:
URI:http://www.example.com/example_ca.crl

Any other thoughts or suggestions?
Alan DeKok
2016-06-22 18:39:19 UTC
Permalink
Post by Michael Martinez
I'm using the Makefile which is included in the
freeradius/examples/certs folder, and it already includes
Then I don't know. I use iOS devices every day with FreeRADIUS, and I've never seen that error.

Alan DeKok.


A***@lboro.ac.uk
2016-06-22 20:44:54 UTC
Permalink
Hi,
Post by Michael Martinez
I'm using the Makefile which is included in the
freeradius/examples/certs folder, and it already includes
what age/version of the server - the Makefile has been changed a lot - we keep up with requirements..... it's likely, for example, that with an old Makefile you
still have e.g. an MD5 root CA or server cert - iOS 9 will *not* like that - use
SHA-256 now - grab the latest source code/Makefile....

we haven't done anything special with our local CA and RADIUS server
cert - iOS devices all fine. (how are you deploying config - getting the
root CA onto the devices - a mobileconfig file? )

alan
Michael Martinez
2016-06-28 00:12:08 UTC
Permalink
Happy to report this issue was resolved by going onto the iPad and
importing and trusting the radius server public cert. Nothing needed
to be done on the server side.
Matthew Newton
2016-06-22 20:27:55 UTC
Permalink
Post by Alan DeKok
Then I don't know. I use iOS devices every day with
FreeRADIUS, and I've never seen that error.
Ditto.
Post by Alan DeKok
So, it appears we need to set the iPad to trust my self-signed server
certificate, and then it should work.
This makes me wonder.

Have you tried with a standard CAcert/Server Cert, rather than
self-signed?

Trust the CAcert on the device, not a self-signed server cert.

Matthew
--
Matthew Newton, Ph.D. <***@leicester.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <***@le.ac.uk>