[Eisfair] Problem with new libssl! and freeradius?

Stephan Manske usenet-reply at stephan.manske-net.de
Mon Jan 16 16:31:55 CET 2012


Hello!

Today I ran into a massive problem with the certificate processing of my
freeradius package:


When a client tries to log in with a certificate, it does not
work:

Client 1:

 Info: Ready to process requests.
 Error: --> verify error:num=8:CRL signature failure
 Error: TLS Alert write:fatal:decrypt error
 Error:     TLS_accept: error in SSLv3 read client certificate B
 Error: rlm_eap: SSL error error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1
 Error: SSL: SSL_read failed inside of TLS (-1), TLS session fails.
 Auth: Login incorrect (CRL signature failure): [SMARTPHONE/<via Auth-Type =
 Error: --> verify error:num=8:CRL signature failure
 Error: TLS Alert write:fatal:decrypt error
 Error:     TLS_accept: error in SSLv3 read client certificate B
 Error: rlm_eap: SSL error error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1
 Error: SSL: SSL_read failed inside of TLS (-1), TLS session fails.
 Auth: Login incorrect (CRL signature failure): [SMARTPHONE/<via Auth-Type =
 Error: --> verify error:num=8:CRL signature failure
 Error: TLS Alert write:fatal:decrypt error
 Error:     TLS_accept: error in SSLv3 read client certificate B
 Error: rlm_eap: SSL error error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1
 Error: SSL: SSL_read failed inside of TLS (-1), TLS session fails.
 Auth: Login incorrect (CRL signature failure): [SMARTPHONE/<via Auth-Type =
 Error: --> verify error:num=8:CRL signature failure
 Error: TLS Alert write:fatal:decrypt error
 Error:     TLS_accept: error in SSLv3 read client certificate B
 Error: rlm_eap: SSL error error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1
 Error: SSL: SSL_read failed inside of TLS (-1), TLS session fails.
 Auth: Login incorrect (CRL signature failure): [SMARTPHONE/<via Auth-Type =

Client 2:

 Info: Ready to process requests.
 Error: --> verify error:num=7:certificate signature failure
 Error: TLS Alert write:fatal:decrypt error
 Error:     TLS_accept: error in SSLv3 read client certificate B
 Error: rlm_eap: SSL error error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01
 Error: SSL: SSL_read failed inside of TLS (-1), TLS session fails.
 Auth: Login incorrect (certificate signature failure): [LAPTOP/<via Auth-Type = EAP>] (from client wlan-ap port 3 cli 000e2e522e7f)
 Error: --> verify error:num=7:certificate signature failure
 Error: TLS Alert write:fatal:decrypt error
 Error:     TLS_accept: error in SSLv3 read client certificate B
 Error: rlm_eap: SSL error error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01
 Error: SSL: SSL_read failed inside of TLS (-1), TLS session fails.
 Auth: Login incorrect (certificate signature failure): [LAPTOP/<via Auth-Type = EAP>] (from client wlan-ap port 3 cli 000e2e522e7f)
 Error: --> verify error:num=7:certificate signature failure
 Error: TLS Alert write:fatal:decrypt error
 Error:     TLS_accept: error in SSLv3 read client certificate B
 Error: rlm_eap: SSL error error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01
 Error: SSL: SSL_read failed inside of TLS (-1), TLS session fails.
 Auth: Login incorrect (certificate signature failure): [LAPTOP/<via Auth-Type = EAP>] (from client wlan-ap port 3 cli 000e2e522e7f)




I only noticed this today because the other clients use user/pass;
the last successful certificate login was about a week ago.


The certificates are the same, they have not expired, and I have
renewed the CRL ...


The only thing I have changed in the last few days is an
update of Library: Neon and, with it, libssl(-dev) (Library: OpenSSL).


Is anyone else using freeradius with certificates for login and having
problems with the new libssl version?


Can I get the previous libssl version from somewhere for testing?



Ciao, Stephan

-- 
E-Mail: stephan at manske-net.de - WWW: http://stephan.manske-net.de/     //
                                                          PGP 2.6.3i \X/
Pilot: "...Tower, please call me a fuel truck."
Tower: "Roger. You are a fuel truck."

