Re: Cannot run "TLS" and "LEAP" configuration

On Sat, 2011-12-03 at 12:50 +0530, Ajay Garg wrote:
> Thanks Dan for the reply.
> 
> I tried your suggestions, and here are the findings ::
> 
> 1. I first tried to get the "Connect" button activated somehow.
>    So, using the File-Choose-widget for "Private Key" in nm-applet, I
>    navigated to the "/usr/local/etc/raddb/certs" directory, and could ONLY
>    see "client.p12" (in the nm-applet file-choose widget, that is).
>    So, I selected it as the "Private Key" (assuming that it was the
>    only legitimate entry :-)
> 
> 2. I then entered "whatever" as the "Private Key Password". The
>    "Connect" button got activated (and it got activated only when I
>    typed "whatever", and nothing else).

PKCS#12 files contain both the client certificate and the private key,
which is why the chooser is grayed out: it should show the same .p12
file in both entries.

> 3. So, I believe, steps 1 and 2, are kind of forced by the nm-applet.
> Good.
> 
> 4. Also, I entered "/usr/local/etc/raddb/certs/ca.pem" as the "CA
> certificate".
> 
> 5. The "Client Certificate" field had become deactivated/insensitive,
> after following steps 1 and 2. So, I believe that is not required.

Right; the p12 contains both so they must be the same, and the applet
enforces that.

> 6. I changed permissions for "/usr/local/etc/raddb/certs/client.p12"
> and "/usr/local/etc/raddb/certs/ca.pem" to 0777.

You shouldn't need to do that; they only need to be readable by
everyone (0644).

> 7. I clicked "Connect".
> 
> 8. There was a lot of activity on the freeradius server side. The
>    error I could figure out was as follows ::
> 
> -----------------------------------------------------------------------------------------------------------------------------------------------------------------
> TLS Alert read:fatal:decrypt error
>     TLS_accept: failed in SSLv3 read client certificate A
> rlm_eap: SSL error error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1
> alert decrypt error
> SSL: SSL_read failed inside of TLS (-1), TLS session fails.
> -----------------------------------------------------------------------------------------------------------------------------------------------------------------

First off I'd try to use openssl to unpack the p12 file and show the
contents including dumping the private key and client cert to text just
to make sure that they aren't corrupted.  Next, make sure the cipher
you're using in the private key and the hash algorithm that the client
cert is using are supported by the OpenSSL implementation on the
freeradius server.

And just to make sure, try running wpa_supplicant by itself by stopping
NetworkManager and creating a wpa_supplicant config file with the right
options (you'll see what NM is sending in /var/log/messages, which you
might be able to use as a basis) and see if that has the same problems.
If it does, then the problem is likely with the certificate, freeradius,
wpa_supplicant, or a combination of the three.

Beyond that, I don't know; you probably want to follow up with the
freeradius project since this is not my area of expertise.  But what I
can say is that it appears that everything NM-related is working
correctly, since the client is able to talk to the RADIUS server and
begin the EAP exchange.

Dan
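The two checks Dan suggests above (unpack the .p12 with openssl and inspect what it contains, then try wpa_supplicant on its own with a hand-written config) as one shell script. This is an added example, not code from the thread or from NetworkManager/wpa_supplicant/freeradius. File names, the password and the SSID/identity passed to the functions are assumptions; the paths and the "whatever" password from the thread are only used as an illustration of the invocation. check_p12 does what a "decrypt error" alert from the RADIUS side makes you want to verify first: the bundle opens with the password you think it has, the private key actually matches the certificate, the certificate chains to the ca.pem the supplicant will be told to trust, and the signature/hash algorithm and key size the server's OpenSSL must support are printed. write_eap_tls_conf then writes the minimal EAP-TLS network block for a PKCS#12 bundle (with a .p12, only private_key is set and client_cert stays unset, which is the same rule the applet enforces).

```shell
#!/bin/sh
# Added example (not from the original thread): sanity-check an EAP-TLS
# client PKCS#12 bundle with openssl, then write a wpa_supplicant config
# that uses it. All file names and passwords are assumptions.
set -eu

# Usage: check_p12 client.p12 'password' ca.pem
# Returns 0 when the bundle unpacks, key and cert match, and the cert
# verifies against ca.pem; prints a FAIL line and returns 1 otherwise.
# Caveat: a .p12 written by old OpenSSL (RC2-40 encryption) needs
# "-legacy" on the pkcs12 commands when read with OpenSSL 3.
check_p12() {
    c_p12=$1; c_pass=$2; c_ca=$3
    c_tmp=$(mktemp -d)
    # Client certificate only (-clcerts skips any bundled CA certs).
    if ! openssl pkcs12 -in "$c_p12" -passin "pass:$c_pass" -clcerts -nokeys \
            -out "$c_tmp/cert.pem" 2>/dev/null; then
        echo "FAIL: cannot unpack $c_p12 (wrong password or corrupt/unsupported file)"
        rm -rf "$c_tmp"; return 1
    fi
    # Private key, written unencrypted (-nodes) so it can be inspected.
    if ! openssl pkcs12 -in "$c_p12" -passin "pass:$c_pass" -nocerts -nodes \
            -out "$c_tmp/key.pem" 2>/dev/null; then
        echo "FAIL: cannot extract private key from $c_p12"
        rm -rf "$c_tmp"; return 1
    fi
    # What the RADIUS server's OpenSSL has to support: signature algorithm
    # (hash) of the client cert and the public key type/size.
    openssl x509 -in "$c_tmp/cert.pem" -noout -subject -issuer
    openssl x509 -in "$c_tmp/cert.pem" -noout -text \
        | grep -E 'Signature Algorithm|Public-Key' | sort -u
    # The key must belong to the certificate: compare SubjectPublicKeyInfo.
    c_certpub=$(openssl x509 -in "$c_tmp/cert.pem" -noout -pubkey | openssl sha256)
    c_keypub=$(openssl pkey -in "$c_tmp/key.pem" -pubout | openssl sha256)
    if [ "$c_certpub" != "$c_keypub" ]; then
        echo "FAIL: private key in $c_p12 does not match its certificate"
        rm -rf "$c_tmp"; return 1
    fi
    # The certificate must chain to the CA the supplicant will be given.
    if ! openssl verify -CAfile "$c_ca" "$c_tmp/cert.pem" 2>/dev/null | grep -q ': OK$'; then
        echo "FAIL: certificate in $c_p12 does not verify against $c_ca"
        rm -rf "$c_tmp"; return 1
    fi
    rm -rf "$c_tmp"
    echo "OK: $c_p12 unpacks, key matches cert, cert chains to $c_ca"
}

# Usage: write_eap_tls_conf out.conf SSID identity client.p12 'password' ca.pem
# Minimal wpa_supplicant.conf for EAP-TLS with a PKCS#12 bundle. Only
# private_key is set; client_cert is left out because the .p12 carries
# both the certificate and the key.
write_eap_tls_conf() {
    w_out=$1; w_ssid=$2; w_ident=$3; w_p12=$4; w_pass=$5; w_ca=$6
    cat > "$w_out" <<EOF
ctrl_interface=/var/run/wpa_supplicant
network={
    ssid="$w_ssid"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="$w_ident"
    ca_cert="$w_ca"
    private_key="$w_p12"
    private_key_passwd="$w_pass"
}
EOF
    chmod 600 "$w_out"   # the file holds the key password
}

# Stand-alone use (values from the thread, as an illustration):
#   sh check_p12.sh /usr/local/etc/raddb/certs/client.p12 whatever \
#      /usr/local/etc/raddb/certs/ca.pem
if [ $# -eq 3 ]; then
    check_p12 "$1" "$2" "$3"
fi
```

With NetworkManager stopped, the generated file can be tried directly, for example `wpa_supplicant -i wlan0 -D nl80211 -c /tmp/eap-tls.conf -d`; the -d output shows the TLS handshake from the supplicant's side, so a failure there that matches the freeradius log points at the certificate, the RADIUS server or the supplicant rather than at NM.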
