freeradius error: error:140890C7:SSL routines:ssl3_get_client_certificate:peer did not return a certificate

While testing 802.1X I ran into the following problem:

Waking up in 4.6 seconds.
(156) Received Access-Request Id 82 from 192.168.1.126:44896 to 192.168.1.122:1812 length 524
(156)   User-Name = "dddddd"
(156)   Called-Station-Id = "70-CC-CC-E3-00-91:myssid"
(156)   NAS-Port-Type = Wireless-802.11
(156)   NAS-Port = 1
(156)   Calling-Station-Id = "70-CC-CC-E1-22-35"
(156)   Connect-Info = "CONNECT 54Mbps 802.11g"
(156)   Acct-Session-Id = "59BD3E8C-000000DB"
(156)   Framed-MTU = 1400
(156)   EAP-Message = 0x025101580d0016030100070b00000300000016030101061000010201005334a243b0db1f6b723285cb5c7e721c0c14fde8164460fdf99b40e26ef1e98c4388577b61732cf224c668bd961722be74963d055c18293b95d9ed937e331d4ad0f0afaba131a9a3d1c8d1b44d201a9a26ff9ddf6b26deb7ee58
(156)   State = 0xf8598809fd08850a5fc36ea7518e8167
(156)   Message-Authenticator = 0x33eb613f3409a98c69ee6ab0e649785b
(156) session-state: No cached attributes
(156) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(156)   authorize {
(156)     policy filter_username {
(156)       if (&User-Name) {
(156)       if (&User-Name)  -> TRUE
(156)       if (&User-Name)  {
(156)         if (&User-Name =~ / /) {
(156)         if (&User-Name =~ / /)  -> FALSE
(156)         if (&User-Name =~ /@[^@]*@/ ) {
(156)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(156)         if (&User-Name =~ /\.\./ ) {
(156)         if (&User-Name =~ /\.\./ )  -> FALSE
(156)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(156)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(156)         if (&User-Name =~ /\.$/)  {
(156)         if (&User-Name =~ /\.$/)   -> FALSE
(156)         if (&User-Name =~ /@\./)  {
(156)         if (&User-Name =~ /@\./)   -> FALSE
(156)       } # if (&User-Name)  = notfound
(156)     } # policy filter_username = notfound
(156)     [preprocess] = ok
(156)     [chap] = noop
(156)     [mschap] = noop
(156)     [digest] = noop
(156) suffix: Checking for suffix after "@"
(156) suffix: No '@' in User-Name = "dddddd", looking up realm NULL
(156) suffix: No such realm "NULL"
(156)     [suffix] = noop
(156) eap: Peer sent EAP Response (code 2) ID 81 length 344
(156) eap: No EAP Start, assuming it's an on-going EAP conversation
(156)     [eap] = updated
(156) files: users: Matched entry huwomo at line 221
(156)     [files] = ok
(156)     [expiration] = noop
(156)     [logintime] = noop
(156) pap: WARNING: Auth-Type already set.  Not setting to PAP
(156)     [pap] = noop
(156)   } # authorize = updated
(156) Found Auth-Type = eap
(156) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(156)   authenticate {
(156) eap: Expiring EAP session with state 0xf8598809fd08850a
(156) eap: Finished EAP session with state 0xf8598809fd08850a
(156) eap: Previous EAP request found for state 0xf8598809fd08850a, released from the list
(156) eap: Peer sent packet with method EAP TLS (13)
(156) eap: Calling submodule eap_tls to process data
(156) eap_tls: Continuing EAP-TLS
(156) eap_tls: [eaptls verify] = ok
(156) eap_tls: Done initial handshake
(156) eap_tls: <<< recv TLS 1.0 Handshake [length 0007], Certificate
(156) eap_tls: >>> send TLS 1.0 Alert [length 0002], fatal handshake_failure
(156) eap_tls: ERROR: TLS Alert write:fatal:handshake failure
tls: TLS_accept: Error in error
(156) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:140890C7:SSL routines:ssl3_get_client_certificate:peer did not return a certificate
(156) eap_tls: ERROR: System call (I/O) error (-1)
(156) eap_tls: ERROR: TLS receive handshake failed during operation
(156) eap_tls: ERROR: [eaptls process] = fail
(156) eap: ERROR: Failed continuing EAP TLS (13) session.  EAP sub-module failed
(156) eap: Sending EAP Failure (code 4) ID 81 length 4
(156) eap: Failed in EAP select
(156)     [eap] = invalid
(156)   } # authenticate = invalid
(156) Failed to authenticate the user
(156) Using Post-Auth-Type Reject
(156) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(156)   Post-Auth-Type REJECT {
(156) attr_filter.access_reject: EXPAND %{User-Name}
(156) attr_filter.access_reject:    --> huwomo
(156) attr_filter.access_reject: Matched entry DEFAULT at line 11
(156)     [attr_filter.access_reject] = updated
(156)     [eap] = noop
(156)     policy remove_reply_message_if_eap {
(156)       if (&reply:EAP-Message && &reply:Reply-Message) {
(156)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(156)       else {
(156)         [noop] = noop
(156)       } # else = noop
(156)     } # policy remove_reply_message_if_eap = noop
(156)   } # Post-Auth-Type REJECT = updated
(156) Login incorrect (eap_tls: TLS Alert write:fatal:handshake failure): [huwomo] (from client hwm port 1 cli 78-C2-C0-E1-22-35)
(156) Delaying response for 1.000000 seconds

During the EAP-TLS test the FreeRADIUS server fails as shown above: it never obtains a valid client certificate. The log already says why in detail. The server had sent a CertificateRequest, and the client's reply (the EAP-Message above, an EAP Response with id 81 carrying EAP-TLS data) begins with a TLS handshake record of length 0007 whose Certificate message holds a certificate list of length zero, i.e. an empty Certificate message. OpenSSL reports that as "peer did not return a certificate", and the server answers with a fatal handshake_failure alert, so the supplicant never gets past client authentication. Note that the client continues straight on with a ClientKeyExchange after the empty Certificate, which points at the client's own certificate/key loading rather than at the server's chain; the client-side trace below confirms this.
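To see this directly instead of trusting the alert text, the following is an added example (my own code, not from the original post or from FreeRADIUS) that decodes the EAP-Message attribute printed in the debug output above. The hex constant is copied from the log; because FreeRADIUS truncates long attribute values in its debug output, only the first 119 of the 344 announced bytes are present, so the parser reports truncated records instead of failing on them. Every name in it is my own.

```python
import struct

# The EAP-Message value copied from the FreeRADIUS debug output above. The
# debug printer truncates long attributes, so only the first 119 of the 344
# bytes announced in the EAP header are present; the parser tolerates that.
EAP_MESSAGE_HEX = (
    "0x025101580d0016030100070b00000300000016030101061000010201005334a243"
    "b0db1f6b723285cb5c7e721c0c14fde8164460fdf99b40e26ef1e98c4388577b61"
    "732cf224c668bd961722be74963d055c18293b95d9ed937e331d4ad0f0afaba131"
    "a9a3d1c8d1b44d201a9a26ff9ddf6b26deb7ee58"
)

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TLS_CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
             12: "ServerKeyExchange", 13: "CertificateRequest", 14: "ServerHelloDone",
             15: "CertificateVerify", 16: "ClientKeyExchange", 20: "Finished"}


def parse_handshakes(body):
    """Walk the handshake messages inside one TLS record body (may be truncated)."""
    msgs, pos = [], 0
    while pos + 4 <= len(body):
        htype = body[pos]
        hlen = int.from_bytes(body[pos + 1:pos + 4], "big")
        hbody = body[pos + 4:pos + 4 + hlen]
        msg = {"type": htype, "name": HANDSHAKE.get(htype, "unknown"),
               "declared_length": hlen, "complete": len(hbody) == hlen}
        if htype == 11 and len(hbody) >= 3:
            # Certificate: 3-byte length of certificate_list. Zero means the
            # client answered the CertificateRequest with no certificate at all.
            msg["certificate_list_length"] = int.from_bytes(hbody[:3], "big")
            msg["empty_certificate"] = msg["certificate_list_length"] == 0
        if htype == 16 and len(hbody) >= 2:
            # ClientKeyExchange with RSA key exchange: 2-byte length of the
            # encrypted pre-master secret (256 bytes => 2048-bit server key).
            msg["encrypted_premaster_length"] = int.from_bytes(hbody[:2], "big")
        msgs.append(msg)
        pos += 4 + hlen
    return msgs


def parse_eap_tls(hex_str):
    """Decode an EAP packet carrying EAP-TLS (RFC 3748 header, RFC 5216 flags)."""
    h = hex_str.lower()
    h = h[2:] if h.startswith("0x") else h
    data = bytes.fromhex(h[:len(h) & ~1])
    code, ident, length = struct.unpack("!BBH", data[:4])
    eap_type, flags = data[4], data[5]
    out = {"code": code, "code_name": EAP_CODES.get(code, "?"), "id": ident,
           "declared_length": length, "bytes_in_log": len(data), "type": eap_type,
           "flags": {"length_included": bool(flags & 0x80),
                     "more_fragments": bool(flags & 0x40),
                     "start": bool(flags & 0x20)},
           "records": []}
    pos = 6
    if flags & 0x80:                       # L flag: 4-byte TLS Message Length follows
        out["tls_message_length"] = int.from_bytes(data[6:10], "big")
        pos = 10
    while pos + 5 <= len(data):            # TLS record header: type, version, length
        ctype, vmaj, vmin, rlen = struct.unpack("!BBBH", data[pos:pos + 5])
        body = data[pos + 5:pos + 5 + rlen]
        rec = {"content_type": ctype, "name": TLS_CONTENT.get(ctype, "unknown"),
               "version": (vmaj, vmin), "declared_length": rlen,
               "complete": len(body) == rlen,
               "handshakes": parse_handshakes(body) if ctype == 22 else []}
        out["records"].append(rec)
        pos += 5 + rlen
    return out


def diagnose(parsed):
    """One-line verdict on why the server would reject this flight."""
    for rec in parsed["records"]:
        for msg in rec["handshakes"]:
            if msg["type"] == 11 and msg.get("empty_certificate"):
                return ("client sent an empty Certificate message: no client "
                        "certificate/key was usable on the supplicant side")
    return "no empty Certificate message in this flight"


if __name__ == "__main__":
    parsed = parse_eap_tls(EAP_MESSAGE_HEX)
    print("EAP %s id=%d len=%d (%d bytes in log) type=%d flags=%s" % (
        parsed["code_name"], parsed["id"], parsed["declared_length"],
        parsed["bytes_in_log"], parsed["type"], parsed["flags"]))
    for rec in parsed["records"]:
        print(" TLS %s v%d.%d len=%d complete=%s" % (
            rec["name"], *rec["version"], rec["declared_length"], rec["complete"]))
        for msg in rec["handshakes"]:
            print("   ", msg)
    print(diagnose(parsed))
```

Running it prints the EAP header (Response, id 81, length 344, type 13 EAP-TLS, no fragment flags), one complete Handshake record whose Certificate message has a zero-length certificate list, and a truncated ClientKeyExchange carrying a 256-byte encrypted pre-master secret. An empty Certificate followed immediately by ClientKeyExchange is exactly what a supplicant emits when it was asked for a client certificate but has no usable key pair to present.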

The client side, meanwhile, reports a key-parsing error. Tracing through the wpa_supplicant code gives the following:

Thu Sep 21 17:35:18 2017 user.debug syslog: eap_peer_sm_step_received 697
Thu Sep 21 17:35:18 2017 user.debug syslog: EAP: Status notification: started (param=)
Thu Sep 21 17:35:19 2017 user.debug syslog: EAP: Status notification: refuse proposed method (param=PEAP)
Thu Sep 21 17:35:19 2017 user.debug syslog: EAP: Status notification: accept proposed method (param=TLS)
Thu Sep 21 17:35:19 2017 user.debug syslog: sm_EAP_GET_METHOD_Enter 290, selectedMethod : 0, reqMethod : 13
Thu Sep 21 17:35:19 2017 user.debug syslog: EAP: Initialize selected EAP method: vendor 0 method 13 (TLS)
Thu Sep 21 17:35:19 2017 user.debug syslog: asn1_parse_oid 95 
Thu Sep 21 17:35:19 2017 user.debug syslog: crypto_private_key_import 50
Thu Sep 21 17:35:19 2017 user.debug syslog: pkcs8_enc_key_import 156 class : 0, tag : d
Thu Sep 21 17:35:19 2017 user.debug syslog: Trying to parse PKCS #1 encoded RSA private key
Thu Sep 21 17:35:19 2017 user.debug syslog: crypto_rsa_import_private_key 199 class : 0, tag : d
Thu Sep 21 17:35:19 2017 user.debug syslog: crypto_private_key_import 44
Thu Sep 21 17:35:19 2017 user.debug syslog: pkcs8_key_import 27
Thu Sep 21 17:35:19 2017 user.debug syslog: pkcs8_key_import 45 class : 0, tag : 10
Thu Sep 21 17:35:19 2017 user.debug syslog: crypto_private_key_import 50
Thu Sep 21 17:35:19 2017 user.debug syslog: pkcs5_decrypt 187
Thu Sep 21 17:35:19 2017 user.debug syslog: pkcs5_get_params 54
Thu Sep 21 17:35:19 2017 user.debug syslog: asn1_parse_oid 95
Thu Sep 21 17:35:19 2017 user.debug syslog: PKCS #5: encryption algorithm 1.2.840.113549.1.5.13
Thu Sep 21 17:35:19 2017 user.debug syslog: PKCS #5: unsupported encryption algorithm 1.2.840.113549.1.5.13
Thu Sep 21 17:35:19 2017 user.debug syslog: Trying to parse PKCS #1 encoded RSA private key
Thu Sep 21 17:35:19 2017 user.debug syslog: crypto_rsa_parse_integer 41
Thu Sep 21 17:35:19 2017 user.debug syslog: crypto_rsa_import_private_key 213
Thu Sep 21 17:35:19 2017 user.debug syslog: TLSv1: Failed to parse private key
Thu Sep 21 17:35:19 2017 user.debug syslog: eap_tls_init_connection 194 res : -1
Thu Sep 21 17:35:19 2017 user.debug syslog: EAP-TLS: Start
Thu Sep 21 17:35:19 2017 user.debug syslog: SSL: Building ACK (type=13 id=217 ver=0)
Thu Sep 21 17:35:19 2017 user.debug syslog: SSL: Building ACK (type=13 id=218 ver=0)
Thu Sep 21 17:35:19 2017 user.debug syslog: SSL: Building ACK (type=13 id=219 ver=0)
Thu Sep 21 17:35:24 2017 user.debug syslog: EAP: Status notification: completion (param=failure)

In tlsv1_set_key the key file is tried as PKCS #1, PKCS #5 (encrypted PKCS #8) and plain PKCS #8 in turn, and every attempt fails.

static int tlsv1_set_key(struct tlsv1_credentials *cred,
			 const u8 *key, size_t len, const char *passwd)
{
	syslog(LOG_DEBUG, "%s %d", __func__, __LINE__);

	/* 1. DER: PKCS #8 (plain, or PKCS #5 encrypted) or PKCS #1 */
	cred->key = crypto_private_key_import(key, len, passwd);

	/* 2. PEM without encryption headers */
	if (cred->key == NULL)
		cred->key = tlsv1_set_key_pem(key, len);

	/* 3. PEM with Proc-Type/DEK-Info encryption headers */
	if (cred->key == NULL)
		cred->key = tlsv1_set_key_enc_pem(key, len, passwd);

	if (cred->key == NULL) {
		syslog(LOG_DEBUG, "TLSv1: Failed to parse private key");
		wpa_printf(MSG_INFO, "TLSv1: Failed to parse private key");
		return -1;
	}

	return 0;
}

Of these, the PKCS #5 attempt fails with:

Thu Sep 21 17:35:19 2017 user.debug syslog: PKCS #5: encryption algorithm 1.2.840.113549.1.5.13
Thu Sep 21 17:35:19 2017 user.debug syslog: PKCS #5: unsupported encryption algorithm 1.2.840.113549.1.5.13

Looking at the code: in pkcs5_get_params the algorithm is resolved by params->alg = pkcs5_get_alg(&oid);, and in this version pkcs5_get_alg recognizes exactly one OID:

static enum pkcs5_alg pkcs5_get_alg(struct asn1_oid *oid)
{
	if (oid->len == 7 &&
	    oid->oid[0] == 1 /* iso */ &&
	    oid->oid[1] == 2 /* member-body */ &&
	    oid->oid[2] == 840 /* us */ &&
	    oid->oid[3] == 113549 /* rsadsi */ &&
	    oid->oid[4] == 1 /* pkcs */ &&
	    oid->oid[5] == 5 /* pkcs-5 */ &&
	    oid->oid[6] == 3 /* pbeWithMD5AndDES-CBC */)
		return PKCS5_ALG_MD5_DES_CBC;

	/* anything else, including 1.2.840.113549.1.5.13 (PBES2), is rejected */
	return PKCS5_ALG_UNKNOWN;
}

The mismatch is in the last arc of the OID.

The OID registry at http://oidref.com/ lists:

1.2.840.113549.1.5.13    pkcs-5 pbes2

1.2.840.113549.1.5.3     pbeWithMD5AndDES-CBC

These are two different encryption schemes. The former is PBES2 (PKCS #5 v2.0), where the key-derivation function and the cipher are carried as parameters (normally PBKDF2 plus 3DES or AES); the latter is the fixed PKCS #5 v1.5 scheme pbeWithMD5AndDES-CBC. OpenSSL 1.1.0 and later write PBES2 (AES-256-CBC with PBKDF2) by default in openssl pkcs8 -topk8, while older releases defaulted to pbeWithMD5AndDES-CBC unless -v2 was given, which is why a freshly generated key file lands in the unsupported branch.

Checking the wpa_supplicant ChangeLog, the entry for v2.6 (2016-10-02) records:

	* TLS client
	  - do not verify CA certificates when ca_cert is not specified
	  - support validating server certificate hash
	  - support SHA384 and SHA512 hashes
	  - add signature_algorithms extension into ClientHello
	  - support TLS v1.2 signature algorithm with SHA384 and SHA512
	  - support server certificate probing
	  - allow specific TLS versions to be disabled with phase2 parameter
	  - support extKeyUsage
	  - support PKCS #5 v2.0 PBES2
	  - support PKCS #5 with PKCS #12 style key decryption
	  - minimal support for PKCS #12
	  - support OCSP stapling (including ocsp_multi)

i.e. PBES2 parsing was added in that release.

Upgrading the code to that version therefore resolved the problem. If upgrading the supplicant is not an option, the other way round the mismatch is to re-encode the key in a form the old parser accepts, for example openssl pkcs8 -topk8 -v1 PBE-MD5-DES -in key.pem -out key-v1.pem (which is 56-bit DES, i.e. weak protection at rest), or to strip the passphrase altogether, in which case the plaintext key on the device is protected by file permissions alone.

One thing I am still unsure about: since I rarely use git and was too lazy to port the latest wpa_supplicant code to the OpenWrt BB release, I updated the hostapd code from trunk to the 2016-01-15 version, which also works; I do not know how the git history corresponds to the versions on the official website.
