<html><head></head><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, Sans-Serif;font-size:16px"><div id="yui_3_16_0_1_1456410671702_2725"><span id="yui_3_16_0_1_1456410671702_2873">As for "access_denied", RFC 5246 says:</span></div><div id="yui_3_16_0_1_1456410671702_2725"><span><br></span></div><pre class="" style="font-size: 13.3333px; margin-top: 0px; margin-bottom: 0px; page-break-before: always;" id="yui_3_16_0_1_1456410671702_2872"> access_denied
A valid certificate was received, but when access control was
applied, the sender decided not to proceed with negotiation. This
message is always fatal.</pre><pre class="" style="font-size: 13.3333px; margin-top: 0px; margin-bottom: 0px; page-break-before: always;" id="yui_3_16_0_1_1456410671702_2872"><br></pre><pre class="" style="font-size: 13.3333px; margin-top: 0px; margin-bottom: 0px; page-break-before: always;" id="yui_3_16_0_1_1456410671702_2872">For example, what is the situation indicating this?</pre><pre class="" style="font-size: 13.3333px; margin-top: 0px; margin-bottom: 0px; page-break-before: always;" id="yui_3_16_0_1_1456410671702_2872"><br></pre><pre class="" style="font-size: 13.3333px; margin-top: 0px; margin-bottom: 0px; page-break-before: always;" id="yui_3_16_0_1_1456410671702_2872">Regards,</pre> <div class="qtdSeparateBR"><br><br></div><div class="yahoo_quoted" style="display: block;"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, Sans-Serif; font-size: 16px;"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, Sans-Serif; font-size: 16px;"> <div dir="ltr"><font size="2" face="Arial"> On Thursday, 25 February 2016, 16:58, yukou katori &lt;k10lie.tech@yahoo.co.uk&gt; wrote:<br></font></div> <br><br> <div class="y_msg_container"><div id="yiv6913961768"><div><div style="color:#000;background-color:#fff;font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, Sans-Serif;font-size:16px;"><div id="yiv6913961768yui_3_16_0_1_1456379109609_5036">Hi,</div><div id="yiv6913961768yui_3_16_0_1_1456379109609_5036"><br></div><div id="yiv6913961768yui_3_16_0_1_1456379109609_5036">I'm setting up an EAP-TTLS-RADIUS client on strongSwan 5.3.5.</div><div id="yiv6913961768yui_3_16_0_1_1456379109609_5036"><br></div><div id="yiv6913961768yui_3_16_0_1_1456379109609_5036" dir="ltr">Client (strongSwan 5.3.5) --- authenticator --- TTLS Server/RADIUS Server (FreeRADIUS 2.1.12)</div><div id="yiv6913961768yui_3_16_0_1_1456379109609_5036"><br></div><div id="yiv6913961768yui_3_16_0_1_1456379109609_5036" dir="ltr">I 
got the following error when the Client tries to connect.</div><div id="yiv6913961768yui_3_16_0_1_1456379109609_5036" dir="ltr">> Feb 25 14:41:13 tester charon: 05[TLS] server certificate does not match to 'C=AAA, O=OOO, CN=TEST'</div><div id="yiv6913961768yui_3_16_0_1_1456379109609_5036" dir="ltr"><br></div><div id="yiv6913961768yui_3_16_0_1_1456379109609_5036" dir="ltr">I installed the server's certificate:</div><div id="yiv6913961768yui_3_16_0_1_1456379109609_5036" dir="ltr">ipsec.d/certs/<br></div><div id="yiv6913961768yui_3_16_0_1_1456379109609_5036" dir="ltr"><br></div><div id="yiv6913961768yui_3_16_0_1_1456379109609_5036" dir="ltr" class="yiv6913961768">/usr/local/etc/ipsec.d# ls certs/</div><div id="yiv6913961768yui_3_16_0_1_1456379109609_5036" dir="ltr" class="yiv6913961768">server.pem</div><div id="yiv6913961768yui_3_16_0_1_1456379109609_5036" dir="ltr"><br></div><div id="yiv6913961768yui_3_16_0_1_1456379109609_5036" dir="ltr" class="yiv6913961768">When I checked with "ipsec listall", no item about "<span style="font-family:'Courier New';white-space:pre-wrap;" id="yiv6913961768yui_3_16_0_1_1456379109609_5395" class="yiv6913961768">List of X.509 End Entity Certificates"</span> is listed.</div><div id="yiv6913961768yui_3_16_0_1_1456379109609_5036" dir="ltr"><br></div><div id="yiv6913961768yui_3_16_0_1_1456379109609_5036" dir="ltr">Is the way I stored the certificate wrong?</div><div id="yiv6913961768yui_3_16_0_1_1456379109609_5036" dir="ltr">Or another reason? (e.g. 
plugin is not enough)</div><div id="yiv6913961768yui_3_16_0_1_1456379109609_5036" dir="ltr"><br></div><div id="yiv6913961768yui_3_16_0_1_1456379109609_5036" dir="ltr">Regards,</div><div id="yiv6913961768yui_3_16_0_1_1456379109609_5036" dir="ltr"><br></div><div id="yiv6913961768yui_3_16_0_1_1456379109609_5036" dir="ltr">Log:</div><div id="yiv6913961768yui_3_16_0_1_1456379109609_5036" class="yiv6913961768">Feb 25 14:41:13 tester charon: 05[TLS] negotiated TLS 1.0 using suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA</div><div id="yiv6913961768yui_3_16_0_1_1456379109609_5036" class="yiv6913961768">Feb 25 14:41:13 tester charon: 05[TLS] processing TLS Handshake record (708 bytes)</div><div id="yiv6913961768yui_3_16_0_1_1456379109609_5036" class="yiv6913961768">Feb 25 14:41:13 tester charon: 05[TLS] received TLS Certificate handshake (704 bytes)</div><div id="yiv6913961768yui_3_16_0_1_1456379109609_5036" class="yiv6913961768">Feb 25 14:41:13 tester charon: 05[LIB] signature verification:</div><div id="yiv6913961768yui_3_16_0_1_1456379109609_5036" class="yiv6913961768">Feb 25 14:41:13 tester charon: 05[TLS] server certificate does not match to 'C=ES, O=ACCV, CN=ACCVRAIZ1'</div><div id="yiv6913961768yui_3_16_0_1_1456379109609_5036" class="yiv6913961768">Feb 25 14:41:13 tester charon: 05[TLS] buffering 254 bytes, 254 bytes of 530 byte TLS record received</div><div id="yiv6913961768yui_3_16_0_1_1456379109609_5036" class="yiv6913961768" dir="ltr">Feb 25 14:41:13 tester charon: 05[TLS] sending fatal TLS alert 'access denied'</div></div></div></div><br>_______________________________________________<br>Users mailing list<br><a ymailto="mailto:Users@lists.strongswan.org" href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a><br><a href="https://lists.strongswan.org/mailman/listinfo/users" target="_blank">https://lists.strongswan.org/mailman/listinfo/users</a><br><br></div> </div> </div> </div></div></body></html>