[strongSwan] TLS handshake negotiation fail

yukou katori k10lie.tech at yahoo.co.uk
Sun Feb 28 07:19:44 CET 2016


Hi, Noel
Thanks. I compiled again to isolate this problem. The reason why no item about certificates was shown by "ipsec listall" was that I had imported an incorrect certificate from FreeRadius. Now I can get the item about the CA by "ipsec install".
But I still get the same error.
What does "access denied" mean? This is for TLS 1.2, but it means:

    access_denied
       A valid certificate was received, but when access control was
       applied, the sender decided not to proceed with negotiation.  This
       message is always fatal.

(from RFC 5246)
Access control?
I compiled like this:
./configure --prefix=/usr/local --sysconfdir=/usr/local/etc --enable-eap-identity --enable-eap-tls --enable-eap-peap --enable-eap-ttls --enable-eap-mschapv2 --enable-eap-md5
Regards,

////// debug of StrongSwan ///
Sun Feb 28 10:28:54 2016 : Info: [ttls] <<< TLS 1.0 Alert [length 0002], fatal access_denied
Sun Feb 28 10:28:54 2016 : Error: TLS Alert read:fatal:access denied
Sun Feb 28 10:28:54 2016 : Error:     TLS_accept: failed in SSLv3 read client certificate A
Sun Feb 28 10:28:54 2016 : Error: rlm_eap: SSL error error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied
Sun Feb 28 10:28:54 2016 : Error: SSL: SSL_read failed inside of TLS (-1), TLS session fails.
Sun Feb 28 10:28:54 2016 : Debug: TLS receive handshake failed during operation

////// config of ipsec.conf ///
root at eNB-3:/usr/local/etc# cat ipsec.conf
# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
        charondebug="tls 4, ike 4, lib 4"

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2

conn eap-ttls-rad1
        left=192.168.31.10
        leftsourceip=%config
        leftid=test1 at test
        leftauth=eap
        #leftauth2=md5
        right=192.168.120.254
        #rightcert=/usr/local/etc/ipsec.d/certs/Radius-1_Svr_cert
        rightid=Radius-1 at test
        rightsubnet=2.0.0.1/32
        rightauth=pubkey
        #rightauth2=md5
        aaa_identity="C=JP, O=XXX, CN=Radius-1_svr at test"
        auto=add

////// output of "ipsec listall" ///
root at eNB-3:/usr/local/etc# ipsec listall
List of X.509 CA Certificates:

  subject:  "C=JP, ST=Some-State, O=XXX, OU=TSO, CN=Radius-1_CA at XXX.com, E=yukou.katori at XXX.com"
  issuer:   "C=JP, ST=Some-State, O=XXX, OU=TSO, CN=Radius-1_CA at XXX.com, E=yukou.katori at XXX.com"
  serial:    91:72:72:2d:af:3f:7c:73
  validity:  not before Feb 28 01:02:24 2016, ok
             not after  Feb 27 01:02:24 2017, ok
  pubkey:    RSA 2048 bits
  keyid:     e5:a7:66:c8:00:8f:8a:3a:72:7a:b3:af:ef:6c:e5:a4:3f:bb:51:16
  subjkey:   52:f7:97:13:61:a5:c5:0c:df:ae:cf:96:95:7f:a3:23:39:d0:b3:53
  authkey:   52:f7:97:13:61:a5:c5:0c:df:ae:cf:96:95:7f:a3:23:39:d0:b3:53

List of registered IKE algorithms:
(snip)

Just for info, user configuration of FreeRadius is fine.

////// about Server's certificate /// CN=Radius-1_svr at test was issued by CN=Radius-1_SA ///
root at Radius-1:/usr/lib/ssl/misc#  openssl x509 -text -noout -in Radius-1_Svr_cert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=JP, ST=Some-State, O=XXX, OU=TSO, CN=Radius-1_CA at test/emailAddress=yukou.katori at test
        Validity
            Not Before: Feb 27 16:18:46 2016 GMT
            Not After : Feb 26 16:18:46 2017 GMT
        Subject: C=JP, ST=Some-State, O=XXX, OU=TSO, CN=Radius-1_svr at test/emailAddress=yukou.katori at test
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:

////// users /// user configuration seems fine... ///
test1 at test Cleartext-Password := "test1 at test"

/etc/freeradius/wpa_supplicant-2.5/wpa_supplicant# ./eapol_test -c eap-ttls.conf -s testing123 -a 127.0.0.1
Reading configuration file 'eap-ttls.conf'
eap methods - hexdump(len=16): 00 00 00 00 15 00 00 00 00 00 00 00 00 00 00 00
identity - hexdump_ascii(len=15):
     74 65 73 74 31 40 6e 6f 6b 69 61 2e 63 6f 6d      test1 at test
password - hexdump_ascii(len=15):
     74 65 73 74 31 40 6e 6f 6b 69 61 2e 63 6f 6d      test1 at test
phase2 - hexdump_ascii(len=8):
     61 75 74 68 3d 4d 44 35                           auth=MD5
Priority group 0
   id=0 ssid=''
(snip)
MPPE keys OK: 1  mismatch: 0
SUCCESS
 

    On Friday, 26 February 2016, 0:38, Noel Kuntze <noel at familie-kuntze.de> wrote:
 

 Hello Yukou,

> Client(StrongSwan5.3.5) --- authenticator --- TTLS Server/Radius Server(Freeradius2.1.12)
>> Feb 25 14:41:13 tester charon: 05[TLS] server certificate does not match to 'C=AAA, O=OOO, CN=TEST'
What does your config look like? Obviously, the RADIUS server only authenticates itself, not the authenticator.

>I installed certification of the server:
>ipsec.d/certs/
Where is that exactly? Are you aware that the location of ipsec.d changes, depending on the compile time
sysconfdir and prefix settings?

> When I checked by "ipsec listall", no item about "List of X.509 End Entity Certificates" is listed up.
Make sure you understand where charon thinks ipsec.d actually is.



On 25.02.2016 08:51, yukou katori wrote:
> Hi,
>
> I'm setting up EAP-TTLS-Radius client on StrongSwan5.3.5.
>
> Client(StrongSwan5.3.5) --- authenticator --- TTLS Server/Radius Server(Freeradius2.1.12)
>
> I got the following error when the Client tries to connect.
> > Feb 25 14:41:13 tester charon: 05[TLS] server certificate does not match to 'C=AAA, O=OOO, CN=TEST'
>
> I installed certification of the server:
> ipsec.d/certs/
>
> /usr/local/etc/ipsec.d# ls certs/
> server.pem
>
> When I checked by "ipsec listall", no item about "List of X.509 End Entity Certificates" is listed up.
>
> Is it wrong about the way to store certificate?
> Or another reason? (e.g. plugin is not enough)
>
> Regards,
>
> Log:
> Feb 25 14:41:13 tester charon: 05[TLS] negotiated TLS 1.0 using suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA
> Feb 25 14:41:13 tester charon: 05[TLS] processing TLS Handshake record (708 bytes)
> Feb 25 14:41:13 tester charon: 05[TLS] received TLS Certificate handshake (704 bytes)
> Feb 25 14:41:13 tester charon: 05[LIB] signature verification:
> Feb 25 14:41:13 tester charon: 05[TLS] server certificate does not match to 'C=ES, O=ACCV, CN=ACCVRAIZ1'
> Feb 25 14:41:13 tester charon: 05[TLS] buffering 254 bytes, 254 bytes of 530 byte TLS record received
> Feb 25 14:41:13 tester charon: 05[TLS] sending fatal TLS alert 'access denied'


-- 

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
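The charon message "server certificate does not match to '...'" in this thread is an identity check: the EAP-TTLS client compares the RADIUS server certificate it receives against the identity it was configured to expect (aaa_identity in the ipsec.conf above). The following is an added diagnostic script, not code from strongSwan, FreeRADIUS or anyone in this thread. It assumes (an assumption, not something the thread confirms) that the certificate subject DN must equal the configured identity RDN for RDN, in order, and it uses the two DN strings that appear in the thread (the aaa_identity value and the openssl -text Subject line) as constructed sample input to show which attributes differ. The identity string spelled out to the full subject in the main block is hypothetical.

```python
"""Added diagnostic, not strongSwan or FreeRADIUS code: compare the aaa_identity
configured in ipsec.conf against the subject DN of the RADIUS server certificate.

Assumption (stated here, not confirmed by the thread): the EAP-TTLS client accepts
the server certificate only when its subject DN equals the configured identity
RDN for RDN, in order, so any extra, missing or differing attribute makes charon
report "server certificate does not match". The sample DN strings are the values
that appear in the thread."""
import re
from typing import Dict, List, Tuple

# Constructed from the thread: the ipsec.conf aaa_identity and the openssl -text Subject line.
CONFIGURED_AAA_IDENTITY = "C=JP, O=XXX, CN=Radius-1_svr at test"
OPENSSL_SUBJECT = ("C=JP, ST=Some-State, O=XXX, OU=TSO, "
                   "CN=Radius-1_svr at test/emailAddress=yukou.katori at test")

# openssl -text writes 'emailAddress', ipsec listall writes 'E'; they are the same attribute.
_ATTR_ALIASES = {"EMAILADDRESS": "E"}

RDN = Tuple[str, str]


def parse_dn(dn: str) -> List[RDN]:
    """Split a DN string into ordered (attribute, value) pairs.

    Accepts the ', ' form used by ipsec.conf and ipsec listall as well as the
    openssl -text form, which separates the trailing RDNs with '/'. Attribute
    names are upper-cased and aliases folded so both spellings compare equal.
    Escaped separators inside values are not handled (none occur in the thread).
    """
    rdns: List[RDN] = []
    for part in re.split(r"\s*[,/]\s*", dn.strip()):
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, value = part.split("=", 1)
        attr = attr.strip().upper()
        rdns.append((_ATTR_ALIASES.get(attr, attr), value.strip()))
    return rdns


def compare_dn(configured: str, subject: str) -> Dict[str, object]:
    """Report how the configured identity differs from the certificate subject."""
    want = parse_dn(configured)
    have = parse_dn(subject)
    want_map = dict(want)
    have_map = dict(have)
    return {
        "match": want == have,  # exact, order-sensitive equality of the RDN sequence
        "missing_in_cert": [a for a, _ in want if a not in have_map],
        "extra_in_cert": [a for a, _ in have if a not in want_map],
        "value_mismatch": [(a, v, have_map[a]) for a, v in want
                           if a in have_map and have_map[a] != v],
    }


def explain(configured: str, subject: str) -> str:
    """One-line verdict naming every attribute that breaks the match."""
    r = compare_dn(configured, subject)
    if r["match"]:
        return "identity matches certificate subject"
    problems = []
    if r["extra_in_cert"]:
        problems.append("certificate has extra RDNs %s" % ",".join(r["extra_in_cert"]))
    if r["missing_in_cert"]:
        problems.append("certificate lacks RDNs %s" % ",".join(r["missing_in_cert"]))
    for attr, want, have in r["value_mismatch"]:
        problems.append(f"{attr}: configured {want!r}, certificate {have!r}")
    return "identity does not match: " + "; ".join(problems)


if __name__ == "__main__":
    # The values from the thread: the configured identity carries only C, O and CN.
    print(explain(CONFIGURED_AAA_IDENTITY, OPENSSL_SUBJECT))
    # Hypothetical identity string spelled out to the full subject, in listall's 'E=' style.
    full = "C=JP, ST=Some-State, O=XXX, OU=TSO, CN=Radius-1_svr at test, E=yukou.katori at test"
    print(explain(full, OPENSSL_SUBJECT))
```

Run stand-alone, the first line reports that the certificate carries the extra RDNs ST, OU and E that the configured identity lacks; the second shows that an identity written out to the full subject compares equal, with the emailAddress/E spelling difference folded away. The script only reads DN strings, so it can be run against any `ipsec listall` or `openssl x509 -text` output without touching the running charon.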



  