(RADIATOR) TLS could not use_PrivateKey_file
Mike McCauley
mikem at open.com.au
Fri Jun 27 19:09:56 CDT 2003
Hello Francisco,
It looks like your private key file is not in PEM format or is corrupted.
Cheers.
On Sat, 28 Jun 2003 01:55 am, Francisco Contreiras wrote:
> I generated the certificates with mkcertificates.sh and everything went OK.
> But now when I make a PEAP request I get this error, TLS could not
> use_PrivateKey_file.
>
> Another question is: The challenge password that is asked in the
> MKCERTIFICATE should be the same as the one configured in eap_peap.cfg in
> EAPTLS_PrivateKeyPassword ?
>
> ############ Log File ##################################
> [root at cuco Radiator-Demo-3.6]# perl radiusd -foreground -log_stdout -trace
> 4 -config_file /etc/radius/radius.cfg Fri Jun 27 17:30:08 2003: DEBUG:
> Reading users file /etc/radius/users Fri Jun 27 17:30:08 2003: DEBUG:
> Reading users file /etc/radius/users Fri Jun 27 17:30:08 2003: DEBUG:
> Reading users file /etc/radius/users Fri Jun 27 17:30:08 2003: DEBUG:
> Finished reading configuration file '/etc/radius/radius.cfg' This Radiator
> license will expire on 2003-10-01
> This Radiator license will stop operating after 1000 requests
> To purchase an unlimited full source version of Radiator, see
> http://www.open.com.au/ordering.html
> To extend your evaluation period, contact admin at open.com.au
> Fri Jun 27 17:30:08 2003: DEBUG: Reading dictionary file
> '/etc/radius/dictionary' Fri Jun 27 17:30:09 2003: DEBUG: Reading
> dictionary file '/etc/radius/dictionary.ascend' Fri Jun 27 17:30:10 2003:
> DEBUG: Creating authentication port 0.0.0.0:1812 Fri Jun 27 17:30:10 2003:
> DEBUG: Creating accounting port 0.0.0.0:1813 Fri Jun 27 17:30:10 2003:
> NOTICE: Server started: Radiator 3.6 on cuco.lx.it.pt (EVALUATION) Fri Jun
> 27 17:31:29 2003: DEBUG: Packet dump:
> *** Received from 192.168.0.253 port 1645 ....
> Code: Access-Request
> Identifier: 56
> Authentic: k<154><6>xR"<254><216><224><255>t'<198><210>QN
> Attributes:
> User-Name = "test1 at pt"
> Framed-MTU = 1400
> Called-Station-Id = "0002.8a21.9173"
> Calling-Station-Id = "000b.fd60.56c9"
> Message-Authenticator =
> <200><162>S<29><151><<210><237><194><181><29>,<161>?<231># EAP-Message =
> <2><2><0><13><1>test1 at pt
> NAS-Port-Type = Virtual
> NAS-Port = 448
> NAS-IP-Address = 192.168.0.253
> NAS-Identifier = "ap"
> Fri Jun 27 17:31:29 2003: DEBUG: Handling request with Handler 'Realm = pt'
> Fri Jun 27 17:31:29 2003: DEBUG: Deleting session for test1 at pt,
> 192.168.0.253, 448 Fri Jun 27 17:31:29 2003: DEBUG: Handling with
> Radius::AuthFILE:
> Fri Jun 27 17:31:29 2003: DEBUG: Handling with EAP: code 2, 2, 13
> Fri Jun 27 17:31:29 2003: DEBUG: Response type 1
> Fri Jun 27 17:31:30 2003: ERR: TLS could not use_PrivateKey_file
> /etc/radius/demoCA/cert-srv.pem, 1: 840: 1 - error:0906D06C:PEM
> routines:PEM_read_bio:no start line 840: 2 - error:06065064:digital
> envelope routines:EVP_DecryptFinal:bad decrypt 840: 3 - error:0906A065:PEM
> routines:PEM_do_header:bad decrypt
> 840: 4 - error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
> Fri Jun 27 17:31:30 2003: INFO: Access rejected for test1 at pt: EAP TLS Could
> not initialise context Fri Jun 27 17:31:30 2003: DEBUG: Packet dump:
> *** Sending to 192.168.0.253 port 1645 ....
> Code: Access-Reject
> Identifier: 56
> Authentic: k<154><6>xR"<254><216><224><255>t'<198><210>QN
> Attributes:
> Reply-Message = "Request Denied"
> Fri Jun 27 17:31:36 2003: DEBUG: Packet dump:
> *** Received from 192.168.0.253 port 1645 ....
> Code: Access-Request
> Identifier: 57
> Authentic:
> <179><168><222><253><247><232><217><252><171><177><184><202><29>(<217><12>
> Attributes:
> User-Name = "test1 at pt"
> Framed-MTU = 1400
> Called-Station-Id = "0002.8a21.9173"
> Calling-Station-Id = "000b.fd60.56c9"
> Message-Authenticator =
> <172><242>@<213><18><149><135><237><174><172><213>4<206><145><234><171>
> EAP-Message = <2><1><0><13><1>test1 at pt
> NAS-Port-Type = Virtual
> NAS-Port = 449
> NAS-IP-Address = 192.168.0.253
> NAS-Identifier = "ap"
> Fri Jun 27 17:31:36 2003: DEBUG: Handling request with Handler 'Realm = pt'
> Fri Jun 27 17:31:36 2003: DEBUG: Deleting session for test1 at pt,
> 192.168.0.253, 449 Fri Jun 27 17:31:36 2003: DEBUG: Handling with
> Radius::AuthFILE:
> Fri Jun 27 17:31:36 2003: DEBUG: Handling with EAP: code 2, 1, 13
> Fri Jun 27 17:31:36 2003: DEBUG: Response type 1
> Fri Jun 27 17:31:36 2003: DEBUG: Access challenged for test1 at pt: EAP PEAP
> Challenge Fri Jun 27 17:31:36 2003: DEBUG: Packet dump:
> *** Sending to 192.168.0.253 port 1645 ....
> Code: Access-Challenge
> Identifier: 57
> Authentic:
> <179><168><222><253><247><232><217><252><171><177><184><202><29>(<217><12>
> Attributes:
> EAP-Message = <1><2><0><6><25>!
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0> Fri Jun 27 17:31:36 2003:
> DEBUG: Packet dump:
> *** Received from 192.168.0.253 port 1645 ....
> Code: Access-Request
> Identifier: 58
> Authentic: FH<241> <223>Q<185><197><5><29><232><206><226>I$<150>
> Attributes:
> User-Name = "test1 at pt"
> Framed-MTU = 1400
> Called-Station-Id = "0002.8a21.9173"
> Calling-Station-Id = "000b.fd60.56c9"
> Message-Authenticator =
> N^<239><17>m<6>u<243><29>><188><154>S<163>P<148> EAP-Message =
> <2><2><0>P<25><128><0><0><0>F<22><3><1><0>A<1><0><0>=<3><1>><252>cg<166><11
>><201><241><198>gv["<155><136>|<248><155><7><185><27><211>dr<206>@s<225>\(<2
>24>Q<0><0><22><0><4><0><5><0><10><0><9><0>d<0>b<0><3><0><6><0><19><0><18><0>
>c<1><0> NAS-Port-Type = Virtual
> NAS-Port = 449
> NAS-IP-Address = 192.168.0.253
> NAS-Identifier = "ap"
> Fri Jun 27 17:31:36 2003: DEBUG: Handling request with Handler 'Realm = pt'
> Fri Jun 27 17:31:36 2003: DEBUG: Deleting session for test1 at pt,
> 192.168.0.253, 449 Fri Jun 27 17:31:36 2003: DEBUG: Handling with
> Radius::AuthFILE:
> Fri Jun 27 17:31:36 2003: DEBUG: Handling with EAP: code 2, 2, 80
> Fri Jun 27 17:31:36 2003: DEBUG: Response type 25
> Fri Jun 27 17:31:36 2003: DEBUG: EAP TLS SSL_accept result: -1, 1, 8466
> Fri Jun 27 17:31:36 2003: ERR: EAP TLS error: -1, 1, 8466, 840: 1 -
> error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher Fri Jun
> 27 17:31:36 2003: INFO: Access rejected for test1 at pt: EAP PEAP TLS error
> Fri Jun 27 17:31:36 2003: DEBUG: Packet dump:
> *** Sending to 192.168.0.253 port 1645 ....
> Code: Access-Reject
> Identifier: 58
> Authentic: FH<241> <223>Q<185><197><5><29><232><206><226>I$<150>
> Attributes:
> EAP-Message = <4><2><0><4>
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0> Reply-Message = "Request
> Denied"
> ##########################
>
> ########### CFG FILE ########################
> AuthPort 1812
> AcctPort 1813
> LogDir /var/log/radius
> DbDir /etc/radius
> DictionaryFile %D/dictionary,%D/dictionary.ascend
> PidFile /var/run/radiusd.pid
> Trace 4
>
> <Client 192.168.254>
> Secret xpto
> </Client>
> #Pedidos "internos", vindos de um tu'nel PEAP
> <Handler TunnelledByPEAP=1>
> <AuthBy FILE>
> Filename /etc/radius/users
> EAPType MSCHAP-V2
> </AuthBy>
> </Handler>
> #Pedidos internos enviados por tu'nel TTLS
> <Handler TunnelledByTTLS=1>
> <AuthBy FILE>
> Filename /etc/radius/users
> EAPType PAP
> # TLS requere a config abaixo
> EAPTLS_CAFile /etc/radius/demoCA/cacert.pem
> EAPTLS_CertificateFile /etc/radius/demoCA/cert-srv.pem
> EAPTLS_CertificateType PEM
> EAPTLS_PrivateKeyFile /etc/radius/demoCA/cert-srv.pem
> EAPTLS_PrivateKeyPassword xpto
> </AuthBy>
> </Handler>
> <Handler Realm = pt>
> <AuthBy FILE>
> Filename /etc/radius/users
> #Para ja'
> permite PEAP, TTLS # adicionar outras variantes de EAP aqui EAPType
> PEAP, TTLS
> #Caso se
> use TLS: #certificados sao gerados atrave's do script radiator
> #mkcertificate.sh, em goodies/ EAPTLS_CAFile /etc/radius/demoCA/cacert.pem
> EAPTLS_CertificateFile /etc/radius/demoCA/cert-srv.pem
> EAPTLS_CertificateType PEM
> EAPTLS_PrivateKeyFile /etc/radius/demoCA/cert-srv.pem
> EAPTLS_PrivateKeyPassword xpto
> EAPTLS_MaxFragmentSize 1024
> AutoMPPEKeys
> SSLeayTrace 4
> </AuthBy>
> </Handler>
> ######################
>
> Please help,
>
> Thank you in advance.
>
> Francisco Contreiras
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
--
Mike McCauley mikem at open.com.au
Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia http://www.open.com.au
Phone +61 3 9598-0985 Fax +61 3 9598-0955
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP etc on Unix, Windows, MacOS etc.
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
More information about the radiator
mailing list