[RADIATOR] Can't get chain certificates to work

Stephen A. Felicetti stephen.felicetti at fccc.edu
Thu Nov 4 07:30:42 CDT 2010


I'm currently running Radiator 4.7 on SUSE linux with OpenSSL 0.9.8h.
I've had this running for years without any problems (albeit different versions). 
Now that I have to begin using Chain Certificates with my CA, I'm stuck.
I know for a fact that my private key and server certificate share the same modulus and exponent. The private key also works fine.
I was also given all the correct CA and Chain certificates from Thawte, so I'm confident I'm OK there.
The certificates work fine when installed on a Cisco ACS server.
I also tried another set of certificates from Entrust, and received the same exact errors.
The only way I can get this configuration to work with the new certificates is to use configuration #1, and not have the wireless client validate the server cert. Obviously, not a solution.

Any help or suggestions are greatly appreciated. 

Configuration #1:

EAPTLS_CertificateType PEM
EAPTLS_CAFile %D/certificates/cert/thawte.Premium.Root.CA.pem
#EAPTLS_CertificateChainFile %D/certificates/cert/thawte.SSL123bundle.pem   [disabled]
EAPTLS_CertificateFile %D/certificates/cert/wirelesscert.pem
EAPTLS_PrivateKeyFile %D/certificates/cert/thawtekey.pem
EAPTLS_PrivateKeyPassword xxxx

I get this error, which I would expect to receive without a chain cert in the configuration and the client wanting to validate the server cert.

Tue Nov  2 12:02:35 2010: DEBUG: EAP TTLS SSL_accept result: 0, 1, 8576
Tue Nov  2 12:02:35 2010: DEBUG: EAP result: 1, EAP TTLS Handshake unsuccessful:  23668: 1 - error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
Tue Nov  2 12:02:35 2010: DEBUG: AuthBy FILE result: REJECT, EAP TTLS Handshake unsuccessful:  23668: 1 - error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
Tue Nov  2 12:02:35 2010: INFO: Access rejected for tsd7notebook: EAP TTLS Handshake unsuccessful:  23668: 1 - error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

Configuration #2:

EAPTLS_CertificateType PEM
EAPTLS_CAFile %D/certificates/cert/thawte.Premium.Root.CA.pem
EAPTLS_CertificateChainFile %D/certificates/cert/thawte.SSL123bundle.pem  [enabled]
EAPTLS_CertificateFile %D/certificates/cert/wirelesscert.pem
EAPTLS_PrivateKeyFile %D/certificates/cert/thawtekey.pem
EAPTLS_PrivateKeyPassword xxxx

I get this error:

Tue Nov  2 12:03:58 2010: ERR: TLS could not use_PrivateKey_file %D/certificates/cert/thawtekey.pem, 1:  23681: 1 - error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch


Stephen A Felicetti
Fox Chase Cancer Center
Director, Information Security
stephen.felicetti at fccc.edu
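An added pre-flight check, not from the post above and not part of Radiator, that an administrator can run before enabling EAPTLS_CertificateChainFile. It assumes OpenSSL's chain-file semantics (the first certificate in the chain file is taken as the server certificate and compared with the private key), an RSA key, and the openssl command line tool; the file paths are passed as arguments.

```shell
#!/bin/sh
# Added example, not part of the original post or of Radiator.
# Assumption: as with OpenSSL's SSL_CTX_use_certificate_chain_file, the FIRST
# certificate in the chain file is taken as the server certificate and checked
# against the private key, so a bundle that starts with an intermediate gives
# "X509_check_private_key:key values mismatch" even though key and server
# certificate match each other.
# Usage: preflight KEY SERVER_CERT CHAIN_FILE CA_FILE [key-password]

# Print the n-th PEM certificate block (1-based) of a file.
nth_cert() {
  awk -v n="$2" '
    /-----BEGIN CERTIFICATE-----/ { c++ }
    c == n { print }
    /-----END CERTIFICATE-----/ && c == n { exit }' "$1"
}

# 0 if the RSA modulus of the key equals the modulus of the certificate
# (the comparison X509_check_private_key performs). Password may be empty.
key_matches_cert() {
  k=$(openssl rsa -noout -modulus -in "$1" -passin "pass:${3:-}" 2>/dev/null) || return 2
  c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 2
  [ "$k" = "$c" ]
}

# 0 if the first certificate in the chain file is the server certificate,
# compared by SHA-256 fingerprint so line-ending differences do not matter.
chain_starts_with_server() {
  a=$(nth_cert "$1" 1 | openssl x509 -noout -fingerprint -sha256 2>/dev/null) || return 2
  b=$(openssl x509 -noout -fingerprint -sha256 -in "$2" 2>/dev/null) || return 2
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# 0 if the server certificate verifies up to the CA file, using the chain
# file as the pool of untrusted intermediates (what the EAP client will do).
chain_verifies() {
  openssl verify -CAfile "$3" -untrusted "$1" "$2" >/dev/null 2>&1
}

preflight() {
  key_matches_cert "$1" "$2" "$5" \
    || { echo "FAIL: private key $1 does not match $2"; return 1; }
  chain_starts_with_server "$3" "$2" \
    || { echo "FAIL: first certificate in $3 is not $2; put the server cert first"; return 1; }
  chain_verifies "$3" "$2" "$4" \
    || { echo "FAIL: $2 does not chain to $4 via $3"; return 1; }
  echo "OK: key, server certificate and chain file are consistent"
}
```

Source the file and call `preflight` with the key, server certificate, chain file and CA file; each failing check names the file to fix.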
