[RADIATOR] Unknown SSL errors

Fri Sep 2 04:11:32 CDT 2011

On 09/02/2011 12:09 AM, Michael Hulko wrote:
> We are currently running 2 Radiator servers ver4.5.1.

> We have recently upgraded our certs to Thawte 2048 bit. 

> I have noticed an increase in the number of the these messages:

> EAP TLS error: -1, 1, 8576,  9408: 1 - error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

Likely a corrupted packet. This comes from the SSL libraries Radiator
uses. The library is telling it did not like SSL version when it did not
find TLS1.0 or later but some corrupted values instead.

> ERR: EAP PEAP TLS Handshake unsuccessful:  9408: 1 - error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version

Alert comes from the client. The client probably received a corrupted
packet.

> ERR: EAP PEAP TLS read failed: 3888: 1 - error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record

Likely caused by a corrupted packet too. The corrupton was detected by
TLS layer.

> I am unsure of what these are indicative of.  Are these client machine errors or server process errors

These look like corrupted messages. Maybe caused by a weak wireless
reception where the client is just barely able to transmit and receive.

Since you mentioned you had upgraded to a new cert, did the certificate
size grow? This would mean there's more to transfer correctly during the
authentication.

You could also try this:

EAPTLS_MaxFragmentSize 1000

This may help with devices that are unable to handle large messages. See
the reference manual for more.

Thanks!
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.