[RADIATOR] Unknown SSL errors

Michael Hulko mihulko at uwo.ca
Fri Sep 2 08:36:46 CDT 2011


Thanks for the response and clarity.  The upgraded cert itself did not increase in size, but the key increased. We are using " EAPTLS_MaxFragmentSize 1000" in our configurations.  The indications that corruption is taking place somewhere along the path will need to be further investigated.

Although it appears that these errors are more indicative of client communication errors and not necessarily server or certificate issues, would it best to move to the latest version of Radiator??  I am sure this is already documentented somewhere, but I will ask in an effort to expediate an assumption, is Radiator multi-threaded or can support multi-threading?

Respectfully

Michael Hulko



-----Original Message-----
From: Heikki Vatiainen [mailto:hvn at open.com.au] 
Sent: Friday, September 02, 2011 5:12 AM
To: Michael Hulko
Cc: radiator at open.com.au
Subject: Re: [RADIATOR] Unknown SSL errors

On 09/02/2011 12:09 AM, Michael Hulko wrote:
> We are currently running 2 Radiator servers ver4.5.1.

> We have recently upgraded our certs to Thawte 2048 bit. 

> I have noticed an increase in the number of the these messages:

> EAP TLS error: -1, 1, 8576,  9408: 1 - error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

Likely a corrupted packet. This comes from the SSL libraries Radiator
uses. The library is telling it did not like SSL version when it did not
find TLS1.0 or later but some corrupted values instead.

> ERR: EAP PEAP TLS Handshake unsuccessful:  9408: 1 - error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version

Alert comes from the client. The client probably received a corrupted
packet.

> ERR: EAP PEAP TLS read failed: 3888: 1 - error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record

Likely caused by a corrupted packet too. The corrupton was detected by
TLS layer.

> I am unsure of what these are indicative of.  Are these client machine errors or server process errors

These look like corrupted messages. Maybe caused by a weak wireless
reception where the client is just barely able to transmit and receive.

Since you mentioned you had upgraded to a new cert, did the certificate
size grow? This would mean there's more to transfer correctly during the
authentication.

You could also try this:

EAPTLS_MaxFragmentSize 1000

This may help with devices that are unable to handle large messages. See
the reference manual for more.

Thanks!
Heikki


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.



More information about the radiator mailing list