[RADIATOR] certificate problems
Heikki Vatiainen
hvn at open.com.au
Wed Jun 3 13:11:42 UTC 2020
On 3.6.2020 15.44, Eric W. Bates wrote:
> We use certificates signed by InCommon and over the weekend several
> older intermediate certificates expired; so I updated the chain file.
>
> Now I'm getting:
>
> Tue Jun 2 22:21:17 2020 630517: DEBUG: EAP result: 1, EAP TTLS
> Handshake unsuccessful: 2861: 1 - error:14094418:SSL
> routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
>
> so from "unknown ca" I have to assume I screwed up the chain.

It also could be that the client profile does not trust the new root CA or
it's not present in the client's CA certificate storage.

> Is there a way similar to "openssl s_client" to pull the certificate
> chain from Radiator? I just want to confirm what cert chain is being
> offered.

Wireshark could also work here. If you capture RADIUS with TLS-backed
EAP, such as PEAP, Wireshark can reconstruct the TLS handshake from the capture.

Edit: just noticed that you're looking at rad_eap_test. Please let us
know how it goes.

Thanks,
Heikki
--
Heikki Vatiainen <hvn at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.
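
Added example, not part of the original message and not Radiator code: a small triage helper that decodes the OpenSSL error code in the debug line quoted above and reports whether the TLS alert was received from the peer or the failure was detected locally. It assumes the OpenSSL 1.0/1.1 error layout (8 hex digits: library, function, reason); the function name and the second sample line are constructed for illustration.

```python
import re

# OpenSSL 1.0/1.1 packs an error as 0xLLFFFRRR: library, function, reason.
ERR_LIB_SSL = 20
SSL_AD_REASON_OFFSET = 1000  # reason = 1000 + alert number when an alert was received

# TLS alert descriptions that concern certificates (RFC 5246, section 7.2).
CERT_ALERTS = {
    42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired",
    46: "certificate_unknown", 48: "unknown_ca",
}

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")


def decode_openssl_error(log_line):
    """Return lib/func/reason and, for a received TLS alert, its number and name."""
    m = ERR_RE.search(log_line)
    if m is None:
        return None
    code = int(m.group(1), 16)
    lib, func, reason = code >> 24, (code >> 12) & 0xFFF, code & 0xFFF
    result = {"lib": lib, "func": func, "reason": reason,
              "alert": None, "alert_name": None, "raised_by": "local"}
    if lib == ERR_LIB_SSL and reason > SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET
        result.update(alert=alert, raised_by="peer",
                      alert_name=CERT_ALERTS.get(alert, "alert %d" % alert))
    return result


# The debug line from the message above, with the e-mail line wrapping undone.
POSTED = ("Tue Jun 2 22:21:17 2020 630517: DEBUG: EAP result: 1, EAP TTLS "
          "Handshake unsuccessful: 2861: 1 - error:14094418:SSL "
          "routines:SSL3_READ_BYTES:tlsv1 alert unknown ca")
# Constructed contrast case: a verification failure detected by the server itself.
CONSTRUCTED = ("Tue Jun 2 22:30:00 2020 000000: DEBUG: EAP result: 1, EAP TLS "
               "Handshake unsuccessful: error:14089086:SSL "
               "routines:ssl3_get_client_certificate:certificate verify failed")

if __name__ == "__main__":
    for line in (POSTED, CONSTRUCTED):
        print(decode_openssl_error(line))
```

For the posted line the result is alert 48 (unknown_ca) raised by the peer: the client sent the alert to the server, so the check belongs on the chain the server offers and on the client's trusted CA store.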