[RADIATOR] certificate problems
Eric W. Bates
ericx at whoi.edu
Wed Jun 3 13:29:07 UTC 2020
Thanks. I really like the Wireshark idea.
On 6/3/20 9:11 AM, Heikki Vatiainen wrote:
> On 3.6.2020 15.44, Eric W. Bates wrote:
>> We use certificates signed by InCommon and over the weekend several
>> older intermediate certificates expired; so I updated the chain file.
>>
>> Now I'm getting:
>>
>> Tue Jun 2 22:21:17 2020 630517: DEBUG: EAP result: 1, EAP TTLS
>> Handshake unsuccessful: 2861: 1 - error:14094418:SSL
>> routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
>>
>> so from "unknown ca" I have to assume I screwed up the chain.
>
> It also could be that the client profile does not trust the new root CA or
> it's not present in the client's CA certificate storage.
>
>> Is there a way similar to "openssl s_client" to pull the certificate
>> chain from Radiator? I just want to confirm what cert chain is being
>> offered.
>
> Wireshark could also work here. If you capture RADIUS with TLS-backed
> EAP, such as PEAP, Wireshark can reconstruct the TLS handshake from the
> capture.
>
> Edit: just noticed that you're looking at rad_eap_test. Please let us
> know how it goes.
>
> Thanks,
> Heikki
>
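
Added example (not part of the original messages and not Radiator's own tooling): a local audit of the chain file itself, which complements confirming the offered chain from a capture as discussed above. It assumes a PEM bundle ordered leaf first with each issuer following, and an `openssl` binary on the PATH; the function name `check_chain` and the file name in the usage comment are hypothetical.

```bash
# Audit a PEM chain file: list every certificate, flag expired ones and
# flag certificates that are not the issuer of the one before them.
# Assumption: the bundle is ordered leaf first, then each issuer in turn.
# Returns 0 if clean, 1 if a problem was found, 2 if no certificate was found.
check_chain() {
    local file="$1" window="${2:-0}" tmp c rc=0 idx=0 want="" shash ihash subj end
    tmp=$(mktemp -d) || return 2
    # Split the bundle into one file per certificate.
    awk -v d="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%03d.pem", d, n) }
        out != "" { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$file"
    for c in "$tmp"/cert*.pem; do
        if [ ! -e "$c" ]; then
            echo "no certificates found in $file"
            rc=2; break
        fi
        idx=$((idx + 1))
        subj=$(openssl x509 -in "$c" -noout -subject)
        end=$(openssl x509 -in "$c" -noout -enddate)
        shash=$(openssl x509 -in "$c" -noout -subject_hash)
        ihash=$(openssl x509 -in "$c" -noout -issuer_hash)
        echo "[$idx] $subj ($end)"
        # -checkend exits non-zero if the cert expires within $window seconds.
        if ! openssl x509 -in "$c" -noout -checkend "$window" >/dev/null; then
            echo "    PROBLEM: expired or expiring within ${window}s"; rc=1
        fi
        # The previous certificate's issuer must be this certificate's subject.
        if [ -n "$want" ] && [ "$shash" != "$want" ]; then
            echo "    PROBLEM: not the issuer of certificate $((idx - 1))"; rc=1
        fi
        if [ "$shash" = "$ihash" ]; then
            echo "    self-signed (root)"
        fi
        want=$ihash
    done
    rm -rf "$tmp"
    return "$rc"
}
# Usage (hypothetical file name): check_chain chain.pem 2592000   # 30-day window
```

A clean result only shows the file is internally consistent and unexpired; the client must still trust the root the chain ends at.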