[RADIATOR] certificate problems

Eric W. Bates ericx at whoi.edu
Wed Jun 3 13:29:07 UTC 2020

Thanks. I really like the Wireshark idea.

On 6/3/20 9:11 AM, Heikki Vatiainen wrote:
> On 3.6.2020 15.44, Eric W. Bates wrote:
>> We use certificates signed by InCommon and over the weekend several 
>> older intermediate certificates expired; so I updated the chain file.
>> Now I'm getting:
>> Tue Jun  2 22:21:17 2020 630517: DEBUG: EAP result: 1, EAP TTLS 
>> Handshake unsuccessful:  2861: 1 - error:14094418:SSL 
>> routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
>> so from "unknown ca" I have to assume I screwed up the chain.
> It also could be that client profile does not trust the new root CA or 
> it's not present in client's CA certificate storage.
>> Is there a way similar to "openssl s_client" to pull the certificate 
>> chain from Radiator? I just want to confirm what cert chain is being 
>> offered.
> Wireshark could also work here. If you capture RADIUS with TLS backed 
> EAP, such as PEAP, wireshark can reconstruct TLS handshake from the 
> capture.
> Edit: just noticed that you're looking at rad_eap_test. Please let us 
> know how it goes.
> Thanks,
> Heikki

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4188 bytes
Desc: S/MIME Cryptographic Signature
URL: <https://lists.open.com.au/pipermail/radiator/attachments/20200603/dbfd59d5/attachment-0001.p7s>

More information about the radiator mailing list