Error In Sslv3 Read Client Certificate A
EAP-TLS Authentication fails (TLS_accept: error in SSLv3 read client certificate B)

On 11/27/2013 10:15 AM, Esma Yalcinkaya wrote:
> My application runs on glassfish server, so I import the cert files to
> keystore. Also tried to import cert files to cacerts
> directory(/java/jdk1.6.0_34/jre/lib/security/cacerts) but it did not work.
>
> I import the server.crt too, and try to authenticate now, but nothing
> has changed.
>
> I am continuing to debug the logs(server logs, freeradius logs etc).
>
> Let me ask a question, I am new at freeradius. Although this error
> occurs for SSLv3 read client certificate B, there is no error occurrence
> for certificate A like below.
>
> [tls] TLS_accept: SSLv3 write certificate request A
> [tls] TLS_accept: SSLv3 flush data
> [tls] TLS_accept: Need to read more data: SSLv3 read client certificate A
>
> I did not understand this log, what does it mean "need to read more data"?

It means exactly what Alan said below. It's waiting for the peer to send a client certificate.

TLS works by performing a number of exchanges in what is called "handshaking". The handshake exchanges negotiate the type of TLS connection which is going to be established. Certificate exchange is part of the handshake process. A server certificate is always sent to the client so the client can validate the server. This is known as server only validation, the server does not care who the client is.

But TLS is also capable of mutual authentication where the client must authenticate to the server as well so the server knows who the client is. This is the basis of eap-tls, it's using the client TLS validation as an authentication of the client.

During the TLS handshake the server will send a request to the client saying "please send me your certificate". That's what is happening here, the server has made a request for a client cert and now it's waiting to read that response from the client. If that response does not arrive then this is not a FreeRADIUS issue, it's a problem with your eap-tls client.

> > TLS_accept: error in SSLv3 read client certificate B
> > rlm_eap: SSL error error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
> >
> > The end user system isn't sending over a client certificate.

--
John
Source: http://lists.freeradius.org/pipermail/freeradius-users/2013-November/069315.html

SSL user authentication not working in Apache
Source: http://serverfault.com/questions/387921/ssl-user-authentication-not-working-in-apache

I'm facing a problem with authenticating clients through their ssl certificates which seems similar to a lot of problems I found throughout the net - unfortunately to no solution.

Setup is: apache 2.2, mod_ssl, openssl on Debian linux. I have a client using a Globalsign PersonalSign certificate to authenticate. I have set up SSLCACertificatePath I think correctly since apache debug tells me:

    [Thu May 10 15:31:35 2012] [debug] ssl_engine_init.c(1196): CA certificate: /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
    [Thu May 10 15:31:35 2012] [debug] ssl_engine_init.c(1196): CA certificate: /C=BE/O=GlobalSign nv-sa/CN=GlobalSign PersonalSign 1 CA - G2
    [Thu May 10 15:31:35 2012] [debug] ssl_engine_init.c(1196): CA certificate: /C=BE/O=GlobalSign nv-sa/CN=GlobalSign PersonalSign 1 CA - G2
    [Thu May 10 15:31:35 2012] [debug] ssl_engine_init.c(1196): CA certificate: /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA

I don't know why both certificates are twice in this list. Hashes are symlinked correctly via c_rehash utility.

Now the client authenticates (I copy what I think are the relevant entries from the debug log):

    Certificate Verification: depth: 1, subject: /C=BE/O=GlobalSign nv-sa/CN=GlobalSign PersonalSign 1 CA - G2, issuer: /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
    Certificate Verification: Error (20): unable to get local issuer certificate
    OpenSSL: Write: SSLv3 read client certificate B
    OpenSSL: Exit: error in SSLv3 read client certificate B
    Re-negotiation handshake failed: Not accepted by
Error in SSLv2/SSLv3 read client hello
Source: http://stackoverflow.com/questions/31303077/error-in-sslv2-sslv3-read-client-hello

Background: I am trying to set up reverse proxy for my internal business users for site validation when the external route is down. I am able to set up multiple routes with corresponding virtualhosts entries in httpd.conf for port 80: anonymous user. Am afraid am stuck at SSL route and unable to make progress. I have been to multiple forums but unable to find a response which assists me in moving further.

Server Details:

Apache version: Apache/2.2.29 (Unix)

Linux Version:

    $ cat /etc/*-release
    Enterprise Linux Enterprise Linux Server release 5.8 (Carthage)
    Oracle Linux Server release 5.8
    Red Hat Enterprise Linux Server release 5.8 (Tikanga)

Problem: When I try to access over SSL (*:443) I get empty response on all 3 browsers (IE/Chrome/Firefox).

Note: I generated self signed certificate following instructions at How to Create and Install an Apache Self Signed Certificate.

Troubleshooting

Error Log

    [Wed Jul 08 23:16:06 2015] [notice] Digest: generating secret for digest authentication ...
    [Wed Jul 08 23:16:06 2015] [notice] Digest: done
    [Wed Jul 08 23:16:06 2015] [debug] util_ldap.c(1990): LDAP merging Shared Cache conf: shm=0x21b6ff0 rmm=0x21b7048 for VHOST: stgwww.cos.agilent.com
    [Wed Jul 08 23:16:06 2015] [debug] util_ldap.c(1990): LDAP merging Shared Cache conf: shm=0x21b6ff0 rmm=0x21b7048 for VHOST: stgwww.cos.agilent.com
    [Wed Jul 08 23:16:06 2015] [info] APR LDAP: Built with OpenLDAP LDAP SDK
    [Wed Jul 08 23:16:06 2015] [info] LDAP: SSL support available
    [Wed Jul 08 23:16:06 2015] [info] mod_unique_id: using ip addr 127.0.0.1
    [Wed Jul 08 23:16:07 2015] [info] Init: Seeding PRNG with 144 bytes of entropy
    [Wed Jul 08 23:16:07 2015] [info] Loading certificate & private key of SSL-aware server
    [Wed Jul 08 23:16:07 2015] [debug] ssl_engine_pphrase.c(470): unencrypted RSA private key - pass phrase not required
    [Wed