• freeradius 错误: error:140890C7:SSL routines:ssl3_get_client_certificate:peer did not return a certificate


    在进行802.1x 测试时遇到如下问题:

    Waking up in 4.6 seconds.
    (156) Received Access-Request Id 82 from 192.168.1.126:44896 to 192.168.1.122:1812 length 524
    (156)   User-Name = "dddddd"
    (156)   Called-Station-Id = "70-CC-CC-E3-00-91:myssid"
    (156)   NAS-Port-Type = Wireless-802.11
    (156)   NAS-Port = 1
    (156)   Calling-Station-Id = "70-CC-CC-E1-22-35"
    (156)   Connect-Info = "CONNECT 54Mbps 802.11g"
    (156)   Acct-Session-Id = "59BD3E8C-000000DB"
    (156)   Framed-MTU = 1400
    (156)   EAP-Message = 0x025101580d0016030100070b00000300000016030101061000010201005334a243b0db1f6b723285cb5c7e721c0c14fde8164460fdf99b40e26ef1e98c4388577b61732cf224c668bd961722be74963d055c18293b95d9ed937e331d4ad0f0afaba131a9a3d1c8d1b44d201a9a26ff9ddf6b26deb7ee58
    (156)   State = 0xf8598809fd08850a5fc36ea7518e8167
    (156)   Message-Authenticator = 0x33eb613f3409a98c69ee6ab0e649785b
    (156) session-state: No cached attributes
    (156) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
    (156)   authorize {
    (156)     policy filter_username {
    (156)       if (&User-Name) {
    (156)       if (&User-Name)  -> TRUE
    (156)       if (&User-Name)  {
    (156)         if (&User-Name =~ / /) {
    (156)         if (&User-Name =~ / /)  -> FALSE
    (156)         if (&User-Name =~ /@[^@]*@/ ) {
    (156)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
    (156)         if (&User-Name =~ /../ ) {
    (156)         if (&User-Name =~ /../ )  -> FALSE
    (156)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+).(.+)$/))  {
    (156)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+).(.+)$/))   -> FALSE
    (156)         if (&User-Name =~ /.$/)  {
    (156)         if (&User-Name =~ /.$/)   -> FALSE
    (156)         if (&User-Name =~ /@./)  {
    (156)         if (&User-Name =~ /@./)   -> FALSE
    (156)       } # if (&User-Name)  = notfound
    (156)     } # policy filter_username = notfound
    (156)     [preprocess] = ok
    (156)     [chap] = noop
    (156)     [mschap] = noop
    (156)     [digest] = noop
    (156) suffix: Checking for suffix after "@"
    (156) suffix: No '@' in User-Name = "dddddd", looking up realm NULL
    (156) suffix: No such realm "NULL"
    (156)     [suffix] = noop
    (156) eap: Peer sent EAP Response (code 2) ID 81 length 344
    (156) eap: No EAP Start, assuming it's an on-going EAP conversation
    (156)     [eap] = updated
    (156) files: users: Matched entry huwomo at line 221
    (156)     [files] = ok
    (156)     [expiration] = noop
    (156)     [logintime] = noop
    (156) pap: WARNING: Auth-Type already set.  Not setting to PAP
    (156)     [pap] = noop
    (156)   } # authorize = updated
    (156) Found Auth-Type = eap
    (156) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
    (156)   authenticate {
    (156) eap: Expiring EAP session with state 0xf8598809fd08850a
    (156) eap: Finished EAP session with state 0xf8598809fd08850a
    (156) eap: Previous EAP request found for state 0xf8598809fd08850a, released from the list
    (156) eap: Peer sent packet with method EAP TLS (13)
    (156) eap: Calling submodule eap_tls to process data
    (156) eap_tls: Continuing EAP-TLS
    (156) eap_tls: [eaptls verify] = ok
    (156) eap_tls: Done initial handshake
    (156) eap_tls: <<< recv TLS 1.0 Handshake [length 0007], Certificate
    (156) eap_tls: >>> send TLS 1.0 Alert [length 0002], fatal handshake_failure
    (156) eap_tls: ERROR: TLS Alert write:fatal:handshake failure
    tls: TLS_accept: Error in error
    (156) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:140890C7:SSL routines:ssl3_get_client_certificate:peer did not return a certificate
    (156) eap_tls: ERROR: System call (I/O) error (-1)
    (156) eap_tls: ERROR: TLS receive handshake failed during operation
    (156) eap_tls: ERROR: [eaptls process] = fail
    (156) eap: ERROR: Failed continuing EAP TLS (13) session.  EAP sub-module failed
    (156) eap: Sending EAP Failure (code 4) ID 81 length 4
    (156) eap: Failed in EAP select
    (156)     [eap] = invalid
    (156)   } # authenticate = invalid
    (156) Failed to authenticate the user
    (156) Using Post-Auth-Type Reject
    (156) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
    (156)   Post-Auth-Type REJECT {
    (156) attr_filter.access_reject: EXPAND %{User-Name}
    (156) attr_filter.access_reject:    --> huwomo
    (156) attr_filter.access_reject: Matched entry DEFAULT at line 11
    (156)     [attr_filter.access_reject] = updated
    (156)     [eap] = noop
    (156)     policy remove_reply_message_if_eap {
    (156)       if (&reply:EAP-Message && &reply:Reply-Message) {
    (156)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
    (156)       else {
    (156)         [noop] = noop
    (156)       } # else = noop
    (156)     } # policy remove_reply_message_if_eap = noop
    (156)   } # Post-Auth-Type REJECT = updated
    (156) Login incorrect (eap_tls: TLS Alert write:fatal:handshake failure): [huwomo] (from client hwm port 1 cli 78-C2-C0-E1-22-35)
    (156) Delaying response for 1.000000 seconds

    EAP-TLS  测试过程中, freeradius 服务器端报错如上,没有得到client端正确的证书。

    而 client端 报出的错误是  密钥解析错误,跟踪 wpa_supplicant 代码,得到如下内容:

    Thu Sep 21 17:35:18 2017 user.debug syslog: eap_peer_sm_step_received 697
    Thu Sep 21 17:35:18 2017 user.debug syslog: EAP: Status notification: started (param=)
    Thu Sep 21 17:35:19 2017 user.debug syslog: EAP: Status notification: refuse proposed method (param=PEAP)
    Thu Sep 21 17:35:19 2017 user.debug syslog: EAP: Status notification: accept proposed method (param=TLS)
    Thu Sep 21 17:35:19 2017 user.debug syslog: sm_EAP_GET_METHOD_Enter 290, selectedMethod : 0, reqMethod : 13
    Thu Sep 21 17:35:19 2017 user.debug syslog: EAP: Initialize selected EAP method: vendor 0 method 13 (TLS)
    Thu Sep 21 17:35:19 2017 user.debug syslog: asn1_parse_oid 95 
    Thu Sep 21 17:35:19 2017 user.debug syslog: crypto_private_key_import 50
    Thu Sep 21 17:35:19 2017 user.debug syslog: pkcs8_enc_key_import 156 class : 0, tag : d
    Thu Sep 21 17:35:19 2017 user.debug syslog: Trying to parse PKCS #1 encoded RSA private key
    Thu Sep 21 17:35:19 2017 user.debug syslog: crypto_rsa_import_private_key 199 class : 0, tag : d
    Thu Sep 21 17:35:19 2017 user.debug syslog: crypto_private_key_import 44
    Thu Sep 21 17:35:19 2017 user.debug syslog: pkcs8_key_import 27
    Thu Sep 21 17:35:19 2017 user.debug syslog: pkcs8_key_import 45 class : 0, tag : 10
    Thu Sep 21 17:35:19 2017 user.debug syslog: crypto_private_key_import 50
    Thu Sep 21 17:35:19 2017 user.debug syslog: pkcs5_decrypt 187
    Thu Sep 21 17:35:19 2017 user.debug syslog: pkcs5_get_params 54
    Thu Sep 21 17:35:19 2017 user.debug syslog: asn1_parse_oid 95
    Thu Sep 21 17:35:19 2017 user.debug syslog: PKCS #5: encryption algorithm 1.2.840.113549.1.5.13
    Thu Sep 21 17:35:19 2017 user.debug syslog: PKCS #5: unsupported encryption algorithm 1.2.840.113549.1.5.13
    Thu Sep 21 17:35:19 2017 user.debug syslog: Trying to parse PKCS #1 encoded RSA private key
    Thu Sep 21 17:35:19 2017 user.debug syslog: crypto_rsa_parse_integer 41
    Thu Sep 21 17:35:19 2017 user.debug syslog: crypto_rsa_import_private_key 213
    Thu Sep 21 17:35:19 2017 user.debug syslog: TLSv1: Failed to parse private key
    Thu Sep 21 17:35:19 2017 user.debug syslog: eap_tls_init_connection 194 res : -1
    Thu Sep 21 17:35:19 2017 user.debug syslog: EAP-TLS: Start
    Thu Sep 21 17:35:19 2017 user.debug syslog: SSL: Building ACK (type=13 id=217 ver=0)
    Thu Sep 21 17:35:19 2017 user.debug syslog: SSL: Building ACK (type=13 id=218 ver=0)
    Thu Sep 21 17:35:19 2017 user.debug syslog: SSL: Building ACK (type=13 id=219 ver=0)
    Thu Sep 21 17:35:24 2017 user.debug syslog: EAP: Status notification: completion (param=failure)

    在 tlsv1_set_key 中使用 PKCS#1 /  PKCS#5  / PKCS#8 方式解析密钥文件,均解析错误。

    static int tlsv1_set_key(struct tlsv1_credentials *cred,
        const u8 *key, size_t len, const char *passwd)
    {
     syslog(LOG_DEBUG, "%s %d", __func__, __LINE__);
     cred->key = crypto_private_key_import(key, len, passwd);
     if (cred->key == NULL)
      cred->key = tlsv1_set_key_pem(key, len);

     if (cred->key == NULL)
      cred->key = tlsv1_set_key_enc_pem(key, len, passwd);
     
     if (cred->key == NULL) {
      syslog(LOG_DEBUG, "TLSv1: Failed to parse private key");
      wpa_printf(MSG_INFO, "TLSv1: Failed to parse private key");
      return -1;
     }
     return 0;
    }

    其中 使用PKCS#5 解析时,报错如下:

    Thu Sep 21 17:35:19 2017 user.debug syslog: PKCS #5: encryption algorithm 1.2.840.113549.1.5.13
    Thu Sep 21 17:35:19 2017 user.debug syslog: PKCS #5: unsupported encryption algorithm 1.2.840.113549.1.5.13

    查找代码,在函数 pkcs5_get_params 中,解析params->alg = pkcs5_get_alg(&oid); 时,值应该为

    static enum pkcs5_alg pkcs5_get_alg(struct asn1_oid *oid)
    {
     if (oid->len == 7 &&
         oid->oid[0] == 1 /* iso */ &&
         oid->oid[1] == 2 /* member-body */ &&
         oid->oid[2] == 840 /* us */ &&
         oid->oid[3] == 113549 /* rsadsi */ &&
         oid->oid[4] == 1 /* pkcs */ &&
         oid->oid[5] == 5 /* pkcs-5 */ &&
         oid->oid[6] == 3 /* pbeWithMD5AndDES-CBC */)    
      return PKCS5_ALG_MD5_DES_CBC;

     return PKCS5_ALG_UNKNOWN;
    }

    错在最后一位不相符。

    通过查看  OID 节点 网页 http://oidref.com/   上相关内容得知:

     1.2.840.113549.1.5.13    pkcs5 pebs2

    1.2.840.113549.1.5.3        pbeWithMD5AndDES-CBC

    两者加密的方式不同,  前者为 pebs2,  后者为 md5 des-cbc.

    查看wpa-supplicant 修改日志, 得知  2016-10-2,V2.6  的修改日志中记录

    	* TLS client
    	  - do not verify CA certificates when ca_cert is not specified
    	  - support validating server certificate hash
    	  - support SHA384 and SHA512 hashes
    	  - add signature_algorithms extension into ClientHello
    	  - support TLS v1.2 signature algorithm with SHA384 and SHA512
    	  - support server certificate probing
    	  - allow specific TLS versions to be disabled with phase2 parameter
    	  - support extKeyUsage
    	  - support PKCS #5 v2.0 PBES2
    	  - support PKCS #5 with PKCS #12 style key decryption
    	  - minimal support for PKCS #12
    	  - support OCSP stapling (including ocsp_multi)

     了加入了对PEBS2的解析。

    因此将代码升级到相应版本,问题解决。

    此处留有疑问的是: 由于使用git使用的较少, 也懒的移植最新的wpa-supplicant的代码到openwrt  bb版本,从trunk版本上更新了hostapd代码为 2016-01-15  的版本也支持,不知道git跟 官网是怎样对应的。

  • 相关阅读:
    K最近邻kNN-学习笔记
    随机森林学习-sklearn
    matplotlib画堆叠条形图
    PCA和SVD最佳理解
    1,机器学习应用概述
    linux unzip 中文乱码解决方法
    python文件、文件夹操作OS模块
    利用pyecharts做地图数据展示
    描述机器学习之神经网络算法原理
    python-pandas 高级功能(通过学习kaggle案例总结)
  • 原文地址:https://www.cnblogs.com/rohens-hbg/p/7603034.html
Copyright © 2020-2023  润新知