Frequent Contributor I
Posts: 85
Registered: ‎10-17-2012

TLS_accept:error in SSLv3 read client certificate A

Hello,

I'm getting the following message in the log details, although everything is working perfectly.

I'm actually matching the certificate to the user and machine with CRL, and all seems fine.

Any ideas on this?

The error is TLS_accept:error in SSLv3 read client certificate A

Aruba
Posts: 113
Registered: ‎11-21-2011

Re: TLS_accept:error in SSLv3 read client certificate A

What's the surrounding context?  This is probably a non-issue.

MVP
Posts: 1,392
Registered: ‎11-30-2011

Re: TLS_accept:error in SSLv3 read client certificate A

Not trying to hijack, but I see this often also. Here is some content: an Android phone successfully authenticating with PEAP MSCHAPv2.

 

2012-12-19 08:40:30,206[Th 2 Req 9399 SessId R000003aa-01-50d16f6e] DEBUG RadiusServer.Radius -     TLS_accept: before/accept initialization
2012-12-19 08:40:30,206[Th 2 Req 9399 SessId R000003aa-01-50d16f6e] DEBUG RadiusServer.Radius -   rlm_eap_tls: <<< TLS 1.0 Handshake [length 00b9], ClientHello
2012-12-19 08:40:30,206[Th 2 Req 9399 SessId R000003aa-01-50d16f6e] DEBUG RadiusServer.Radius -     TLS_accept: SSLv3 read client hello A
2012-12-19 08:40:30,206[Th 2 Req 9399 SessId R000003aa-01-50d16f6e] DEBUG RadiusServer.Radius -   rlm_eap_tls: >>> TLS 1.0 Handshake [length 0035], ServerHello
2012-12-19 08:40:30,206[Th 2 Req 9399 SessId R000003aa-01-50d16f6e] DEBUG RadiusServer.Radius -     TLS_accept: SSLv3 write server hello A
2012-12-19 08:40:30,206[Th 2 Req 9399 SessId R000003aa-01-50d16f6e] DEBUG RadiusServer.Radius -   rlm_eap_tls: >>> TLS 1.0 Handshake [length 0ca7], Certificate
2012-12-19 08:40:30,206[Th 2 Req 9399 SessId R000003aa-01-50d16f6e] DEBUG RadiusServer.Radius -     TLS_accept: SSLv3 write certificate A
2012-12-19 08:40:30,218[Th 2 Req 9399 SessId R000003aa-01-50d16f6e] DEBUG RadiusServer.Radius -   rlm_eap_tls: >>> TLS 1.0 Handshake [length 018d], ServerKeyExchange
2012-12-19 08:40:30,219[Th 2 Req 9399 SessId R000003aa-01-50d16f6e] DEBUG RadiusServer.Radius -     TLS_accept: SSLv3 write key exchange A
2012-12-19 08:40:30,219[Th 2 Req 9399 SessId R000003aa-01-50d16f6e] DEBUG RadiusServer.Radius -   rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
2012-12-19 08:40:30,219[Th 2 Req 9399 SessId R000003aa-01-50d16f6e] DEBUG RadiusServer.Radius -     TLS_accept: SSLv3 write server done A
2012-12-19 08:40:30,219[Th 2 Req 9399 SessId R000003aa-01-50d16f6e] DEBUG RadiusServer.Radius -     TLS_accept: SSLv3 flush data
2012-12-19 08:40:30,219[Th 2 Req 9399 SessId R000003aa-01-50d16f6e] INFO  RadiusServer.Radius -     TLS_accept:error in SSLv3 read client certificate A
2012-12-19 08:40:30,219[Th 2 Req 9399 SessId R000003aa-01-50d16f6e] DEBUG RadiusServer.Radius - In SSL Handshake Phase
2012-12-19 08:40:30,219[Th 2 Req 9399 SessId R000003aa-01-50d16f6e] DEBUG RadiusServer.Radius - In SSL Accept mode 
2012-12-19 08:40:30,219[Th 2 Req 9399 SessId R000003aa-01-50d16f6e] DEBUG RadiusServer.Radius -   eaptls_process returned 13
2012-12-19 08:40:30,219[Th 2 Req 9399 SessId R000003aa-01-50d16f6e] DEBUG RadiusServer.Radius -   rlm_eap_peap: EAPTLS_HANDLED
2012-12-19 08:40:30,219[Th 2 Req 9399 SessId R000003aa-01-50d16f6e] DEBUG RadiusServer.Radius -   rlm_eap: eap_compose returned 3
2012-12-19 08:40:30,219[Th 2 Req 9399 SessId R000003aa-01-50d16f6e] DEBUG RadiusServer.Radius - rlm_eap: eap_list_add EAP-State = 0x005a004e005b001fb7240000683d7ac2c0dc505a
2012-12-19 08:40:30,219[Th 2 Req 9399 SessId R000003aa-01-50d16f6e] DEBUG RadiusServer.Radius -   modcall[authenticate]: module "svc_3001_eap" returns handled for request 9399
2012-12-19 08:40:30,219[Th 2 Req 9399 SessId R000003aa-01-50d16f6e] DEBUG RadiusServer.Radius - modcall: leaving group svc_3001_eap (returns handled) for request 9399
2012-12-19 08:40:30,219[Th 2 Req 9399 SessId R000003aa-01-50d16f6e] DEBUG RadiusServer.Radius - The request contains following state_items
2012-12-19 08:40:30,219[Th 2 Req 9399 SessId R000003aa-01-50d16f6e] DEBUG RadiusServer.Radius - Service-State = 0x009e002800bc00acb72400005dedeac7a2d26bb25fb45fff9c0bcce6
2012-12-19 08:40:30,219[Th 2 Req 9399 SessId R000003aa-01-50d16f6e] DEBUG RadiusServer.Radius - EAP-State = 0x005a004e005b001fb7240000683d7ac2c0dc505a
2012-12-19 08:40:30,219[Th 2 Req 9399 SessId R000003aa-01-50d16f6e] DEBUG RadiusServer.Radius - The request contains following session_id
2012-12-19 08:40:30,219[Th 2 Req 9399 SessId R000003aa-01-50d16f6e] DEBUG RadiusServer.Radius - Session-Id = "R000003aa-01-50d16f6e"
2012-12-19 08:40:30,219[Th 2 Req 9399 SessId R000003aa-01-50d16f6e] DEBUG RadiusServer.Radius - The request contains following session messages
2012-12-19 08:40:30,219[Th 2 Req 9399 SessId R000003aa-01-50d16f6e] DEBUG RadiusServer.Radius - The request error code 0
Aruba Employee
Posts: 37
Registered: ‎11-04-2011

Re: TLS_accept:error in SSLv3 read client certificate A

With EAP-PEAP w/MSCHAPv2 we don't see a client certificate, so this error is harmless.

MVP
Posts: 702
Registered: ‎03-25-2009

Re: TLS_accept:error in SSLv3 read client certificate A

And what if we get this error while trying to do EAP-TLS?

Currently no IOS7 clients are able to connect because of this. IOS6 or any other device pose no issues.

 

2013-10-02 14:48:54,452[Th 7 Req 260 SessId R00000018-01-524c1636] ERROR RadiusServer.Radius - TLS Alert read:warning:close notify
2013-10-02 14:48:54,452[Th 7 Req 260 SessId R00000018-01-524c1636] ERROR RadiusServer.Radius - TLS_accept:failed in SSLv3 read client certificate A
2013-10-02 14:48:54,452[Th 7 Req 260 SessId R00000018-01-524c1636] ERROR RadiusServer.Radius - rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails. error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
Koen (ACMX #351 | ACDX #547 | ACCP)

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
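
An added triage example (not part of the original thread, and not Aruba or FreeRADIUS code): it groups log lines by SessId and separates the INFO-level "TLS_accept:error in" notice seen in the successful PEAP excerpt from the "TLS_accept:failed in" / "TLS session fails" pattern seen in the failing EAP-TLS excerpt. The function name, verdict labels and the heuristic itself are assumptions drawn only from the two excerpts quoted above.

```python
import re
from collections import defaultdict

# Sample assembled from lines quoted in the posts above (abridged).
SAMPLE_LOG = """\
2012-12-19 08:40:30,219[Th 2 Req 9399 SessId R000003aa-01-50d16f6e] DEBUG RadiusServer.Radius -     TLS_accept: SSLv3 flush data
2012-12-19 08:40:30,219[Th 2 Req 9399 SessId R000003aa-01-50d16f6e] INFO  RadiusServer.Radius -     TLS_accept:error in SSLv3 read client certificate A
2012-12-19 08:40:30,219[Th 2 Req 9399 SessId R000003aa-01-50d16f6e] DEBUG RadiusServer.Radius -   rlm_eap_peap: EAPTLS_HANDLED
2013-10-02 14:48:54,452[Th 7 Req 260 SessId R00000018-01-524c1636] ERROR RadiusServer.Radius - TLS Alert read:warning:close notify
2013-10-02 14:48:54,452[Th 7 Req 260 SessId R00000018-01-524c1636] ERROR RadiusServer.Radius - TLS_accept:failed in SSLv3 read client certificate A
2013-10-02 14:48:54,452[Th 7 Req 260 SessId R00000018-01-524c1636] ERROR RadiusServer.Radius - rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails. error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
"""

# Line layout as it appears in the excerpts: timestamp[Th n Req n SessId id] LEVEL logger - message
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\[Th \d+ Req \d+ SessId (?P<sess>\S+)\]\s+"
    r"(?P<level>[A-Z]+)\s+\S+ -\s+(?P<msg>.*)$")
# OpenSSL error string: error:<code>:<library>:<function>:<reason>
ERR_RE = re.compile(r"error:[0-9A-F]{8}:[^:]+:[^:]+:(?P<reason>.+)$")

FATAL = ("TLS_accept:failed in", "TLS session fails")  # seen only in the failing session
NOTICE = "TLS_accept:error in"                         # seen in the successful session

def triage(log_text):
    """Return {session_id: (verdict, openssl_reason_or_None)} for flagged sessions."""
    sessions = defaultdict(lambda: {"notice": 0, "fatal": 0, "reason": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not follow the expected layout
        msg, s = m["msg"], sessions[m["sess"]]
        if any(marker in msg for marker in FATAL):
            s["fatal"] += 1
            err = ERR_RE.search(msg)
            if err:
                s["reason"] = err["reason"].strip()
        elif NOTICE in msg:
            s["notice"] += 1
    verdicts = {}
    for sess, s in sessions.items():
        if s["fatal"]:
            verdicts[sess] = ("handshake-failed", s["reason"])
        elif s["notice"]:
            verdicts[sess] = ("benign-notice", None)
    return verdicts

if __name__ == "__main__":
    for sess, verdict in triage(SAMPLE_LOG).items():
        print(sess, verdict)
```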
Aruba
Posts: 1,520
Registered: ‎06-12-2012

Re: TLS_accept:error in SSLv3 read client certificate A

I have seen an issue where the IOS7 devices are very strict on the certs they accept, where IOS6 would have no issue, so double check the root, intermediate, and server cert.
Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
MVP
Posts: 702
Registered: ‎03-25-2009

Re: TLS_accept:error in SSLv3 read client certificate A

I'll gladly verify more, but what exactly should I verify? 

Where might a certificate be insufficient to do EAP-TLS? I'm using CPPM as the root CA.

Koen (ACMX #351 | ACDX #547 | ACCP)

MVP
Posts: 702
Registered: ‎03-25-2009

Re: TLS_accept:error in SSLv3 read client certificate A

My issue turned out to be a trust issue.

 

Guest > onboard+workspace > Onboard/MDM Configuration > Network Settings > *your profile* > Trust tab

I had selected to automatically configure trust settings.

Even though the cppm ssl certificate included the entire chain this wasn't working properly.

 

The fix was to change this to manually configure the trust settings. Cut up the server cert into its CA and intermediate CAs and upload those individually and then add them as trusted certificates.

 

Thank you TAC for solving this.

 

Koen (ACMX #351 | ACDX #547 | ACCP)

Aruba
Posts: 1,520
Registered: ‎06-12-2012

Re: TLS_accept:error in SSLv3 read client certificate A

Thank you for the follow up. :)
Thank You,
Troy
