
TLS_accept:error in SSLv3 read client certificate A

  • 1.  TLS_accept:error in SSLv3 read client certificate A

    Posted Dec 18, 2012 06:31 AM

    Hello,

    I'm getting the following message in the log details, although everything is working perfectly.

    I'm actually matching the certificate to the user and machine with CRL and all seems fine.

    Any ideas on this?

    The error is TLS_accept:error in SSLv3 read client certificate A



  • 2.  RE: TLS_accept:error in SSLv3 read client certificate A

    Posted Dec 18, 2012 03:14 PM

    What's the surrounding context?  This is probably a non-issue.



  • 3.  RE: TLS_accept:error in SSLv3 read client certificate A

    Posted Dec 20, 2012 02:06 PM

    Not trying to hijack, but I see this often also. Here is some content: an Android phone successfully authenticating with PEAP MSCHAPv2.

     

    2012-12-19 08:40:30,206[Th 2 Req 9399 SessId R000003aa-01-50d16f6e] DEBUG RadiusServer.Radius -     TLS_accept: before/accept initialization
    2012-12-19 08:40:30,206[Th 2 Req 9399 SessId R000003aa-01-50d16f6e] DEBUG RadiusServer.Radius -   rlm_eap_tls: <<< TLS 1.0 Handshake [length 00b9], ClientHello
    2012-12-19 08:40:30,206[Th 2 Req 9399 SessId R000003aa-01-50d16f6e] DEBUG RadiusServer.Radius -     TLS_accept: SSLv3 read client hello A
    2012-12-19 08:40:30,206[Th 2 Req 9399 SessId R000003aa-01-50d16f6e] DEBUG RadiusServer.Radius -   rlm_eap_tls: >>> TLS 1.0 Handshake [length 0035], ServerHello
    2012-12-19 08:40:30,206[Th 2 Req 9399 SessId R000003aa-01-50d16f6e] DEBUG RadiusServer.Radius -     TLS_accept: SSLv3 write server hello A
    2012-12-19 08:40:30,206[Th 2 Req 9399 SessId R000003aa-01-50d16f6e] DEBUG RadiusServer.Radius -   rlm_eap_tls: >>> TLS 1.0 Handshake [length 0ca7], Certificate
    2012-12-19 08:40:30,206[Th 2 Req 9399 SessId R000003aa-01-50d16f6e] DEBUG RadiusServer.Radius -     TLS_accept: SSLv3 write certificate A
    2012-12-19 08:40:30,218[Th 2 Req 9399 SessId R000003aa-01-50d16f6e] DEBUG RadiusServer.Radius -   rlm_eap_tls: >>> TLS 1.0 Handshake [length 018d], ServerKeyExchange
    2012-12-19 08:40:30,219[Th 2 Req 9399 SessId R000003aa-01-50d16f6e] DEBUG RadiusServer.Radius -     TLS_accept: SSLv3 write key exchange A
    2012-12-19 08:40:30,219[Th 2 Req 9399 SessId R000003aa-01-50d16f6e] DEBUG RadiusServer.Radius -   rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
    2012-12-19 08:40:30,219[Th 2 Req 9399 SessId R000003aa-01-50d16f6e] DEBUG RadiusServer.Radius -     TLS_accept: SSLv3 write server done A
    2012-12-19 08:40:30,219[Th 2 Req 9399 SessId R000003aa-01-50d16f6e] DEBUG RadiusServer.Radius -     TLS_accept: SSLv3 flush data
    2012-12-19 08:40:30,219[Th 2 Req 9399 SessId R000003aa-01-50d16f6e] INFO  RadiusServer.Radius -     TLS_accept:error in SSLv3 read client certificate A
    2012-12-19 08:40:30,219[Th 2 Req 9399 SessId R000003aa-01-50d16f6e] DEBUG RadiusServer.Radius - In SSL Handshake Phase
    2012-12-19 08:40:30,219[Th 2 Req 9399 SessId R000003aa-01-50d16f6e] DEBUG RadiusServer.Radius - In SSL Accept mode 
    2012-12-19 08:40:30,219[Th 2 Req 9399 SessId R000003aa-01-50d16f6e] DEBUG RadiusServer.Radius -   eaptls_process returned 13
    2012-12-19 08:40:30,219[Th 2 Req 9399 SessId R000003aa-01-50d16f6e] DEBUG RadiusServer.Radius -   rlm_eap_peap: EAPTLS_HANDLED
    2012-12-19 08:40:30,219[Th 2 Req 9399 SessId R000003aa-01-50d16f6e] DEBUG RadiusServer.Radius -   rlm_eap: eap_compose returned 3
    2012-12-19 08:40:30,219[Th 2 Req 9399 SessId R000003aa-01-50d16f6e] DEBUG RadiusServer.Radius - rlm_eap: eap_list_add EAP-State = 0x005a004e005b001fb7240000683d7ac2c0dc505a
    2012-12-19 08:40:30,219[Th 2 Req 9399 SessId R000003aa-01-50d16f6e] DEBUG RadiusServer.Radius -   modcall[authenticate]: module "svc_3001_eap" returns handled for request 9399
    2012-12-19 08:40:30,219[Th 2 Req 9399 SessId R000003aa-01-50d16f6e] DEBUG RadiusServer.Radius - modcall: leaving group svc_3001_eap (returns handled) for request 9399
    2012-12-19 08:40:30,219[Th 2 Req 9399 SessId R000003aa-01-50d16f6e] DEBUG RadiusServer.Radius - The request contains following state_items
    2012-12-19 08:40:30,219[Th 2 Req 9399 SessId R000003aa-01-50d16f6e] DEBUG RadiusServer.Radius - Service-State = 0x009e002800bc00acb72400005dedeac7a2d26bb25fb45fff9c0bcce6
    2012-12-19 08:40:30,219[Th 2 Req 9399 SessId R000003aa-01-50d16f6e] DEBUG RadiusServer.Radius - EAP-State = 0x005a004e005b001fb7240000683d7ac2c0dc505a
    2012-12-19 08:40:30,219[Th 2 Req 9399 SessId R000003aa-01-50d16f6e] DEBUG RadiusServer.Radius - The request contains following session_id
    2012-12-19 08:40:30,219[Th 2 Req 9399 SessId R000003aa-01-50d16f6e] DEBUG RadiusServer.Radius - Session-Id = "R000003aa-01-50d16f6e"
    2012-12-19 08:40:30,219[Th 2 Req 9399 SessId R000003aa-01-50d16f6e] DEBUG RadiusServer.Radius - The request contains following session messages
    2012-12-19 08:40:30,219[Th 2 Req 9399 SessId R000003aa-01-50d16f6e] DEBUG RadiusServer.Radius - The request error code 0


  • 4.  RE: TLS_accept:error in SSLv3 read client certificate A
    Best Answer

    Posted Dec 20, 2012 02:19 PM

    With EAP-PEAP w/MSCHAPv2 we don't see a client certificate so this error is harmless.



  • 5.  RE: TLS_accept:error in SSLv3 read client certificate A

    MVP
    Posted Oct 02, 2013 09:42 AM

    And what if we get this error while trying to do EAP-TLS?

    Currently no iOS 7 clients are able to connect because of this. iOS 6 or any other device poses no issues.

     

    2013-10-02 14:48:54,452[Th 7 Req 260 SessId R00000018-01-524c1636] ERROR RadiusServer.Radius - TLS Alert read:warning:close notify
    2013-10-02 14:48:54,452[Th 7 Req 260 SessId R00000018-01-524c1636] ERROR RadiusServer.Radius - TLS_accept:failed in SSLv3 read client certificate A
    2013-10-02 14:48:54,452[Th 7 Req 260 SessId R00000018-01-524c1636] ERROR RadiusServer.Radius - rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails. error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure


  • 6.  RE: TLS_accept:error in SSLv3 read client certificate A

    EMPLOYEE
    Posted Oct 02, 2013 06:34 PM
    I have seen an issue where iOS 7 devices are very strict on the certs they accept where iOS 6 would have no issue, so double-check the root, intermediate, and server cert.


  • 7.  RE: TLS_accept:error in SSLv3 read client certificate A

    MVP
    Posted Oct 03, 2013 07:54 AM

    I'll gladly verify more, but what exactly should I verify? 

    Where might a certificate be insufficient to do EAP-TLS? I'm using CPPM as the root CA.



  • 8.  RE: TLS_accept:error in SSLv3 read client certificate A

    MVP
    Posted Oct 08, 2013 12:07 PM

    My issue turned out to be a trust issue.

     

    Guest > onboard+workspace > Onboard/MDM Configuration > Network Settings > *your profile* > Trust tab

    I had selected to automatically configure trust settings.

    Even though the CPPM SSL certificate included the entire chain this wasn't working properly.

     

    The fix was to change this to manually configure the trust settings. Cut up the server cert into its CA and intermediate CAs and upload those individually and then add them as trusted certificates.

     

    Thank you TAC for solving this.

     



  • 9.  RE: TLS_accept:error in SSLv3 read client certificate A

    EMPLOYEE
    Posted Oct 08, 2013 09:49 PM
    Thank you for the follow up. :)
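
The difference between the two log excerpts in this thread (the INFO-level "TLS_accept:error in" line in the successful PEAP session of reply 3, and the ERROR-level "TLS_accept:failed in" lines of reply 5) can be checked per session with a small script. This is an added example, not part of the original thread and not ClearPass code; the verdict names and the rule that a following EAPTLS_HANDLED line marks the session as continuing are assumptions drawn only from the excerpts quoted above.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines taken in shortened form from the two excerpts in the thread.
SAMPLE_LOG = """\
2012-12-19 08:40:30,219[Th 2 Req 9399 SessId R000003aa-01-50d16f6e] DEBUG RadiusServer.Radius -     TLS_accept: SSLv3 flush data
2012-12-19 08:40:30,219[Th 2 Req 9399 SessId R000003aa-01-50d16f6e] INFO  RadiusServer.Radius -     TLS_accept:error in SSLv3 read client certificate A
2012-12-19 08:40:30,219[Th 2 Req 9399 SessId R000003aa-01-50d16f6e] DEBUG RadiusServer.Radius -   rlm_eap_peap: EAPTLS_HANDLED
2013-10-02 14:48:54,452[Th 7 Req 260 SessId R00000018-01-524c1636] ERROR RadiusServer.Radius - TLS Alert read:warning:close notify
2013-10-02 14:48:54,452[Th 7 Req 260 SessId R00000018-01-524c1636] ERROR RadiusServer.Radius - TLS_accept:failed in SSLv3 read client certificate A
2013-10-02 14:48:54,452[Th 7 Req 260 SessId R00000018-01-524c1636] ERROR RadiusServer.Radius - rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails. error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
"""

# Prefix layout as seen in the thread: timestamp[Th N Req N SessId ID] LEVEL logger - message
LINE_RE = re.compile(
    r"^[\d-]+ [\d:,]+\[Th \d+ Req \d+ SessId (?P<sess>\S+)\] "
    r"(?P<level>[A-Z]+)\s+RadiusServer\.Radius - \s*(?P<msg>.*)$"
)

def triage(log_text):
    """Map each session id to (verdict, evidence lines) for TLS_accept problems."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if match:
            sessions[match["sess"]].append((match["level"], match["msg"].strip()))
    results = {}
    for sess, events in sessions.items():
        # ERROR-level "failed in" / "TLS session fails": the pattern from the broken EAP-TLS session.
        hard = [msg for lvl, msg in events
                if lvl == "ERROR" and ("TLS_accept:failed in" in msg or "TLS session fails" in msg)]
        # INFO-level "error in": the pattern from the successful PEAP session.
        soft = [msg for lvl, msg in events
                if lvl == "INFO" and msg.startswith("TLS_accept:error in")]
        handled = any("EAPTLS_HANDLED" in msg for _, msg in events)
        if hard:
            results[sess] = ("handshake-failed", hard)
        elif soft and handled:
            results[sess] = ("benign", soft)
        elif soft:
            results[sess] = ("review", soft)  # no sign that the exchange carried on
    return results

if __name__ == "__main__":
    for sess, (verdict, evidence) in triage(SAMPLE_LOG).items():
        print(sess, verdict, evidence[0])
```

Sessions reported as handshake-failed are the ones worth checking against the certificate chain and trust settings discussed in replies 6 and 8.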