最近在測試802.1x,測試過程中,radius服務器端一直顯示如下錯誤:
(5) authenticate {
(5) eap: Expiring EAP session with state 0x3990473e3d795e62
(5) eap: Finished EAP session with state 0x3990473e3d795e62
(5) eap: Previous EAP request found for state 0x3990473e3d795e62, released from the list
(5) eap: Peer sent packet with method EAP PEAP (25)
(5) eap: Calling submodule eap_peap to process data
(5) eap_peap: Continuing EAP-TLS
(5) eap_peap: Peer indicated complete TLS record size will be 7 bytes
(5) eap_peap: Got complete TLS record (7 bytes)
(5) eap_peap: [eaptls verify] = length included
(5) eap_peap: <<< recv TLS 1.0 Alert [length 0002], fatal certificate_expired
(5) eap_peap: ERROR: TLS Alert read:fatal:certificate expired
(5) eap_peap: ERROR: TLS_accept: Failed in unknown state
(5) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read)
(5) eap_peap: ERROR: error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired
(5) eap_peap: ERROR: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
(5) eap_peap: ERROR: System call (I/O) error (-1)
(5) eap_peap: ERROR: TLS receive handshake failed during operation
(5) eap_peap: ERROR: [eaptls process] = fail
(5) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed
(5) eap: Sending EAP Failure (code 4) ID 233 length 4
(5) eap: Failed in EAP select
(5) [eap] = invalid
(5) } # authenticate = invalid
主要錯誤顯示 證書過期。
在AP側抓包得到,client在 驗證服務器證書時過期,報文如下:
因此,進入了一個誤區,錯誤的認為 服務器編譯出來的證書有誤(有效期),更正freeradius產生的有效期為10年。client仍然報此錯誤。
后查看client端的 wpa_supplicant部分代碼,得到
if (!disable_time_checks &&
((unsigned long) now.sec <
(unsigned long) cert->not_before ||
(unsigned long) now.sec >
(unsigned long) cert->not_after)) {
wpa_printf(MSG_INFO, "X509: Certificate not valid "
"(now=%lu not_before=%lu not_after=%lu)",
now.sec, cert->not_before, cert->not_after);
*reason = X509_VALIDATE_CERTIFICATE_EXPIRED;
return -1;
}
證書有效時間的對比是要跟 設備的當前時間進行對比的。
查看設備的當前時間,在證書有效期之前,所以產生了此錯誤。