Problem with TLS: SSL alert number 49

David Baer

Jan 22, 2003, 9:41:56 PM
Hi,
my name is David Baer

I am working with freeRADIUS authentication server on SuSE Linux and am trying to do EAP/TLS authentication with a Windows XP SP1 client.

I am using openssl-SNAP-20021027 for the TLS part.

From TLS I always get the following errors:

<<< TLS 1.0 Alert [length 0002], fatal access_denied

TLS Alert read:fatal:access denied
2727:error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied:s3_pkt.c:1037:SSL alert number 49
rlm_eap_tls: SSL_read Error
Error code is ..... 6
SSL Error ..... 6
rlm_eap_tls: BIO_read Error
Error code is ..... 5
Error in SSL ..... 5

This happens only after in the EAP-process I can go through the handshake-protocol twice like this:

<<< TLS 1.0 Handshake [length 029b], Certificate

chain-depth=1,
error=0
--> User-Name = Hera
--> BUF-Name = Zeus
--> subject = /C=JP/ST=Tokyo/O=NEC/OU=Internet Systems Research Labs./CN=Zeus/emailAddress=d...@mmp.cl.nec.co.jp
--> issuer = /C=JP/ST=Tokyo/O=NEC/OU=Internet Systems Research Labs./CN=Zeus/emailAddress=d...@mmp.cl.nec.co.jp
--> verify return:1
chain-depth=0,
error=0
--> User-Name = Hera
--> BUF-Name = Hera
--> subject = /C=JP/ST=Tokyo/O=NEC/OU=ISRL/CN=Hera/emailAddress=d...@mmp.cl.nec.co.jp
--> issuer = /C=JP/ST=Tokyo/O=NEC/OU=Internet Systems Research Labs./CN=Zeus/emailAddress=d...@mmp.cl.nec.co.jp
--> verify return:1
TLS_accept: SSLv3 read client certificate A
<<< TLS 1.0 Handshake [length 0086], ClientKeyExchange

TLS_accept: SSLv3 read client key exchange A
<<< TLS 1.0 Handshake [length 0086], CertificateVerify

TLS_accept: SSLv3 read certificate verify A
<<< TLS 1.0 ChangeCipherSpec [length 0001]

<<< TLS 1.0 Handshake [length 0010], Finished

TLS_accept: SSLv3 read finished A
>>> TLS 1.0 ChangeCipherSpec [length 0001]

TLS_accept: SSLv3 write change cipher spec A
>>> TLS 1.0 Handshake [length 0010], Finished

TLS_accept: SSLv3 write finished A
TLS_accept: SSLv3 flush data
undefined: SSL negotiation finished successfully

I've been dealing with that problem for about a week, but can't get anywhere.

Do you think it is TLS related?
Is it possible I did anything wrong with the certificates?
What does alert 49 mean?

Thanks for any kind of advice!
David
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org

Lutz Jaenicke

Jan 23, 2003, 2:47:10 AM
On Thu, Jan 23, 2003 at 11:39:52AM +0900, David Baer wrote:
> I am working with freeRADIUS authentication server on SuSE Linux and am trying to do EAP/TLS authentication with a Windows XP SP1 client.

>
> I am using openssl-SNAP-20021027 for the TLS part.
>
> From TLS I always get the following errors:

>
> <<< TLS 1.0 Alert [length 0002], fatal access_denied
>
> TLS Alert read:fatal:access denied
> 2727:error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied:s3_pkt.c:1037:SSL alert number 49

> rlm_eap_tls: SSL_read Error
> Error code is ..... 6
> SSL Error ..... 6
> rlm_eap_tls: BIO_read Error
> Error code is ..... 5
> Error in SSL ..... 5

Stating the obvious: the server is reading information from the client and
the client sends a "fatal" alert message to the server: "access denied".
It therefore is the client that is unhappy with some condition and it is the
client's decision to stop the handshake.

As for the reasons: I am not familiar with EAP/TLS, sorry.

Best regards,
Lutz
--
Lutz Jaenicke Lutz.J...@aet.TU-Cottbus.DE
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
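
Added example, not part of the original thread: a small decoder for the two log lines discussed above. It unpacks the packed error code `14094419` the way OpenSSL releases before 3.0 lay it out (library, function, reason) to recover the alert number, and reads the direction marker of the message trace to tell which side sent the alert. The function names are illustrative.

```python
import re

# TLS 1.0 alert descriptions from RFC 2246, section 7.2
TLS10_ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    21: "decryption_failed", 22: "record_overflow", 30: "decompression_failure",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 60: "export_restriction",
    70: "protocol_version", 71: "insufficient_security", 80: "internal_error",
    90: "user_canceled", 100: "no_renegotiation",
}
ERR_LIB_SSL = 20             # library number of "SSL routines"
SSL_AD_REASON_OFFSET = 1000  # OpenSSL reports a received alert N as reason 1000+N

ERR_LINE = re.compile(r"^\d+:error:([0-9A-Fa-f]{8}):")

def decode_error_line(line):
    """Unpack the 32-bit code of a pre-3.0 OpenSSL error-queue line."""
    m = ERR_LINE.match(line.strip())
    if not m:
        return None
    code = int(m.group(1), 16)
    lib, func, reason = code >> 24, (code >> 12) & 0xFFF, code & 0xFFF
    alert = None
    if lib == ERR_LIB_SSL and 0 <= reason - SSL_AD_REASON_OFFSET <= 255:
        alert = reason - SSL_AD_REASON_OFFSET
    return {"lib": lib, "func": func, "reason": reason, "alert": alert,
            "alert_name": TLS10_ALERTS.get(alert)}

def record_origin(trace_line):
    """'<<<' marks a record read from the peer, '>>>' one written locally."""
    if trace_line.startswith("<<<"):
        return "peer"
    if trace_line.startswith(">>>"):
        return "local"
    return None

# Both lines are copied from the log in the first post.
ERROR = ("2727:error:14094419:SSL routines:SSL3_READ_BYTES:"
         "tlsv1 alert access denied:s3_pkt.c:1037:SSL alert number 49")
TRACE = "<<< TLS 1.0 Alert [length 0002], fatal access_denied"

if __name__ == "__main__":
    print(decode_error_line(ERROR))
    print("alert sent by:", record_origin(TRACE))
```

RFC 2246 defines access_denied (49) as the alert sent when a valid certificate was received but the sender, after applying access control, decided not to proceed with the negotiation; it is always fatal.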
