EAP TLS - TLSv1.2 Record Layer: Alert, Level: Fatal, Description: Certificate Unknown, 46
Satya Prakash Prasad
satyaprakash.developer.unix at gmail.com
Mon Apr 1 16:55:07 PDT 2024
Hi,
I am not sure if this question should be addressed to this support
team, but I am asking in the hope that some positive information might come up.
I am trying to analyze an SSL handshake failure issue. Please find below
the steps I used to create the client / server certificates, with which
I currently receive a Description: Certificate Unknown (46)
error. Note that I am running the EAP-TLS
[https://github.com/championswimmer/kernel_sony_tamsui/tree/master/platform/external/hostap-06]
code as the client and the hostapd daemon as the server. I am not sure if I have
generated the certificates correctly, but I am trying to test a
mutually trusted server / client SSL connection. So there is no
certificate chain I have made during their certificate creation; they
are self-signed ones. Note that when asked for the CN I gave "CA"
(for the CA), "example.com" (for the server) and "client" (for the client).
openssl genrsa -out ca.key 2048
openssl req -new -x509 -days 1826 -key ca.key -out ca.crt
openssl genrsa -out server.key 2048
openssl req -new -out server.csr -key server.key
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key \
    -CAcreateserial -out server.crt -days 360
At this step I have the files below:
ca.crt (which I use as trusted_client.pem), server.crt and server.key
on the server side.
Client side certificate generation:
openssl genrsa -out client.key 2048
openssl req -out client.csr -key client.key -new
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key \
    -CAcreateserial -out client.crt -days 360
So now on the client side I have the files below: client.crt, client.key,
trusted_client.pem [generated during the server certificate step].
When I run the flow I get the error below:
TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Unknown CA)
Wireshark logs:
No.  Time                        Source                            Destination              Protocol  Length  Info
103  2024-04-01 11:17:42.886627  Device_00:8c:94                   Nearest-non-TPMR-bridge  EAPOL     60      Start
104  2024-04-01 11:17:42.887165  MS-NLB-PhysServer-17_11:11:11:11  Nearest-non-TPMR-bridge  EAP       60      Request, Identity
105  2024-04-01 11:17:45.890174  MS-NLB-PhysServer-17_11:11:11:11  Nearest-non-TPMR-bridge  EAP       60      Request, Identity
106  2024-04-01 11:17:45.892093  Device_00:8c:94                   Nearest-non-TPMR-bridge  EAP       60      Response, Identity
107  2024-04-01 11:17:45.892425  MS-NLB-PhysServer-17_11:11:11:11  Nearest-non-TPMR-bridge  EAP       60      Request, TLS EAP (EAP-TLS)
108  2024-04-01 11:17:47.732072  Device_00:8c:94                   Nearest-non-TPMR-bridge  TLSv1.2   226     Client Hello
109  2024-04-01 11:17:47.746814  MS-NLB-PhysServer-17_11:11:11:11  Nearest-non-TPMR-bridge  EAP       1421    Request, TLS EAP (EAP-TLS)
110  2024-04-01 11:17:47.750570  Device_00:8c:94                   Nearest-non-TPMR-bridge  EAP       60      Response, TLS EAP (EAP-TLS)
111  2024-04-01 11:17:47.750881  MS-NLB-PhysServer-17_11:11:11:11  Nearest-non-TPMR-bridge  SSL       1068    Continuation Data
112  2024-04-01 11:17:49.896020  MS-NLB-PhysServer-17_11:11:11:11  Nearest-non-TPMR-bridge  SSL       1068    Continuation Data
113  2024-04-01 11:17:50.104051  Device_00:8c:94                   Nearest-non-TPMR-bridge  TLSv1.2   233     Client Hello, Alert (Level: Fatal, Description: Certificate Unknown) -- Description: Certificate Unknown (46)
114  2024-04-01 11:17:50.104413  MS-NLB-PhysServer-17_11:11:11:11  Nearest-non-TPMR-bridge  EAP       60      Failure
Server Hello, Certificate, Server Key Exchange, Certificate Request,
Server Hello Done
Frame 111: 1068 bytes on wire (8544 bits), 1068 bytes captured (8544
bits) on interface \Device\NPF_{87758CCA-2149-4961-9FDA-E59432A16D13},
id 0
Ethernet II, Src: MS-NLB-PhysServer-17_11:11:11:11
(02:11:11:11:11:11), Dst: Nearest-non-TPMR-bridge (01:80:c2:00:00:03)
802.1X Authentication
Extensible Authentication Protocol
Code: Request (1)
Id: 56
Length: 1050
Type: TLS EAP (EAP-TLS) (13)
EAP-TLS Flags: 0x00
0... .... = Length Included: False
.0.. .... = More Fragments: False
..0. .... = Start: False
[2 EAP-TLS Fragments (2437 bytes): #109(1393), #111(1044)]
[Frame: 109, payload: 0-1392 (1393 bytes)]
[Frame: 111, payload: 1393-2436 (1044 bytes)]
[Fragment Count: 2]
[Reassembled EAP-TLS Length: 2437]
Transport Layer Security
TLSv1.2 Record Layer: Handshake Protocol: Server Hello
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 61
Handshake Protocol: Server Hello
Handshake Type: Server Hello (2)
Length: 57
Version: TLS 1.2 (0x0303)
Random:
e8497a7739576c02beabbb0b95a6b95f026ba3bc167b4992af22b64fb10f1e8b
GMT Unix Time: Jun 29, 2093 21:29:51.000000000
India Standard Time
Random Bytes:
39576c02beabbb0b95a6b95f026ba3bc167b4992af22b64fb10f1e8b
Session ID Length: 0
Cipher Suite:
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
Compression Method: null (0)
Extensions Length: 17
Extension: renegotiation_info (len=1)
Type: renegotiation_info (65281)
Length: 1
Renegotiation Info extension
Extension: ec_point_formats (len=4)
Type: ec_point_formats (11)
Length: 4
EC point formats Length: 3
Elliptic curves point formats (3)
EC point format: uncompressed (0)
EC point format: ansiX962_compressed_prime (1)
EC point format: ansiX962_compressed_char2 (2)
Extension: extended_master_secret (len=0)
Type: extended_master_secret (23)
Length: 0
[JA3S Fullstring: 771,52392,65281-11-23]
[JA3S: d7d95b173b904a8f4de65bd751cb534a]
TLSv1.2 Record Layer: Handshake Protocol: Certificate
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 1793
Handshake Protocol: Certificate
Handshake Type: Certificate (11)
Length: 1789
Certificates Length: 1786
Certificates (1786 bytes)
TLSv1.2 Record Layer: Handshake Protocol: Server Key Exchange
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 401
Handshake Protocol: Server Key Exchange
Handshake Type: Server Key Exchange (12)
Length: 397
EC Diffie-Hellman Server Params
TLSv1.2 Record Layer: Handshake Protocol: Certificate Request
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 153
Handshake Protocol: Certificate Request
Handshake Type: Certificate Request (13)
Length: 149
Certificate types count: 3
Certificate types (3 types)
Signature Hash Algorithms Length: 40
Signature Hash Algorithms (20 algorithms)
Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
Signature Hash Algorithm Hash: SHA256 (4)
Signature Hash Algorithm Signature: ECDSA (3)
Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)
Signature Hash Algorithm Hash: SHA384 (5)
Signature Hash Algorithm Signature: ECDSA (3)
Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603)
Signature Hash Algorithm Hash: SHA512 (6)
Signature Hash Algorithm Signature: ECDSA (3)
Signature Algorithm: ed25519 (0x0807)
Signature Hash Algorithm Hash: Unknown (8)
Signature Hash Algorithm Signature: Unknown (7)
Signature Algorithm: ed448 (0x0808)
Signature Hash Algorithm Hash: Unknown (8)
Signature Hash Algorithm Signature: Unknown (8)
Signature Algorithm: rsa_pss_pss_sha256 (0x0809)
Signature Hash Algorithm Hash: Unknown (8)
Signature Hash Algorithm Signature: Unknown (9)
Signature Algorithm: rsa_pss_pss_sha384 (0x080a)
Signature Hash Algorithm Hash: Unknown (8)
Signature Hash Algorithm Signature: Unknown (10)
Signature Algorithm: rsa_pss_pss_sha512 (0x080b)
Signature Hash Algorithm Hash: Unknown (8)
Signature Hash Algorithm Signature: Unknown (11)
Signature Algorithm: rsa_pss_rsae_sha256 (0x0804)
Signature Hash Algorithm Hash: Unknown (8)
Signature Hash Algorithm Signature: SM2 (4)
Signature Algorithm: rsa_pss_rsae_sha384 (0x0805)
Signature Hash Algorithm Hash: Unknown (8)
Signature Hash Algorithm Signature: Unknown (5)
Signature Algorithm: rsa_pss_rsae_sha512 (0x0806)
Signature Hash Algorithm Hash: Unknown (8)
Signature Hash Algorithm Signature: Unknown (6)
Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
Signature Hash Algorithm Hash: SHA256 (4)
Signature Hash Algorithm Signature: RSA (1)
Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
Signature Hash Algorithm Hash: SHA384 (5)
Signature Hash Algorithm Signature: RSA (1)
Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
Signature Hash Algorithm Hash: SHA512 (6)
Signature Hash Algorithm Signature: RSA (1)
Signature Algorithm: SHA224 ECDSA (0x0303)
Signature Hash Algorithm Hash: SHA224 (3)
Signature Hash Algorithm Signature: ECDSA (3)
Signature Algorithm: SHA224 RSA (0x0301)
Signature Hash Algorithm Hash: SHA224 (3)
Signature Hash Algorithm Signature: RSA (1)
Signature Algorithm: SHA224 DSA (0x0302)
Signature Hash Algorithm Hash: SHA224 (3)
Signature Hash Algorithm Signature: DSA (2)
Signature Algorithm: SHA256 DSA (0x0402)
Signature Hash Algorithm Hash: SHA256 (4)
Signature Hash Algorithm Signature: DSA (2)
Signature Algorithm: SHA384 DSA (0x0502)
Signature Hash Algorithm Hash: SHA384 (5)
Signature Hash Algorithm Signature: DSA (2)
Signature Algorithm: SHA512 DSA (0x0602)
Signature Hash Algorithm Hash: SHA512 (6)
Signature Hash Algorithm Signature: DSA (2)
Distinguished Names Length: 101
Distinguished Names (101 bytes)
TLSv1.2 Record Layer: Handshake Protocol: Server Hello Done
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 4
Handshake Protocol: Server Hello Done
Handshake Type: Server Hello Done (14)
Length: 0
Client Hello, Alert (Level: Fatal, Description: Certificate Unknown)
Extensible Authentication Protocol
Code: Response (2)
Id: 56
Length: 215
Type: TLS EAP (EAP-TLS) (13)
EAP-TLS Flags: 0x00
Transport Layer Security
TLSv1.2 Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 197
Handshake Protocol: Client Hello
Handshake Type: Client Hello (1)
Length: 193
Version: TLS 1.2 (0x0303)
Random:
259ea02b1870ac3618e57b7cbdf4a4ad7df085bf1180f24c52141c38f640cdac
Session ID Length: 0
Cipher Suites Length: 80
Cipher Suites (40 suites)
Compression Methods Length: 1
Compression Methods (1 method)
Extensions Length: 72
Extension: signature_algorithms (len=22)
Extension: supported_groups (len=24)
Extension: ec_point_formats (len=2)
Extension: encrypt_then_mac (len=0)
Extension: extended_master_secret (len=0)
Extension: session_ticket (len=0)
[JA4: 12i400600_9479543b8654_7b0ba9b4cf08]
[JA4_r [truncated]:
12i400600_002f,0033,0035,0039,003c,003d,0067,006b,009c,009d,009e,009f,00ff,c009,c00a,c013,c014,c023,c024,c027,c028,c02b,c02c,c02f,c030,c09c,c09d,c09e,c09f,c0a0,c0a1,c0a2,c0a3,c0ac,c0ad,c0ae,c0af,cca8,cca9,ccaa_000a,000b,]
[JA3 Fullstring [truncated]:
771,52392-52393-52394-49196-49200-159-49325-49311-49188-49192-107-49162-49172-57-49327-49315-49195-49199-158-49324-49310-49187-49191-103-49161-49171-51-49326-49314-157-49309-61-53-49313-156-49308-60-47-49312-255]
[JA3: fee1630eb5b7688c9f8303364702933f]
TLSv1.2 Record Layer: Alert (Level: Fatal, Description:
Certificate Unknown)
Content Type: Alert (21)
Version: TLS 1.2 (0x0303)
Length: 2
Alert Message
Level: Fatal (2)
Description: Certificate Unknown (46)
Regards,
Prakash
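A way to check a certificate set like the one in this thread offline, added here as an example and not part of the original post or of the hostap project: the script below builds the same three-certificate layout (CN=CA, CN=example.com, CN=client) non-interactively and then runs the chain build that each TLS peer performs, using openssl verify with the trust anchor the other side will load. In the capture above it is the client (frame 113) that rejects the server's certificate with certificate_unknown (46), so the check that reproduces that step is verifying server.crt against the file the client uses as its CA (trusted_client.pem, a copy of ca.crt); an "unable to get local issuer certificate" result from openssl verify is the offline counterpart of an Unknown CA alert. The config file name ext.cnf, the function names, the extension sections (CA:TRUE on the CA, serverAuth/clientAuth on the leaves) and the subjectAltName are this example's own choices, not anything the post prescribes.

```shell
#!/bin/sh
# Added example, not from the original post or the hostap project.
# Builds a CA plus CA-signed server and client certificates for EAP-TLS
# non-interactively, then verifies each leaf the way the peer will before
# the files are handed to hostapd / the supplicant.
set -eu

# Minimal OpenSSL config (assumed file name ext.cnf): an empty DN section,
# since we pass -subj, plus one extension section per certificate role.
write_openssl_config() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[server_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:example.com
[client_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# Issue one leaf: key, CSR with the given CN, then a CA-signed certificate
# carrying that role's extensions.  $1=dir $2=name $3=CN $4=extension section
issue_leaf() {
    dir=$1; name=$2; cn=$3; ext=$4
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
    openssl req -new -key "$dir/$name.key" -out "$dir/$name.csr" \
        -subj "/CN=$cn" -config "$dir/ext.cnf"
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/$name.crt" -days 360 \
        -extfile "$dir/ext.cnf" -extensions "$ext" 2>/dev/null
}

# Build CA + server + client into directory $1.
build_eap_tls_pki() {
    dir=$1
    mkdir -p "$dir"
    write_openssl_config "$dir/ext.cnf"
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    # Self-signed CA with CA:TRUE so peers accept it as an issuer.
    openssl req -new -x509 -days 1826 -key "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/CN=CA" -config "$dir/ext.cnf" -extensions ca_ext
    issue_leaf "$dir" server example.com server_ext
    issue_leaf "$dir" client client client_ext
}

# Verify leaf $2 against trust anchor $1 for purpose $3 (sslserver|sslclient).
# This is the chain build the peer performs; a non-zero exit here is what
# turns into a fatal certificate alert on the wire.
verify_peer_cert() {
    openssl verify -CAfile "$1" -purpose "$3" "$2" >/dev/null 2>&1
}

# Subject and issuer of a certificate, with the "subject="/"issuer=" prefix
# stripped so the leaf's issuer can be compared with the anchor's subject.
cert_subject() { openssl x509 -in "$1" -noout -subject | sed 's/^subject=//'; }
cert_issuer()  { openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer=//'; }

# Usage: sh eap_tls_pki.sh <output-dir>
if [ $# -eq 1 ]; then
    build_eap_tls_pki "$1"
    for c in ca server client; do
        echo "$c.crt: subject=[$(cert_subject "$1/$c.crt")] issuer=[$(cert_issuer "$1/$c.crt")]"
    done
    verify_peer_cert "$1/ca.crt" "$1/server.crt" sslserver && echo "server.crt: OK against ca.crt"
    verify_peer_cert "$1/ca.crt" "$1/client.crt" sslclient && echo "client.crt: OK against ca.crt"
    # Wrong trust anchor: this is the offline shape of an Unknown CA rejection.
    verify_peer_cert "$1/server.crt" "$1/client.crt" sslclient || echo "client.crt against server.crt: rejected (expected)"
fi
```

Run it with an output directory as the only argument; it prints subject/issuer for the three certificates and the verify results. The two checks worth running against any EAP-TLS deployment before touching hostapd are the ones in the script: the leaf's issuer must equal the trust anchor's subject, and openssl verify with the role's -purpose must succeed using exactly the CA file the other side is configured with.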