Hostap SSL Error
Satya Prakash Prasad
satyaprakash.developer.unix at gmail.com
Tue Mar 12 01:07:44 PDT 2024
I am trying to analyze the issue and in same regards I received a
working scenario wireshark logs - I see below pattern of messages
TLSv1.2 1068 Server Hello,
Certificate, Server Key Exchange, Certificate Request, Server Hello
Done
EAP 60 Request, Identity
EAP 60 Request, Identity
EAP 60 Request, Identity
SSL 1068 Continuation Data
EAP 60 Request, Identity
SSL 1068 Continuation Data
EAP 60 Request, Identity
EAP 60 Request, Identity
TLSv1.2 1068 Ignored Unknown Record
TLSv1.2 1339 Certificate, Client
Key Exchange, Certificate Verify, Change Cipher Spec, Encrypted
Handshake Message
TLSv1.2 67 Change Cipher Spec,
Encrypted Handshake Message
EAP 60 Request, Identity
TLSv1.2 226 Client Hello
EAP 226 Response, TLS EAP (EAP-TLS)
EAP 60 Request, Identity
TLSv1.2 226 Client Hello
TLSv1.2 60 Alert (Level: Fatal,
Description: Unexpected Message)
EAP 60 Success
But in my case I do not see the SSL messages in logs, they are missing
- is the SSL message an expected one in WireShark logs in such a case?
What if the same is not there? What could also be the cause that SSL
messages did not come as expected? Will the connection be FAILURE if
it is not there?
Regards,
Prakash
On Sat, Mar 9, 2024 at 8:06 PM Jouni Malinen <j at w1.fi> wrote:
>
> On Sat, Mar 09, 2024 at 10:17:50AM +0530, Satya Prakash Prasad wrote:
> > I am trying to test out EAP TLS connection to peer using hostapd
> > daemon but in its logs I see below error -
>
> > OpenSSL: openssl_handshake - SSL_connect error:14094419:SSL
> > routines:ssl3_read_bytes:tlsv1 alert access denied
>
> Everything looked fine on the hostapd/server side, but the EAP-TLS
> client refused the connection for some reason.
>
> > SSL: SSL3 alert: read (remote end reported an error):fatal:access denied
> > authsrv: remote TLS alert: access denied
> > SSL: (where=0x2002 ret=0xffffffff)
> > SSL: SSL_accept:error in error
> > OpenSSL: openssl_handshake - SSL_connect error:14094419:SSL
> > routines:ssl3_read_bytes:tlsv1 alert access denied
>
> That "SSL3 alert: read (remote end reported an error):fatal:access
> denied" is the key part in the log.. In other words, you would need to
> look at the other end of the connection to determine why the client did
> not allow TLS handshake to continue.
>
> --
> Jouni Malinen PGP id EFC895FA
More information about the Hostap
mailing list