Hostap SSL Error

Satya Prakash Prasad satyaprakash.developer.unix at gmail.com
Tue Mar 12 01:07:44 PDT 2024


I am trying to analyze the issue, and in that regard I received
Wireshark logs of a working scenario. I see the below pattern of messages:

TLSv1.2   1068   Server Hello, Certificate, Server Key Exchange, Certificate Request, Server Hello Done
EAP       60     Request, Identity
EAP       60     Request, Identity
EAP       60     Request, Identity
SSL       1068   Continuation Data
EAP       60     Request, Identity
SSL       1068   Continuation Data
EAP       60     Request, Identity
EAP       60     Request, Identity
TLSv1.2   1068   Ignored Unknown Record
TLSv1.2   1339   Certificate, Client Key Exchange, Certificate Verify, Change Cipher Spec, Encrypted Handshake Message
TLSv1.2   67     Change Cipher Spec, Encrypted Handshake Message
EAP       60     Request, Identity
TLSv1.2   226    Client Hello
EAP       226    Response, TLS EAP (EAP-TLS)
EAP       60     Request, Identity
TLSv1.2   226    Client Hello
TLSv1.2   60     Alert (Level: Fatal, Description: Unexpected Message)
EAP       60     Success

But in my case I do not see the SSL messages in the logs; they are
missing. Is the SSL message an expected one in Wireshark logs in such a
case? What if it is not there? What could be the cause of the SSL
messages not coming as expected? Will the connection be a FAILURE if
it is not there?

Regards,
Prakash


On Sat, Mar 9, 2024 at 8:06 PM Jouni Malinen <j at w1.fi> wrote:
>
> On Sat, Mar 09, 2024 at 10:17:50AM +0530, Satya Prakash Prasad wrote:
> > I am trying to test out an EAP TLS connection to a peer using the hostapd
> > daemon, but in its logs I see the below error -
>
> > OpenSSL: openssl_handshake - SSL_connect error:14094419:SSL
> > routines:ssl3_read_bytes:tlsv1 alert access denied
>
> Everything looked fine on the hostapd/server side, but the EAP-TLS
> client refused the connection for some reason.
>
> > SSL: SSL3 alert: read (remote end reported an error):fatal:access denied
> > authsrv: remote TLS alert: access denied
> > SSL: (where=0x2002 ret=0xffffffff)
> > SSL: SSL_accept:error in error
> > OpenSSL: openssl_handshake - SSL_connect error:14094419:SSL
> > routines:ssl3_read_bytes:tlsv1 alert access denied
>
> That "SSL3 alert: read (remote end reported an error):fatal:access
> denied" is the key part in the log. In other words, you would need to
> look at the other end of the connection to determine why the client did
> not allow TLS handshake to continue.
>
> --
> Jouni Malinen                                            PGP id EFC895FA
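
An added example, not part of the original thread and not hostapd code: a small triage script that reads the log lines quoted above, reports which side raised each TLS alert, and decodes the OpenSSL error code 14094419 into its alert number. It assumes the OpenSSL 1.x packed error format; the names `decode_error` and `triage` are hypothetical.

```python
import re

# Assumption: OpenSSL 1.x error packing, 8-bit library | 12-bit function | 12-bit reason.
ERR_LIB_SSL = 20
# In the SSL library, reason = 1000 + alert number means the alert was received from the peer.
SSL_AD_REASON_OFFSET = 1000
# Subset of TLS alert descriptions (RFC 5246, section 7.2).
ALERTS = {10: "unexpected_message", 40: "handshake_failure", 42: "bad_certificate",
          45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca",
          49: "access_denied", 70: "protocol_version"}

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")
ALERT_RE = re.compile(r"SSL3 alert: (read|write) [^:]*:(fatal|warning):(.+)$")

# Log lines from the thread above, with the e-mail line wrapping undone.
SAMPLE = """\
SSL: SSL3 alert: read (remote end reported an error):fatal:access denied
authsrv: remote TLS alert: access denied
OpenSSL: openssl_handshake - SSL_connect error:14094419:SSL routines:ssl3_read_bytes:tlsv1 alert access denied
"""

def decode_error(code_hex):
    """Split a packed OpenSSL 1.x error code and recover a peer alert number, if any."""
    code = int(code_hex, 16)
    lib, func, reason = code >> 24, (code >> 12) & 0xFFF, code & 0xFFF
    alert = None
    if lib == ERR_LIB_SSL and reason > SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET
    return {"lib": lib, "func": func, "reason": reason,
            "peer_alert": alert, "alert_name": ALERTS.get(alert)}

def triage(log_text):
    """Return (kind, ...) tuples saying which side raised each alert."""
    findings = []
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            # "read" = alert received from the remote end; "write" = raised locally.
            origin = "peer" if m.group(1) == "read" else "local"
            findings.append(("alert", origin, m.group(2), m.group(3).strip()))
        m = ERR_RE.search(line)
        if m:
            d = decode_error(m.group(1))
            findings.append(("error", d["lib"], d["peer_alert"], d["alert_name"]))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A "peer" origin together with a decoded alert number means the rejection was decided on the client side, so the client's own logs and certificate validation settings are where to look next.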


