  • certificate expired

    I was recently testing 802.1X, and throughout the test the RADIUS server kept showing the following error:

    (5)   authenticate {
    (5) eap: Expiring EAP session with state 0x3990473e3d795e62
    (5) eap: Finished EAP session with state 0x3990473e3d795e62
    (5) eap: Previous EAP request found for state 0x3990473e3d795e62, released from the list
    (5) eap: Peer sent packet with method EAP PEAP (25)
    (5) eap: Calling submodule eap_peap to process data
    (5) eap_peap: Continuing EAP-TLS
    (5) eap_peap: Peer indicated complete TLS record size will be 7 bytes
    (5) eap_peap: Got complete TLS record (7 bytes)
    (5) eap_peap: [eaptls verify] = length included
    (5) eap_peap: <<< recv TLS 1.0 Alert [length 0002], fatal certificate_expired
    (5) eap_peap: ERROR: TLS Alert read:fatal:certificate expired
    (5) eap_peap: ERROR: TLS_accept: Failed in unknown state
    (5) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read)
    (5) eap_peap: ERROR: error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired
    (5) eap_peap: ERROR: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
    (5) eap_peap: ERROR: System call (I/O) error (-1)
    (5) eap_peap: ERROR: TLS receive handshake failed during operation
    (5) eap_peap: ERROR: [eaptls process] = fail
    (5) eap: ERROR: Failed continuing EAP PEAP (25) session.  EAP sub-module failed
    (5) eap: Sending EAP Failure (code 4) ID 233 length 4
    (5) eap: Failed in EAP select
    (5)     [eap] = invalid
    (5)   } # authenticate = invalid

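    The key error is that the certificate has expired.

    A packet capture on the AP side showed that the client reported the expiry while validating the server certificate. The packet is as follows:

    This led me down the wrong path: I mistakenly assumed that the certificate generated on the server was wrong (its validity period), so I changed the validity period of the FreeRADIUS-generated certificate to 10 years. The client still reported the same error.

    I then looked at the relevant wpa_supplicant code on the client side and found: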

      if (!disable_time_checks &&
          ((unsigned long) now.sec <
           (unsigned long) cert->not_before ||
           (unsigned long) now.sec >
           (unsigned long) cert->not_after)) {
          wpa_printf(MSG_INFO, "X509: Certificate not valid "
                     "(now=%lu not_before=%lu not_after=%lu)",
                     now.sec, cert->not_before, cert->not_after);
          *reason = X509_VALIDATE_CERTIFICATE_EXPIRED;
          return -1;
      }

    The certificate's validity period is checked against the device's current time.

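    I checked the device's current time: it was earlier than the start of the certificate's validity period, which is what produced this error.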
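
A triage helper for the check above, as an added example that is not part of the original post or of wpa_supplicant: it parses the `X509: Certificate not valid (now=... not_before=... not_after=...)` message printed by that code and reports which side of the validity window the device clock fell on. The function name, enum values and sample log lines are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

enum cert_time_verdict {
    LINE_NOT_MATCHED,  /* not an "X509: Certificate not valid" line */
    CLOCK_BEFORE_CERT, /* now < not_before: device clock is behind the cert */
    CERT_PAST_END,     /* now > not_after: certificate really has expired */
    WITHIN_VALIDITY    /* values are consistent with a valid certificate */
};

/* Parse one log line in the format printed by the excerpt above and say
 * which side of the validity window the device clock fell on. Both failing
 * cases set the same X509_VALIDATE_CERTIFICATE_EXPIRED reason in that code. */
enum cert_time_verdict triage_cert_time_line(const char *line,
        unsigned long *now, unsigned long *not_before, unsigned long *not_after)
{
    static const char tag[] = "X509: Certificate not valid ";
    const char *p = strstr(line, tag);
    if (p == NULL)
        return LINE_NOT_MATCHED;
    if (sscanf(p + sizeof(tag) - 1, "(now=%lu not_before=%lu not_after=%lu)",
               now, not_before, not_after) != 3)
        return LINE_NOT_MATCHED;
    if (*now < *not_before)
        return CLOCK_BEFORE_CERT;
    if (*now > *not_after)
        return CERT_PAST_END;
    return WITHIN_VALIDITY;
}

int main(void)
{
    /* Constructed sample lines; the timestamps are illustrative values. */
    const char *lines[] = {
        "X509: Certificate not valid (now=946684800 not_before=1505260800 not_after=1820620800)",
        "X509: Certificate not valid (now=1900000000 not_before=1505260800 not_after=1820620800)",
    };
    static const char *advice[] = {
        "not a validity-check line",
        "clock behind not_before: set the device time, do not reissue the cert",
        "clock past not_after: certificate has expired, renew it",
        "inside validity window: look for another cause",
    };
    unsigned long now, nb, na;
    for (size_t i = 0; i < sizeof(lines) / sizeof(lines[0]); i++) {
        enum cert_time_verdict v = triage_cert_time_line(lines[i], &now, &nb, &na);
        printf("%s\n  -> %s\n", lines[i], advice[v]);
    }
}
```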

  • Original article: https://www.cnblogs.com/rohens-hbg/p/7530616.html