
certificate expired

Date: 2017-09-16 13:37:34

Recently I was testing 802.1X, and throughout the tests the RADIUS server kept showing the following error:

(5)   authenticate {
(5) eap: Expiring EAP session with state 0x3990473e3d795e62
(5) eap: Finished EAP session with state 0x3990473e3d795e62
(5) eap: Previous EAP request found for state 0x3990473e3d795e62, released from the list
(5) eap: Peer sent packet with method EAP PEAP (25)
(5) eap: Calling submodule eap_peap to process data
(5) eap_peap: Continuing EAP-TLS
(5) eap_peap: Peer indicated complete TLS record size will be 7 bytes
(5) eap_peap: Got complete TLS record (7 bytes)
(5) eap_peap: [eaptls verify] = length included
(5) eap_peap: <<< recv TLS 1.0 Alert [length 0002], fatal certificate_expired
(5) eap_peap: ERROR: TLS Alert read:fatal:certificate expired
(5) eap_peap: ERROR: TLS_accept: Failed in unknown state
(5) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read)
(5) eap_peap: ERROR: error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired
(5) eap_peap: ERROR: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
(5) eap_peap: ERROR: System call (I/O) error (-1)
(5) eap_peap: ERROR: TLS receive handshake failed during operation
(5) eap_peap: ERROR: [eaptls process] = fail
(5) eap: ERROR: Failed continuing EAP PEAP (25) session.  EAP sub-module failed
(5) eap: Sending EAP Failure (code 4) ID 233 length 4
(5) eap: Failed in EAP select
(5)     [eap] = invalid
(5)   } # authenticate = invalid

The main error shown is that the certificate has expired.

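A packet capture on the AP side showed that the client reported the expiry while validating the server certificate. The packet is as follows:

[Image: packet capture taken on the AP side]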

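This led me down the wrong path: I mistakenly assumed that the certificate built on the server was wrong (its validity period), and changed the validity period of the certificates generated by freeradius to 10 years. The client still reported this error.

Later I looked at part of the wpa_supplicant code on the client side and found: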

    /* Reject the certificate when the local clock is outside
     * [not_before, not_after]; both directions set the same
     * X509_VALIDATE_CERTIFICATE_EXPIRED reason. */
    if (!disable_time_checks &&
        ((unsigned long) now.sec <
         (unsigned long) cert->not_before ||
         (unsigned long) now.sec >
         (unsigned long) cert->not_after)) {
        wpa_printf(MSG_INFO, "X509: Certificate not valid "
                   "(now=%lu not_before=%lu not_after=%lu)",
                   now.sec, cert->not_before, cert->not_after);
        *reason = X509_VALIDATE_CERTIFICATE_EXPIRED;
        return -1;
    }

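The certificate's validity period is compared against the device's current time.

Checking the device's current time showed that it was earlier than the start of the certificate's validity period, which is what produced this error.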
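The check quoted above reports a clock that is behind not_before with the same "expired" reason as a certificate that is past not_after, which is why the server log pointed at the certificate rather than the client clock. The following C program is an added example, not wpa_supplicant code: it parses notBefore/notAfter in X.509 UTCTime form and keeps the two failure directions apart. The names parse_utctime, classify and enum cert_time are hypothetical, and the certificate dates and device clock are constructed sample values.

```c
#include <stdio.h>
#include <string.h>

enum cert_time { CERT_TIME_OK, CERT_NOT_YET_VALID, CERT_EXPIRED, CERT_TIME_BAD };

/* Days since 1970-01-01 for a Gregorian date (civil-days algorithm). */
static long long days_from_civil(int y, int m, int d)
{
    y -= m <= 2;
    long long era = (y >= 0 ? y : y - 399) / 400;
    int yoe = (int)(y - era * 400);
    int doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    int doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + doe - 719468;
}

/* Parse X.509 UTCTime "YYMMDDHHMMSSZ" to epoch seconds; -1 on malformed input.
 * Dates before 1970 come out negative and are treated as bad input by classify(). */
static long long parse_utctime(const char *s)
{
    int v[6];
    if (strlen(s) != 13 || s[12] != 'Z')
        return -1;
    for (int i = 0; i < 6; i++) {
        if (s[2*i] < '0' || s[2*i] > '9' || s[2*i+1] < '0' || s[2*i+1] > '9')
            return -1;
        v[i] = (s[2*i] - '0') * 10 + (s[2*i+1] - '0');
    }
    if (v[1] < 1 || v[1] > 12 || v[2] < 1 || v[2] > 31 || v[3] > 23 || v[4] > 59 || v[5] > 59)
        return -1;
    int year = v[0] + (v[0] < 50 ? 2000 : 1900);   /* RFC 5280 two-digit year pivot */
    return days_from_civil(year, v[1], v[2]) * 86400 + v[3] * 3600 + v[4] * 60 + v[5];
}

/* Same window comparison as the client check, with distinct results per direction. */
static enum cert_time classify(long long now, const char *nb, const char *na)
{
    long long not_before = parse_utctime(nb), not_after = parse_utctime(na);
    if (now < 0 || not_before < 0 || not_after < 0)
        return CERT_TIME_BAD;
    if (now < not_before)
        return CERT_NOT_YET_VALID;   /* clock behind: fix the device time, not the cert */
    return now > not_after ? CERT_EXPIRED : CERT_TIME_OK;
}

int main(void)
{
    /* Constructed: cert valid 2017-09-01 .. 2027-08-30, device clock at 2000-01-01. */
    static const char *names[] = { "ok", "not yet valid", "expired", "bad input" };
    printf("%s\n", names[classify(946684800LL, "170901000000Z", "270830000000Z")]);
    return 0;
}
```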

 


Original article: http://www.cnblogs.com/rohens-hbg/p/7530616.html
