#51 OpenSSL Error -- error:1408F455:SSL routines:SSL3_GET_RECORD

Milestone: SVN
Status: closed-fixed
Owner: nobody
Labels: General (76)
Priority: 5
Updated: 2005-08-08
Created: 2005-06-13
Creator: lorenzo g
Private: No

Situation:

- Linux Debian kernel 2.6.11.11
- ipw2200 driver and network card successfully working with plain WEP
- trying to connect to a Cisco ACS
- the certificate has been exported from the server in "base64" form (from Windows 2003 certificate manager)
- username/pass and certificate successfully work on Windows XP
- I have openssl-dev version 0.9.7e-3
- using xsupplicant 1.2pre1
- tried with the certificate from the server AND with root_cert = NONE in config file, same error

this is the config file

-- begin config file
network_list = all

default_netname = net

logfile = /var/log/xsupplicant.log

net
{
  allow_types = all

  identity = id

  eap-peap {
    root_cert = NONE
    chunk_size = 1398
    random_file = /dev/urandom
    session_resume = yes

    eap-mschapv2 {
      username = id
      password = pass
    }
  }
}

--- end config file

-- begin dump

[ALL] Sending TLS ACK!
[STATE] Backend State : REQUEST -> RESPONSE
[ALL] Frame to be sent :
00 11 92 F6 F1 51 00 0E - 35 04 A1 0B 88 8E 01 00
.....Q..5.......
00 06 02 2E 00 06 19 01 - ........
[STATE] Backend State : RESPONSE -> RECEIVE
[ALL] Got Frame :
00 0E 35 04 A1 0B 00 11 - 92 F6 F1 51 88 8E 01 00
..5........Q....
00 2B 01 2F 00 2B 19 01 - 17 03 01 00 20 C6 28 E5
.+./.+........(.
AD 4C FC 1C 22 AB AB 14 - 4B 57 89 EE F5 CB 88 5C
.L.."...KW.....\
27 34 1A 85 88 A6 2F 66 - 47 30 A0 51 FC
'4..../fG0.Q.
[ALL] Got EAP-Request for EAP_PEAP
[ALL] Got EAP-Request-Authentication.
[STATE] Backend State : RECEIVE -> REQUEST
[ALL] Got EAP-Request for EAP_PEAP
[ALL] Got EAP-Request-Authentication.
[STATE] Building EAPOL-Response-Authentication
[AUTH TYPE] Packet in (38) :
00 17 03 01 00 20 C6 28 - E5 AD 4C FC 1C 22 AB AB
.......(..L.."..
14 4B 57 89 EE F5 CB 88 - 5C 27 34 1A 85 88 A6 2F
.KW.....\'4..../
66 47 30 A0 51 FC fG0.Q.
[AUTH TYPE] Extracted common name of xxx
[AUTH TYPE] Certificate CN : xxx
[AUTH TYPE] Doing a CN Check!
[AUTH TYPE] Looking for an exact match!
[AUTH TYPE] Certificate CN matched!
[AUTH TYPE] Decrypted dump :
01 1D 00 05 01 ....
[AUTH TYPE] Decrypted packet returned 5 byte(s)
[AUTH TYPE] Doing PEAP v1!
[AUTH TYPE] Inner packet :
01 1D 00 05 01 ....
Invalid parameters passed to eap_request_id()!
[AUTH TYPE] Nothing returned from PEAP!
[ALL] Got EAP-Request for EAP_PEAP
[ALL] Got EAP-Request-Authentication.
[STATE] Building EAPOL-Response-Authentication
[AUTH TYPE] Packet in (38) :
00 17 03 01 00 20 C6 28 - E5 AD 4C FC 1C 22 AB AB
.......(..L.."..
14 4B 57 89 EE F5 CB 88 - 5C 27 34 1A 85 88 A6 2F
.KW.....\'4..../
66 47 30 A0 51 FC fG0.Q.
[AUTH TYPE] Extracted common name of xxx
[AUTH TYPE] Certificate CN : xxx
[AUTH TYPE] Doing a CN Check!
[AUTH TYPE] Looking for an exact match!
[AUTH TYPE] Certificate CN matched!
In tls_crypt.c, SSL_read(mytls_vars->ssl, out_data, 1000) failed.
OpenSSL Error -- error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
[AUTH TYPE] Decrypted dump :
D8 3B EA B7 D8 3B EA B7 - 73 74 00 00 00 00 00 00
.;...;..st......
01 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
................
00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
................
00 00 00 00 46 01 00 00 - 00 00 00 00 00 00 00 00
....F...........
00 00 00 00 39 20 00 00 - E0 1F 09 08 88 38 EA B7
....9........8..
E8 06 0A 08 00 00 00 00 - 00 00 00 00 F0 16 0A 08
................
00 00 00 00 00 00 00 00 - 00 00 00 00 11 20 00 00
................
F0 41 0A 08 E0 1F 09 08 - 00 00 00 00 00 00 00 00
.A..............
00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
................

--- end dump

and then it goes on with the last line (all zeroes).

Discussion

  • Chris Hessing - 2005-08-08
    • status: open --> closed-fixed
     
  • konrad - 2005-08-09

    Hi,

    I am using the latest CVS (9-Aug-2005), but I still get the
    error:

    [ALL] Got EAP-Request-Authentication.
    In tls_crypt.c, SSL_read(mytls_vars->ssl, out_data, 1000) failed.
    OpenSSL Error -- error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
    Phase 2 failure!
    XEGENERROR

    Using Ubuntu Linux 2.6.10-5-386,
    prism54 driver Netgear PCMCIA card,
    Network controller: Intersil Corporation Intersil ISL3890
    [Prism GT/Prism Duette] (rev 01)
    openssl
    cisco ACS
    cisco Access Point 1200

    regards, konrad

     
