Hi,
We are testing the HosatAP module integrated with MBedTLS version 2.19.1. But we are receiving an error during the SSL handshake. In Server side we are using hostapd daemon - we see the below error:
random: getrandom() support available
Configuration file: data/eap/hostap-standalone/hostapd_newCrt.conf
Opening raw packet socket for ifindex 4
BSS count 1, BSSID mask 00:00:00:00:00:00 (0 bits)
Using existing control interface directory.
eaptest1: IEEE 802.11 Fetching hardware channel/rate support not supported.
Completing interface initialization
hostapd_setup_bss(hapd=0x564a594121c0 (eaptest1), first=1)
eaptest1: Flushing old station entries
eaptest1: Deauthenticate all stations
Using interface eaptest1 with hwaddr 02:11:11:11:11:11 and ssid ""
TLS: Trusted root certificate(s) loaded
OpenSSL: tls_use_private_key_file (PEM) --> loaded
eaptest1: interface state UNINITIALIZED->ENABLED
eaptest1: AP-ENABLED
eaptest1: Setup of interface done.
ctrl_iface not configured!
Received EAPOL packet
eaptest1: Event NEW_STA (22) received
Data frame from unknown STA 00:1b:08:00:8c:94 - adding a new STA
New STA
ap_sta_add: register ap_handle_timer timeout for 00:1b:08:00:8c:94 (300 seconds - ap_max_inactivity)
eaptest1: STA 00:1b:08:00:8c:94 IEEE 802.1X: start authentication
EAP: Server state machine created
IEEE 802.1X: 00:1b:08:00:8c:94 BE_AUTH entering state IDLE
IEEE 802.1X: 00:1b:08:00:8c:94 CTRL_DIR entering state FORCE_BOTH
eaptest1: hostapd_new_assoc_sta: canceled wired ap_handle_timer timeout for 00:1b:08:00:8c:94
eaptest1: Event EAPOL_RX (23) received
IEEE 802.1X: 46 bytes from 00:1b:08:00:8c:94
IEEE 802.1X: version=2 type=1 length=0
ignoring 42 extra octets after IEEE 802.1X packet
eaptest1: STA 00:1b:08:00:8c:94 IEEE 802.1X: received EAPOL-Start from STA
IEEE 802.1X: 00:1b:08:00:8c:94 AUTH_PAE entering state DISCONNECTED
eaptest1: STA 00:1b:08:00:8c:94 IEEE 802.1X: unauthorizing port
IEEE 802.1X: 00:1b:08:00:8c:94 AUTH_PAE entering state RESTART
EAP: EAP entering state INITIALIZE
eaptest1: CTRL-EVENT-EAP-STARTED 00:1b:08:00:8c:94
EAP: EAP entering state SELECT_ACTION
EAP: getDecision: no identity known yet -> CONTINUE
EAP: EAP entering state PROPOSE_METHOD
EAP: getNextMethod: vendor 0 type 1
eaptest1: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
EAP: EAP entering state METHOD_REQUEST
EAP: building EAP-Request: Identifier 124
EAP: EAP entering state SEND_REQUEST
EAP: EAP entering state IDLE
EAP: retransmit timeout 3 seconds (from dynamic back off; retransCount=0)
IEEE 802.1X: 00:1b:08:00:8c:94 AUTH_PAE entering state CONNECTING
IEEE 802.1X: 00:1b:08:00:8c:94 AUTH_PAE entering state AUTHENTICATING
IEEE 802.1X: 00:1b:08:00:8c:94 BE_AUTH entering state REQUEST
eaptest1: STA 00:1b:08:00:8c:94 IEEE 802.1X: Sending EAP Packet (identifier 124)
IEEE 802.1X: 00:1b:08:00:8c:94 - (EAP) retransWhile --> 0
EAP: EAP entering state RETRANSMIT
eaptest1: CTRL-EVENT-EAP-RETRANSMIT 00:1b:08:00:8c:94
EAP: EAP entering state IDLE
EAP: retransmit timeout 6 seconds (from dynamic back off; retransCount=1)
IEEE 802.1X: 00:1b:08:00:8c:94 BE_AUTH entering state REQUEST
eaptest1: STA 00:1b:08:00:8c:94 IEEE 802.1X: Sending EAP Packet (identifier 124)
Received EAPOL packet
eaptest1: Event NEW_STA (22) received
eaptest1: Event EAPOL_RX (23) received
IEEE 802.1X: 46 bytes from 00:1b:08:00:8c:94
IEEE 802.1X: version=2 type=0 length=9
ignoring 33 extra octets after IEEE 802.1X packet
EAP: code=2 identifier=124 length=9
(response)
eaptest1: STA 00:1b:08:00:8c:94 IEEE 802.1X: received EAP packet (code=2 id=124 len=9) from STA: EAP Response-Identity (1)
IEEE 802.1X: 00:1b:08:00:8c:94 BE_AUTH entering state RESPONSE
EAP: EAP entering state RECEIVED
EAP: parseEapResp: rxResp=1 rxInitiate=0 respId=124 respMethod=1 respVendor=0 respVendorMethod=0
EAP: EAP entering state INTEGRITY_CHECK
EAP: EAP entering state METHOD_RESPONSE
EAP-Identity: Peer identity - hexdump_ascii(len=4):
75 73 65 72 user
EAP: EAP entering state SELECT_ACTION
EAP: getDecision: another method available -> CONTINUE
EAP: EAP entering state PROPOSE_METHOD
EAP: getNextMethod: vendor 0 type 13
eaptest1: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
EAP: EAP entering state METHOD_REQUEST
EAP: building EAP-Request: Identifier 125
EAP-TLS: START -> CONTINUE
EAP: EAP entering state SEND_REQUEST
EAP: EAP entering state IDLE
EAP: retransmit timeout 3 seconds (from dynamic back off; retransCount=0)
IEEE 802.1X: 00:1b:08:00:8c:94 BE_AUTH entering state REQUEST
eaptest1: STA 00:1b:08:00:8c:94 IEEE 802.1X: Sending EAP Packet (identifier 125)
Received EAPOL packet
eaptest1: Event NEW_STA (22) received
eaptest1: Event EAPOL_RX (23) received
IEEE 802.1X: 212 bytes from 00:1b:08:00:8c:94
IEEE 802.1X: version=2 type=0 length=208
EAP: code=2 identifier=125 length=208
(response)
eaptest1: STA 00:1b:08:00:8c:94 IEEE 802.1X: received EAP packet (code=2 id=125 len=208) from STA: EAP Response-TLS (13)IEEE 802.1X: 00:1b:08:00:8c:94 BE_AUTH entering state RESPONSE
EAP: EAP entering state RECEIVED
EAP: parseEapResp: rxResp=1 rxInitiate=0 respId=125 respMethod=13 respVendor=0 respVendorMethod=0
EAP: EAP entering state INTEGRITY_CHECK
EAP: EAP entering state METHOD_RESPONSE
SSL: Received packet(len=208) - Flags 0x00
SSL: Received packet: Flags 0x0 Message Length 0
SSL: (where=0x10 ret=0x1)
SSL: (where=0x2001 ret=0x1)
SSL: SSL_accept:before SSL initialization
OpenSSL: RX ver=0x0 content_type=256 (TLS header info/)
OpenSSL: Message - hexdump(len=5): [REMOVED]
SSL: (where=0x2001 ret=0x1)
SSL: SSL_accept:before SSL initialization
OpenSSL: RX ver=0x304 content_type=22 (handshake/client hello)
OpenSSL: Message - hexdump(len=197): [REMOVED]
SSL: (where=0x2001 ret=0x1)
SSL: SSL_accept:SSLv3/TLS read client hello
OpenSSL: TX ver=0x0 content_type=256 (TLS header info/)
OpenSSL: Message - hexdump(len=5): [REMOVED]
OpenSSL: TX ver=0x303 content_type=22 (handshake/server hello)
OpenSSL: Message - hexdump(len=61): [REMOVED]
SSL: (where=0x2001 ret=0x1)
SSL: SSL_accept:SSLv3/TLS write server hello
OpenSSL: TX ver=0x0 content_type=256 (TLS header info/)
OpenSSL: Message - hexdump(len=5): [REMOVED]
OpenSSL: TX ver=0x303 content_type=22 (handshake/certificate)
OpenSSL: Message - hexdump(len=855): [REMOVED]
SSL: (where=0x2001 ret=0x1)
SSL: SSL_accept:SSLv3/TLS write certificate
OpenSSL: TX ver=0x0 content_type=256 (TLS header info/)
OpenSSL: Message - hexdump(len=5): [REMOVED]
OpenSSL: TX ver=0x303 content_type=22 (handshake/server key exchange)
OpenSSL: Message - hexdump(len=401): [REMOVED]
SSL: (where=0x2001 ret=0x1)
SSL: SSL_accept:SSLv3/TLS write key exchange
OpenSSL: TX ver=0x0 content_type=256 (TLS header info/)
OpenSSL: Message - hexdump(len=5): [REMOVED]
OpenSSL: TX ver=0x303 content_type=22 (handshake/certificate request)
OpenSSL: Message - hexdump(len=153): [REMOVED]
SSL: (where=0x2001 ret=0x1)
SSL: SSL_accept:SSLv3/TLS write certificate request
OpenSSL: TX ver=0x0 content_type=256 (TLS header info/)
OpenSSL: Message - hexdump(len=5): [REMOVED]
OpenSSL: TX ver=0x303 content_type=22 (handshake/server hello done)
OpenSSL: Message - hexdump(len=4): [REMOVED]
SSL: (where=0x2001 ret=0x1)
SSL: SSL_accept:SSLv3/TLS write server done
SSL: (where=0x2002 ret=0xffffffff)
SSL: SSL_accept:error in SSLv3/TLS write server done
SSL: SSL_connect - want more data
SSL: 1499 bytes pending from ssl_out
SSL: Using TLS version TLSv1.2
EAP: EAP entering state METHOD_REQUEST
EAP: building EAP-Request: Identifier 126
SSL: Generating Request
SSL: Sending out 1393 bytes (106 more to send)
EAP: EAP entering state SEND_REQUEST
EAP: EAP entering state IDLE
EAP: retransmit timeout 3 seconds (from dynamic back off; retransCount=0)
IEEE 802.1X: 00:1b:08:00:8c:94 BE_AUTH entering state REQUEST
eaptest1: STA 00:1b:08:00:8c:94 IEEE 802.1X: Sending EAP Packet (identifier 126)
Received EAPOL packet
eaptest1: Event NEW_STA (22) received
eaptest1: Event EAPOL_RX (23) received
IEEE 802.1X: 46 bytes from 00:1b:08:00:8c:94
IEEE 802.1X: version=2 type=0 length=6
ignoring 36 extra octets after IEEE 802.1X packet
EAP: code=2 identifier=126 length=6
(response)
eaptest1: STA 00:1b:08:00:8c:94 IEEE 802.1X: received EAP packet (code=2 id=126 len=6) from STA: EAP Response-TLS (13)
IEEE 802.1X: 00:1b:08:00:8c:94 BE_AUTH entering state RESPONSE
EAP: EAP entering state RECEIVED
EAP: parseEapResp: rxResp=1 rxInitiate=0 respId=126 respMethod=13 respVendor=0 respVendorMethod=0
EAP: EAP entering state INTEGRITY_CHECK
EAP: EAP entering state METHOD_RESPONSE
SSL: Received packet(len=6) - Flags 0x00
SSL: Received packet: Flags 0x0 Message Length 0
SSL: Fragment acknowledged
EAP: EAP entering state METHOD_REQUEST
EAP: building EAP-Request: Identifier 127
SSL: Generating Request
SSL: Sending out 106 bytes (message sent completely)
EAP: EAP entering state SEND_REQUEST
EAP: EAP entering state IDLE
EAP: retransmit timeout 3 seconds (from dynamic back off; retransCount=0)
IEEE 802.1X: 00:1b:08:00:8c:94 BE_AUTH entering state REQUEST
eaptest1: STA 00:1b:08:00:8c:94 IEEE 802.1X: Sending EAP Packet (identifier 127)
IEEE 802.1X: 00:1b:08:00:8c:94 - (EAP) retransWhile --> 0
EAP: EAP entering state RETRANSMIT
eaptest1: CTRL-EVENT-EAP-RETRANSMIT 00:1b:08:00:8c:94
EAP: EAP entering state IDLE
EAP: retransmit timeout 6 seconds (from dynamic back off; retransCount=1)
IEEE 802.1X: 00:1b:08:00:8c:94 BE_AUTH entering state REQUEST
eaptest1: STA 00:1b:08:00:8c:94 IEEE 802.1X: Sending EAP Packet (identifier 127)
Received EAPOL packet
eaptest1: Event NEW_STA (22) received
eaptest1: Event EAPOL_RX (23) received
IEEE 802.1X: 46 bytes from 00:1b:08:00:8c:94
IEEE 802.1X: version=2 type=0 length=6
ignoring 36 extra octets after IEEE 802.1X packet
EAP: code=2 identifier=127 length=6
(response)
eaptest1: STA 00:1b:08:00:8c:94 IEEE 802.1X: received EAP packet (code=2 id=127 len=6) from STA: EAP Response-TLS (13)
IEEE 802.1X: 00:1b:08:00:8c:94 BE_AUTH entering state RESPONSE
EAP: EAP entering state RECEIVED
EAP: parseEapResp: rxResp=1 rxInitiate=0 respId=127 respMethod=13 respVendor=0 respVendorMethod=0
EAP: EAP entering state INTEGRITY_CHECK
EAP: EAP entering state METHOD_RESPONSE
SSL: Received packet(len=6) - Flags 0x00
SSL: Received packet: Flags 0x0 Message Length 0
SSL: (where=0x2002 ret=0xffffffff)
SSL: SSL_accept:error in SSLv3/TLS write server done
SSL: SSL_connect - want more data
SSL: 0 bytes pending from ssl_out
SSL: Using TLS version TLSv1.2
EAP: EAP entering state METHOD_REQUEST
EAP: building EAP-Request: Identifier 128
SSL: Generating Request
SSL: Sending out 0 bytes (message sent completely)
EAP: EAP entering state SEND_REQUEST
EAP: EAP entering state IDLE
EAP: retransmit timeout 3 seconds (from dynamic back off; retransCount=0)
IEEE 802.1X: 00:1b:08:00:8c:94 BE_AUTH entering state REQUEST
eaptest1: STA 00:1b:08:00:8c:94 IEEE 802.1X: Sending EAP Packet (identifier 128)
Received EAPOL packet
eaptest1: Event NEW_STA (22) received
eaptest1: Event EAPOL_RX (23) received
IEEE 802.1X: 46 bytes from 00:1b:08:00:8c:94
IEEE 802.1X: version=2 type=0 length=6
ignoring 36 extra octets after IEEE 802.1X packet
EAP: code=2 identifier=127 length=6
(response)
eaptest1: STA 00:1b:08:00:8c:94 IEEE 802.1X: received EAP packet (code=2 id=127 len=6) from STA: EAP Response-TLS (13)
IEEE 802.1X: 00:1b:08:00:8c:94 BE_AUTH entering state RESPONSE
EAP: EAP entering state RECEIVED
EAP: parseEapResp: rxResp=1 rxInitiate=0 respId=127 respMethod=13 respVendor=0 respVendorMethod=0
EAP: RECEIVED->DISCARD: rxResp=1 respId=127 currentId=128 respMethod=13 currentMethod=13
EAP: EAP entering state DISCARD
EAP: EAP entering state IDLE
EAP: retransmit timeout 3 seconds (from dynamic back off; retransCount=0)
IEEE 802.1X: 00:1b:08:00:8c:94 BE_AUTH entering state IGNORE
IEEE 802.1X: 00:1b:08:00:8c:94 - (EAP) retransWhile --> 0
EAP: EAP entering state RETRANSMIT
eaptest1: CTRL-EVENT-EAP-RETRANSMIT 00:1b:08:00:8c:94
EAP: EAP entering state IDLE
EAP: retransmit timeout 6 seconds (from dynamic back off; retransCount=1)
IEEE 802.1X: 00:1b:08:00:8c:94 BE_AUTH entering state REQUEST
eaptest1: STA 00:1b:08:00:8c:94 IEEE 802.1X: Sending EAP Packet (identifier 128)
IEEE 802.1X: 00:1b:08:00:8c:94 - (EAP) retransWhile --> 0
EAP: EAP entering state RETRANSMIT
eaptest1: CTRL-EVENT-EAP-RETRANSMIT 00:1b:08:00:8c:94
EAP: EAP entering state IDLE
EAP: retransmit timeout 12 seconds (from dynamic back off; retransCount=2)
IEEE 802.1X: 00:1b:08:00:8c:94 BE_AUTH entering state REQUEST
eaptest1: STA 00:1b:08:00:8c:94 IEEE 802.1X: Sending EAP Packet (identifier 128)
Received EAPOL packet
eaptest1: Event NEW_STA (22) received
eaptest1: Event EAPOL_RX (23) received
IEEE 802.1X: 212 bytes from 00:1b:08:00:8c:94
IEEE 802.1X: version=2 type=0 length=208
EAP: code=2 identifier=128 length=208
(response)
eaptest1: STA 00:1b:08:00:8c:94 IEEE 802.1X: received EAP packet (code=2 id=128 len=208) from STA: EAP Response-TLS (13)IEEE 802.1X: 00:1b:08:00:8c:94 BE_AUTH entering state RESPONSE
EAP: EAP entering state RECEIVED
EAP: parseEapResp: rxResp=1 rxInitiate=0 respId=128 respMethod=13 respVendor=0 respVendorMethod=0
EAP: EAP entering state INTEGRITY_CHECK
EAP: EAP entering state METHOD_RESPONSE
SSL: Received packet(len=208) - Flags 0x00
SSL: Received packet: Flags 0x0 Message Length 0
OpenSSL: RX ver=0x0 content_type=256 (TLS header info/)
OpenSSL: Message - hexdump(len=5): [REMOVED]
SSL: (where=0x2001 ret=0x1)
SSL: SSL_accept:SSLv3/TLS write server done
OpenSSL: TX ver=0x0 content_type=256 (TLS header info/)
OpenSSL: Message - hexdump(len=5): [REMOVED]
OpenSSL: TX ver=0x303 content_type=21 (alert/)
OpenSSL: Message - hexdump(len=2): [REMOVED]
SSL: (where=0x4008 ret=0x20a)
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unexpected_message
authsrv: local TLS alert: unexpected_message
SSL: (where=0x2002 ret=0xffffffff)
SSL: SSL_accept:error in error
OpenSSL: openssl_handshake - SSL_connect error:141A20F4:SSL routines:ossl_statem_server_read_transition:unexpected message
SSL: 7 bytes pending from ssl_out
SSL: Failed - tls_out available to report error
EAP-TLS: CONTINUE -> FAILURE
OpenSSL: Session was not cached
EAP: Session-Id - hexdump(len=0): [NULL]
EAP: EAP entering state SELECT_ACTION
EAP: getDecision: method failed -> FAILURE
EAP: EAP entering state FAILURE
EAP: Building EAP-Failure (id=128)
eaptest1: CTRL-EVENT-EAP-FAILURE 00:1b:08:00:8c:94
IEEE 802.1X: 00:1b:08:00:8c:94 BE_AUTH entering state FAIL
eaptest1: STA 00:1b:08:00:8c:94 IEEE 802.1X: Sending EAP Packet (identifier 128)
IEEE 802.1X: 00:1b:08:00:8c:94 AUTH_PAE entering state HELD
eaptest1: STA 00:1b:08:00:8c:94 IEEE 802.1X: unauthorizing port
eaptest1: STA 00:1b:08:00:8c:94 IEEE 802.1X: authentication failed - EAP type: 0 (unknown)
eaptest1: STA 00:1b:08:00:8c:94 IEEE 802.1X: Supplicant used different EAP type: 13 (TLS)
eaptest1: IEEE 802.1X: Force disconnection of 00:1b:08:00:8c:94 after EAP-Failure in 10 ms
IEEE 802.1X: 00:1b:08:00:8c:94 BE_AUTH entering state IDLE
eaptest1: IEEE 802.1X: Scheduled disconnection of 00:1b:08:00:8c:94 after EAP-Failure
eaptest1: ap_sta_disconnect STA 00:1b:08:00:8c:94 reason=23
eaptest1: ap_sta_disconnect: reschedule ap_handle_timer timeout for 00:1b:08:00:8c:94 (5 seconds - AP_MAX_INACTIVITY_AFTER_DEAUTH)
IEEE 802.1X: 00:1b:08:00:8c:94 AUTH_PAE entering state INITIALIZE
EAP: EAP entering state DISABLED
eaptest1: Deauthentication callback for STA 00:1b:08:00:8c:94
eaptest1: Removing STA 00:1b:08:00:8c:94 from kernel driver
eaptest1: STA 00:1b:08:00:8c:94 MLME: MLME-DEAUTHENTICATE.indication(00:1b:08:00:8c:94, 23)
eaptest1: STA 00:1b:08:00:8c:94 MLME: MLME-DELETEKEYS.request(00:1b:08:00:8c:94)
eaptest1: ap_handle_timer: 00:1b:08:00:8c:94 flags=0x40000000 timeout_next=3
eaptest1: STA 00:1b:08:00:8c:94 IEEE 802.11: deauthenticated due to local deauth request
ap_free_sta: cancel ap_handle_timer for 00:1b:08:00:8c:94
EAP: Server state machine removed
In wireshark logs we see the below details:
As you can see the Session Ticket details are missing and that Length 0 field is the last byte in the message but still in Wireshark we see other details like JA4, JA4_r etc?
Is the "Client Hello" response from the client in the correct format? Why does the Serve states:
SSL: SSL_accept:SSLv3/TLS write server done
OpenSSL: TX ver=0x0 content_type=256 (TLS header info/)
OpenSSL: Message - hexdump(len=5): [REMOVED]
OpenSSL: TX ver=0x303 content_type=21 (alert/)
OpenSSL: Message - hexdump(len=2): [REMOVED]
SSL: (where=0x4008 ret=0x20a)
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unexpected_message
authsrv: local TLS alert: unexpected_message
SSL: (where=0x2002 ret=0xffffffff)
SSL: SSL_accept:error in error
OpenSSL: openssl_handshake - SSL_connect error:141A20F4:SSL routines:ossl_statem_server_read_transition:unexpected message
SSL: 7 bytes pending from ssl_out
SSL: Failed - tls_out available to report error
EAP-TLS: CONTINUE -> FAILURE
OpenSSL: Session was not cached
EAP: Session-Id - hexdump(len=0): [NULL]
EAP: EAP entering state SELECT_ACTION
EAP: getDecision: method failed -> FAILURE
EAP: EAP entering state FAILURE
EAP: Building EAP-Failure (id=134)
Regards,
Prakash