802.1x & EAP-TLS: Alert (Level: Fatal, Description: Unexpected Message)

Posted on by

Today we achieved to connect to our corporate WLAN (802.1x / EAP-TLS). Normally certificates are only issued to our Windows Users but with help of our IT Department we got certificates for our linux machines. My colleagues tried it several times but it didn’t work with networkmanager neither with wpasupplicant. The last days I had the “chance” to try myself. I started wpasupplicant together with wireshark. After sending Client Hello to our accesspoint (connected to a radius server) , it returned an error message:

Alert (Level: Fatal, Description: Unexpected Message)

The fatal alert Unexpected Message “should never be observed in communication between proper implementations”. The server did not want to see my my certificates and stopped talking to me immediately. After comparing Client Hello bit-by-bit with RFC 2246, I hit on the SessionTicket TLS Extension (defined in RFC 4507) sent by my client:

Ethernet II
802.1X Authentication
Extensible Authentication Protocol
Secure Socket Layer
SSL Record Layer: Handshake Protocol: Client Hello
Handshake Protocol: Client Hello
….
Compression Methods Length: 2
Compression Methods (2 methods)
Extensions Length: 4
Extension: SessionTicket TLS
Type: SessionTicket TLS (0×0023)
Length: 0
Data (0 bytes)

I was asking myself what would happen if I would remove this Extension from the Client Hello so it would look like a old-fashioned RFC2246 datagram? To accomplish this I downloaded the openssl sourcecode with apt-get source openssl, removed enable-tlsext from rules/debian and rebuilt the code with make -f debian/rules (I didn’t want to install it).
I started wpasupplicant with

LD_LIBRARY_PATH=~/openssl-0.9.8g/ wpa_supplicant -d -i wlan0 -Dwext -c WLAN.conf

and it worked! The TLS Extension is not sent by my client and in wireshark the response from the accesspoint looks now like a well formed Server Hello

TLSv1
Certificate, Client Key Exchange, Certificate Verify, Change Cipher Spec, Encrypted Handshake Mess

Conclusion: I am now sure that the server handles the Client Hello wrong. RFC2246 describes in its “Forward compatibility” note:

In the interests of forward compatibility, it is permitted for a client hello message to include extra data after the compression methods. This data must be included in the handshake hashes, but must otherwise be ignored.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>