<div dir="ltr"><div><div><div>Thanks Jouni. Appreciate your response<br></div>Let me check again with the client output. <br><br></div>Thanks,<br></div>Premraj<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Sun, Jun 14, 2015 at 1:51 AM, Jouni Malinen <span dir="ltr"><<a href="mailto:j@w1.fi" target="_blank">j@w1.fi</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On Thu, Jun 11, 2015 at 02:50:58PM -0700, Premraj Sundaram wrote:<br>
> I was using JRadiusSimulator GUI as the client.<br>
> The same client works with FreeRadius and returns Access-Accept.<br>
<br>
</span>That's strange if the test was done with same EAP-TLS fragmentation<br>
behavior from the client.. If that worked, the server would need to<br>
ignore incorrect TLS Message Length value (which, I'd assume, is<br>
possible for FreeRADIUS to do, e.g., as an interoperability workaround;<br>
I did not check its current implementation for this).<br>
<span class=""><br>
> I would prefer to make hostapd work, because my next step is to do EAP-AKA.<br>
><br>
> EAP: EAP entering state INTEGRITY_CHECK<br>
> EAP: EAP entering state METHOD_RESPONSE<br>
> SSL: Received packet(len=456) - Flags 0x00<br>
> SSL: Received packet: Flags 0x0 Message Length 0<br>
> SSL: Fragment overflow<br>
> EAP-TLS: CONTINUE -> FAILURE<br>
><br>
> The above lines make me thinking whether it could be an SSL issue.<br>
<br>
</span>It is not; this is fragmentation issue in EAP-TLS, i.e., something that<br>
happens before SSL (or well, TLS) processing. The test client is<br>
claiming that the TLS Message Length is 1028 octets of which the first<br>
1024 octets are included in the first message (the first fragment). That<br>
would mean that the second fragment would need to include the remaining<br>
4 octets. However, the second message includes about 434 octets which<br>
hostapd is rejecting as invalid ("SSL: Fragment overflow") which is the<br>
expected behavior with such a clearly incorrect fragmentation of an<br>
EAP-TLS message.<br>
<div class="HOEnZb"><div class="h5"><br>
--<br>
Jouni Malinen PGP id EFC895FA<br>
_______________________________________________<br>
HostAP mailing list<br>
<a href="mailto:HostAP@lists.shmoo.com">HostAP@lists.shmoo.com</a><br>
<a href="http://lists.shmoo.com/mailman/listinfo/hostap" rel="noreferrer" target="_blank">http://lists.shmoo.com/mailman/listinfo/hostap</a><br>
</div></div></blockquote></div><br></div>