EAP TLS failure - bad certificate?
Bar, Eitan
eitanb
Mon Jan 8 07:46:28 PST 2007
Hi,
Below is a dump right after the last EAPOL (containing the last fragment
of the certificate) was received by the driver.
Btw, I'm using a CA certificate generated by the RADIUS server itself (not
VeriSign or similar).
-------------------------
RX EAPOL from 00:50:f1:00:02:24
RX EAPOL - hexdump(len=594):
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=6 method=13 vendor=0 vendorMethod=0
EAP: EAP entering state METHOD
SSL: Received packet(len=590) - Flags 0x00
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3 read server hello A
TLS: Certificate verification failed, error 9 (certificate is not yet valid) depth 1 for '/DC=com/DC=lab/CN=CA wireless access'
SSL: (where=0x4008 ret=0x22a)
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:bad certificate
SSL: (where=0x1002 ret=0xffffffff)
SSL: SSL_connect:error in SSLv3 read server certificate B
OpenSSL: tls_connection_handshake - SSL_connect error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
SSL: 7 bytes pending from ssl_out
SSL: Failed - tls_out available to report error
SSL: 7 bytes left to be sent out (of total 7 bytes)
EAP-TLS: TLS processing failed
EAP: method process -> ignore=FALSE methodState=DONE decision=FAIL
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
TX EAPOL - hexdump(len=17): 01 00 00 0d 02 06 00 0d 0d 00 15 03 01 00 02 02 2a
EAPOL: SUPP_BE entering state RECEIVE
RX EAPOL from 00:50:f1:00:02:24
RX EAPOL - hexdump(len=8): 01 00 00 04 04 07 00 04
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Failure
EAP: Workaround for unexpected identifier field in EAP Success: reqId=7 lastId=6 (these are supposed to be same)
EAP: EAP entering state FAILURE
> -----Original Message-----
> From: hostap-bounces+eitanb=ti.com at shmoo.com [mailto:hostap-bounces+eitanb=ti.com at shmoo.com] On Behalf Of Jouni Malinen
> Sent: Monday, January 08, 2007 4:40 PM
> To: hostap at shmoo.com
> Subject: Re: EAP TLS failure - bad certificate?
>
> On Mon, Jan 08, 2007 at 01:27:53PM +0200, Bar, Eitan wrote:
>
> > While trying to integrate and test TLS using my WLAN driver, I encountered an error regarding the certificate file.
>
> Can you please describe what exactly you mean with "an error" here? How
> does this show up? Does it prevent authentication? Do you have a debug
> log showing this?
>
> > The connection itself fails after the radius sends its certificate.
>
> Please send a debug log showing the output from wpa_supplicant..
>
> > When I run "openssl verify -CAfile my_new_root.pem eitan_my.cer" (NOT on the target platform), I get: "eitan_my.cer: OK".
> > Does this mean the certificate is ok?
>
> Well, it means that it is more likely to be ok ;-).
>
> > Suspicious log from wpa_supplicant (when reading the root certificate
> >
> > ------------------------------------------------------------------------
> >
> > TLS: Trusted root certificate(s) loaded
>
> CA cert was loaded without problems here..
>
> > OpenSSL: tls_connection_client_cert - SSL_use_certificate_file (DER) failed error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
> > OpenSSL: pending error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
> > OpenSSL: pending error: error:140C800D:SSL routines:SSL_use_certificate_file:ASN1 lib
> > OpenSSL: SSL_use_certificate_file (PEM) --> OK
>
> wpa_supplicant tried to read client cert first as a DER file and that
> failed, but reading it as a PEM file was successful.
>
> > OpenSSL: tls_connection_private_key - SSL_use_PrivateKey_File (DER) failed error:0D094065:asn1 encoding routines:d2i_ASN1_SET:bad class
> > OpenSSL: pending error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
> > OpenSSL: pending error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
> > OpenSSL: pending error: error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib
> > OpenSSL: pending error: error:140CB00D:SSL routines:SSL_use_PrivateKey_file:ASN1 lib
> > OpenSSL: SSL_use_PrivateKey_File (PEM) --> OK
> > SSL: Private key loaded successfully
>
> And same for the client private key.
>
> In other words, no problems in loading the keys/certs.
>
> --
> Jouni Malinen                            PGP id EFC895FA
> _______________________________________________
> HostAP mailing list
> HostAP at shmoo.com
> http://lists.shmoo.com/mailman/listinfo/hostap
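The "error 9 (certificate is not yet valid) depth 1" in the log above is OpenSSL's X509_V_ERR_CERT_NOT_YET_VALID, reported when the verifying host's clock is earlier than the CA certificate's notBefore; the script below is an added example, not code from the thread or from wpa_supplicant, that rebuilds the situation with the openssl CLI. It assumes `openssl` is on the PATH, uses constructed subject names (the CA name mirrors the log), and drives the clock with `openssl verify -attime` the way an embedded device with an unset clock would see the chain.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the supplicant's
# "Certificate verification failed, error 9 (certificate is not yet valid)
# depth 1" by checking a freshly built chain against a clock in the past.
# Subject names are constructed; the CA name mirrors the one in the log.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a self-signed CA (as a RADIUS server generates for itself) and a
# server certificate issued by it. Both are valid from "now" onwards.
make_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/DC=com/DC=lab/CN=CA wireless access" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=radius.lab.example" \
    -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$WORK/srv.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/srv.pem" 2>/dev/null
}

# verify_at EPOCH: verify srv.pem against ca.pem as if the clock read EPOCH
# (openssl verify -attime) and print "<error> <depth>", where <error> is the
# X509_V_ERR_* number wpa_supplicant logs; "0 -" means the chain verified.
verify_at() {
  out=$(openssl verify -attime "$1" -CAfile "$WORK/ca.pem" \
          "$WORK/srv.pem" 2>&1 || true)
  case "$out" in
    *": OK"*) echo "0 -" ;;
    *) printf '%s\n' "$out" |
         sed -n 's/.*error \([0-9][0-9]*\) at \([0-9][0-9]*\) depth.*/\1 \2/p' |
         head -n 1 ;;
  esac
}

make_chain
# A clock stuck at the thread's date (8 Jan 2007) is far before notBefore.
# OpenSSL checks validity from the top of the chain down, so the CA at
# depth 1 is the certificate reported, exactly as in the log.
echo "clock in the past: $(verify_at 1168214400)"    # 9 1
# The same chain verifies once the clock is right, which is what the
# workstation's "openssl verify ... OK" showed.
echo "clock correct:     $(verify_at "$(date +%s)")" # 0 -
```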