Problem using ca_path to connect to a EAP-TLS network
Soh Kam Yung
Thu Dec 11 22:45:44 PST 2008
On Wed, Dec 10, 2008 at 12:56 AM, Jouni Malinen <j at w1.fi> wrote:
> On Tue, Dec 09, 2008 at 04:18:10PM +0800, Soh Kam Yung wrote:
>> I'm encountering problems connecting to a EAP-TLS network using
>> ca_path in my configuration (instead of ca_cert).
>> ca_path = "/usr/local/certs"
>> I start seeing the following error in the wpa_supplicant debug output:
>> TLS: Certificate verification failed, error 20 (unable to get local
>> issuer certificate) depth 1 for '[deleted]'
>> Am I using ca_path correctly?
> Does the directory that you point to include certificate hash files
> (symlink from a filename with the hash to the actual certificate)?
> OpenSSL requires that to find the certificates when using ca_path.
> Jouni Malinen PGP id EFC895FA
I looked at some OpenSSL documentation. Just be certain, when you
mention hashes, do you mean the hashes as mention in the OpenSSL
The usage looks similar to the ca_path/ca_cert options as used in
wpa_supplicant, only 'better' documented... ;-)
verify - Utility to verify certificates.
openssl verify [-CApath directory] [-CAfile file] [-purpose purpose]
[-untrusted file] [-help] [-issuer_checks] [-verbose] [-]
The verify command verifies certificate chains.
A directory of trusted certificates. The certificates should have
names of the form: hash.0 or have symbolic links to them of this form
(``hash'' is the hashed certificate subject name: see the -hash option
of the x509 utility). Under Unix the c_rehash script will
automatically create symbolic links to a directory of certificates.
A file of trusted certificates. The file should contain multiple
certificates in PEM format concatenated together.
Soh Kam Yung
my Google Reader Shared links:
my Google Reader Shared SFAS links:
More information about the Hostap