EAP-TLS server issue

Jouni Malinen j
Sat Apr 2 03:51:26 PDT 2011

On Sat, Apr 02, 2011 at 03:20:56AM +0000, ? ? wrote:
> I have a problem about EAP-TLS connection with Hostapd. the error happens when the server verify
> the device certificate.
> the log of hostapd is as following:

> TLS: tls_verify_cb - preverify_ok=1 err=0 (ok) depth=2 buf='/C=US/O=WiMAX Forum(R)/CN=WiMAX Forum(R) Device Root - CA1'
> TLS: Certificate verification failed, error 7 (certificate signature failure) depth 1 for '/C=CN/O=SyChip Shanghai Co., Ltd./OU=WiMAX Forum(R) Devices/CN=ENG'
> SSL: (where=0x4008 ret=0x233)
> SSL: SSL3 alert: write (local SSL3 detected an error):fatal:decrypt error
> SSL: (where=0x2002 ret=0xffffffff)
> SSL: SSL_accept:error in SSLv3 read client certificate B
> OpenSSL: tls_connection_server_handshake - SSL_accept error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm
> OpenSSL: pending error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

That is OpenSSL saying that it does not support the hash algorithm used
in the certificate. Which OpenSSL version are you using? And which
hostapd version? At least some version combinations may not enable
SHA256-based digests. Newer OpenSSL version may enabled that by default
and the current hostapd snapshot is also forcing SHA256 to be enabled.

Jouni Malinen                                            PGP id EFC895FA

More information about the Hostap mailing list