EAP-TLS server issue
Tue Apr 5 18:17:34 PDT 2011
Thank you for your reply.
the hostapd version I used is 0.6.9, and the version of openssl is 0.9.8i, and How can I confirm if the SHA256 is enable or not?
I will use the newer openssl to try.
But I'm confuzed that the freeradius 2.1.6 combined with the openssl 0.9.8i is ok for the eap-tls.
> Date: Sat, 2 Apr 2011 13:51:26 +0300
> From: j at w1.fi
> To: hostap at lists.shmoo.com
> Subject: Re: EAP-TLS server issue
> On Sat, Apr 02, 2011 at 03:20:56AM +0000, ? ? wrote:
> > I have a problem about EAP-TLS connection with Hostapd. the error happens when the server verify
> > the device certificate.
> > the log of hostapd is as following:
> > TLS: tls_verify_cb - preverify_ok=1 err=0 (ok) depth=2 buf='/C=US/O=WiMAX Forum(R)/CN=WiMAX Forum(R) Device Root - CA1'
> > TLS: Certificate verification failed, error 7 (certificate signature failure) depth 1 for '/C=CN/O=SyChip Shanghai Co., Ltd./OU=WiMAX Forum(R) Devices/CN=ENG'
> > SSL: (where=0x4008 ret=0x233)
> > SSL: SSL3 alert: write (local SSL3 detected an error):fatal:decrypt error
> > SSL: (where=0x2002 ret=0xffffffff)
> > SSL: SSL_accept:error in SSLv3 read client certificate B
> > OpenSSL: tls_connection_server_handshake - SSL_accept error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm
> > OpenSSL: pending error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
> That is OpenSSL saying that it does not support the hash algorithm used
> in the certificate. Which OpenSSL version are you using? And which
> hostapd version? At least some version combinations may not enable
> SHA256-based digests. Newer OpenSSL version may enabled that by default
> and the current hostapd snapshot is also forcing SHA256 to be enabled.
> Jouni Malinen PGP id EFC895FA
> HostAP mailing list
> HostAP at lists.shmoo.com
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Hostap