hostapd EAP-TLS CRL not working
Trent W. Buck
twb-hostapd
Thu Sep 15 19:57:44 PDT 2011
[Please CC me if possible; I am not subscribed to this list.]
I'm having trouble blacklisting client certificates in my otherwise-
working hostapd WPA2 EAP-TLS setup, using hostapd's internal RADIUS
implementation. Specifically, hostapd seems to be ignoring the CRL.
I'm really hoping someone can tell me what I'm doing wrong here, because
if I can't blacklist compromised client certificates, I'm gonna have to
pick PSK or some other EAP.
I have already asked the OpenWRT community for help, but I seem to be
the only OpenWRT user using EAP-TLS at all, let alone with a CRL. I
also checked this list's archive, but could only see a couple of
CRL-related emails.
The AP runs OpenWRT 10.03.1-rc4 (ARM), running hostapd "20100705-1":
root@widow:~# opkg update
Downloading http://downloads.openwrt.org/backfire/10.03.1-rc4/ar71xx/packages/Packages.gz.
Inflating http://downloads.openwrt.org/backfire/10.03.1-rc4/ar71xx/packages/Packages.gz.
Updated list of available packages in /var/opkg-lists/packages.
root@widow:~# opkg list hostapd
hostapd - 20100705-1 - This package contains a full featured IEEE 802.1x/WPA/EAP/RADIUS
Authenticator.
root@widow:~# hostapd -v
hostapd v0.8.x
User space daemon for IEEE 802.11 AP management,
IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator
Copyright (c) 2002-2010, Jouni Malinen <j@w1.fi> and contributors
You can find its source here. I don't know if this includes the
OpenWRT-specific patches (if any):
http://downloads.openwrt.org/sources/hostapd-20100705.tar.bz2
The client is Debian Unstable (x86-64), running wpa_supplicant 0.7.3-3:
root@dali:~# wpa_supplicant -v
wpa_supplicant v0.7.3
Copyright (c) 2003-2010, Jouni Malinen <j@w1.fi> and contributors
Here is the hostapd config file:
ctrl_interface=/var/run/hostapd-phy0
driver=nl80211
wmm_ac_bk_cwmin=4
wmm_ac_bk_cwmax=10
wmm_ac_bk_aifs=7
wmm_ac_bk_txop_limit=0
wmm_ac_bk_acm=0
wmm_ac_be_aifs=3
wmm_ac_be_cwmin=4
wmm_ac_be_cwmax=10
wmm_ac_be_txop_limit=0
wmm_ac_be_acm=0
wmm_ac_vi_aifs=2
wmm_ac_vi_cwmin=3
wmm_ac_vi_cwmax=4
wmm_ac_vi_txop_limit=94
wmm_ac_vi_acm=0
wmm_ac_vo_aifs=2
wmm_ac_vo_cwmin=2
wmm_ac_vo_cwmax=3
wmm_ac_vo_txop_limit=47
wmm_ac_vo_acm=0
tx_queue_data3_aifs=7
tx_queue_data3_cwmin=15
tx_queue_data3_cwmax=1023
tx_queue_data3_burst=0
tx_queue_data2_aifs=3
tx_queue_data2_cwmin=15
tx_queue_data2_cwmax=63
tx_queue_data2_burst=0
tx_queue_data1_aifs=1
tx_queue_data1_cwmin=7
tx_queue_data1_cwmax=15
tx_queue_data1_burst=3.0
tx_queue_data0_aifs=1
tx_queue_data0_cwmin=3
tx_queue_data0_cwmax=7
tx_queue_data0_burst=1.5
hw_mode=g
channel=11
ieee80211n=1
ht_capab=[HT20][SHORT-GI-40][DSSS_CCK-40]
interface=wlan0
eap_server=1
eap_user_file=/etc/hostapd/users
server_cert=/etc/hostapd/hostapd.crt
private_key=/etc/hostapd/hostapd.key
ieee8021x=1
wpa_key_mgmt=WPA-EAP
wpa_group_rekey=300
wpa_gmk_rekey=640
auth_algs=1
wpa=2
wpa_pairwise=CCMP
ssid=cyber
bridge=br-lan
wmm_enabled=1
bssid=54:e6:fc:dc:d4:dc
ignore_broadcast_ssid=0
ca_cert=/etc/hostapd/cacrl.crt
check_crl=1
Here is the cacrl.crt file, it revokes client cert 4dcb9cf5:
-----BEGIN CERTIFICATE-----
MIIDlzCCAoGgAwIBAgIETZGIaDALBgkqhkiG9w0BAQUwWjELMAkGA1UEBhMCQVUx
GzAZBgNVBAoTEkN5YmVyIElUIFNvbHV0aW9uczERMA8GA1UECBMIVmljdG9yaWEx
GzAZBgNVBAMTEkN5YmVyIElUIFNvbHV0aW9uczAeFw0xMTAzMjkwNzIxMTJaFw0x
NjAzMjcwNzIxMTJaMFoxCzAJBgNVBAYTAkFVMRswGQYDVQQKExJDeWJlciBJVCBT
b2x1dGlvbnMxETAPBgNVBAgTCFZpY3RvcmlhMRswGQYDVQQDExJDeWJlciBJVCBT
b2x1dGlvbnMwggEfMAsGCSqGSIb3DQEBAQOCAQ4AMIIBCQKCAQDle4EzfINgMf7b
v/edD19gArdKw/01CQ4vLf/HsO1wOmpMa6XMO/t0Raprtjeizz58Gw6lU+mjeAU2
q7tJT4nPDHc3D5a0eYdUIpbL2d3LHNY9q+dXwx0DH1+bwLPSeiLgTedO/vsIQI14
GNymRFDoQT7R5yn3QXi+Nl4hHQxMMEp4Gvk7V1xPrenRoyvhmnswfNAX1G6AU9p8
AgusjoFrIlahIHKWQMJlJ6unewFV0gC/bjvB9o10X0RKTCd42P4IjnzHG/ybKDBT
70QqZpqCgnW9UEKXF4M3k561YjwU96wAIxJv0MtKurmO1XX5TRGZODCLsupdXcDG
47vzkmjNAgMBAAGjbDBqMA8GA1UdEwEB/wQFMAMBAf8wJwYDVR0lBCAwHgYIKwYB
BQUHAwMGCCsGAQUFBwMJBggrBgEFBQcDCDAPBgNVHQ8BAf8EBQMDBwYAMB0GA1Ud
DgQWBBR3cRKQZhquqw6uZpycxMUlN4HJhzALBgkqhkiG9w0BAQUDggEBANdeu/Qy
poJE4R1z4tBZyky2ATVtdMVHVIhw2sEml+UBLpRlvTvc3zC4c7kcDpvJl8eHilKZ
rmyypoCofIfUW3OyOt8B20PRbcZjC4bbo5ZZAXiJAwEZdgu4JRcOQIDKEY5A/Idt
jNFMDUqqTe3tN+u/SEFHSB1XUjVxJ+NU2f5KZA3JH3K0HKpuwdq9w9fCRETc1TWY
zFI5VUI5rm98179BfP9TYaFWxJE7Ps5VIHzO47BCVPZzAE/V/L/NC78FUylAm7hX
Up60BufNCcO6UIJtiTYBJ20TF1J9OVm/84/A4ef5lfxrDVVNqBcwDwMmG1FxZ2w0
hjHXwBGqbvatSOQ=
-----END CERTIFICATE-----
-----BEGIN X509 CRL-----
<CRL body elided>
-----END X509 CRL-----
That serial (4dcb9cf5) corresponds to the one used on the Debian client
(sorry, I won't attach that cert):
root@dali:~# certtool -i </etc/wpa_supplicant/dali.crt | grep 4dcb9cf5
Serial Number (hex): 4dcb9cf5
Here is the output of hostapd without -d's, showing the client
successfully connecting despite the CRL:
root@widow:~# hostapd /var/run/hostapd-phy0.conf
Configuration file: /var/run/hostapd-phy0.conf
Using interface wlan0 with hwaddr 54:e6:fc:dc:d4:dc and ssid 'cyber'
wlan0: STA 1c:4b:d6:81:b6:18 IEEE 802.11: authenticated
wlan0: STA 1c:4b:d6:81:b6:18 IEEE 802.11: associated (aid 1)
CTRL-EVENT-EAP-STARTED 1c:4b:d6:81:b6:18
CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
CTRL-EVENT-EAP-SUCCESS 1c:4b:d6:81:b6:18
wlan0: STA 1c:4b:d6:81:b6:18 WPA: pairwise key handshake completed (RSN)
AP-STA-CONNECTED 1c:4b:d6:81:b6:18
wlan0: STA 1c:4b:d6:81:b6:18 RADIUS: starting accounting session 4E71C3D6-00000000
wlan0: STA 1c:4b:d6:81:b6:18 IEEE 802.1X: authenticated - EAP type: 0 ((null))
Attached are hostapd transcripts of more successful connections, with
debugging turned on, with check_crl=1 (as above), and with that line
commented out of the .conf file. As you can see, they look to be
identical -- as if hostapd isn't even parsing the CRL.
<elided so mailman won't hold for moderation for being too big>
Here is what the client sees:
root@dali:~# wpa_supplicant -Dwext -iwlan0 -c/etc/wpa_supplicant.conf
ioctl[SIOCSIWENCODEEXT]: Invalid argument
ioctl[SIOCSIWENCODEEXT]: Invalid argument
Trying to associate with 54:e6:fc:dc:d4:dc (SSID='cyber' freq=2462 MHz)
Associated with 54:e6:fc:dc:d4:dc
CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
OpenSSL: pending error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
OpenSSL: pending error: error:140C800D:SSL routines:SSL_use_certificate_file:ASN1 lib
OpenSSL: pending error: error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
OpenSSL: pending error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
OpenSSL: pending error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
OpenSSL: pending error: error:04093004:rsa routines:OLD_RSA_PRIV_DECODE:RSA lib
OpenSSL: pending error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
OpenSSL: pending error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
OpenSSL: pending error: error:140CB00D:SSL routines:SSL_use_PrivateKey_file:ASN1 lib
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=AU/O=Cyber IT Solutions/ST=Victoria/CN=Cyber IT Solutions'
CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=AU/O=Cyber IT Solutions/ST=Victoria/CN=cyber'
CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
WPA: Key negotiation completed with 54:e6:fc:dc:d4:dc [PTK=CCMP GTK=CCMP]
CTRL-EVENT-CONNECTED - Connection to 54:e6:fc:dc:d4:dc completed (auth) [id=0 id_str=]
CTRL-EVENT-DISCONNECTED bssid=54:e6:fc:dc:d4:dc reason=0
ioctl[SIOCSIWENCODEEXT]: Invalid argument
ioctl[SIOCSIWENCODEEXT]: Invalid argument
Trying to associate with 54:e6:fc:dc:d4:dc (SSID='cyber' freq=2462 MHz)
^CCTRL-EVENT-TERMINATING - signal 2 received
PS: from past experience with SSL issues (OpenLDAP), my first guess
is that OpenWRT's hostapd is compiled against GnuTLS (unconfirmed), and
it will Just Work after recompiling against OpenSSL.
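Before blaming hostapd, it is worth confirming with openssl(1) alone that a CA+CRL bundle laid out like the cacrl.crt above really does reject the client certificate, that the CRL is signed by that CA, and that the client's serial is actually listed. The script below is an added example, not code from the original post or from the hostapd project: it builds a throwaway CA, issues one client certificate, revokes it, writes the bundle in the same "CA certificate followed by CRL" layout, and runs those checks. The names (Lab CA, dali, the scratch directory) are assumptions; the issued serial is seeded with the poster's 4dcb9cf5 so the CRL text output matches what they should see on their own file. The last check only reports which TLS library the local hostapd binary is dynamically linked against, which is the poster's own guess at the cause.

```shell
#!/bin/sh
# Added example (not from the original post): verify a CA+CRL bundle with
# openssl, independently of hostapd.  All names below are assumptions.
set -u

WORK=""

make_pki() {
    # Fresh scratch CA on every call so the function can be re-run safely.
    [ -n "$WORK" ] && rm -rf "$WORK"
    WORK=$(mktemp -d) || return 1
    mkdir "$WORK/newcerts" && : >"$WORK/index.txt" \
        && echo 4DCB9CF5 >"$WORK/serial" && echo 01 >"$WORK/crlnumber" || return 1
    # Minimal "openssl ca" configuration; $dir expands inside openssl, $WORK here.
    cat >"$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = lab_ca
[ lab_ca ]
dir = $WORK
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = lab_policy
[ lab_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
    # Self-signed CA, then a client cert issued and immediately revoked by it.
    openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
        -out "$WORK/ca.crt" -subj "/CN=Lab CA" -days 365 \
        -config "$WORK/ca.cnf" -extensions v3_ca >/dev/null 2>&1 || return 1
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/client.key" \
        -out "$WORK/client.csr" -subj "/CN=dali" -config "$WORK/ca.cnf" >/dev/null 2>&1 || return 1
    openssl ca -batch -config "$WORK/ca.cnf" -in "$WORK/client.csr" \
        -out "$WORK/client.crt" -notext -extensions v3_client >/dev/null 2>&1 || return 1
    openssl ca -batch -config "$WORK/ca.cnf" -revoke "$WORK/client.crt" >/dev/null 2>&1 || return 1
    openssl ca -batch -config "$WORK/ca.cnf" -gencrl -out "$WORK/ca.crl" >/dev/null 2>&1 || return 1
    # Same layout as the poster's cacrl.crt: CA certificate followed by the CRL.
    cat "$WORK/ca.crt" "$WORK/ca.crl" >"$WORK/cacrl.crt"
}

# Does the client cert chain to the CA when the CRL is ignored?  (expected: yes)
verify_without_crl() {
    openssl verify -CAfile "$WORK/cacrl.crt" "$WORK/client.crt" >/dev/null 2>&1
}
# Does the same check fail once CRL checking is on?  (expected: exit non-zero, "certificate revoked")
verify_with_crl() {
    openssl verify -crl_check -CAfile "$WORK/cacrl.crt" "$WORK/client.crt" >/dev/null 2>&1
}
# Is the CRL inside the bundle signed by that CA?  openssl prints "verify OK".
crl_signed_by_ca() {
    openssl crl -in "$WORK/cacrl.crt" -CAfile "$WORK/ca.crt" -noout 2>&1 | grep -q 'verify OK'
}
# Is the client's serial listed under "Revoked Certificates" in the CRL?
revoked_serial_listed() {
    serial=$(openssl x509 -in "$WORK/client.crt" -noout -serial | cut -d= -f2) || return 1
    openssl crl -in "$WORK/cacrl.crt" -noout -text | grep -qi "Serial Number: $serial"
}
# Which TLS library is the local hostapd linked against?  (report only)
hostapd_tls_backend() {
    bin=$(command -v hostapd) || { echo "hostapd not in PATH"; return 0; }
    ldd "$bin" 2>/dev/null | grep -Ei 'libssl|libcrypto|libgnutls' \
        || echo "no dynamic TLS library found for $bin (static build?)"
}

main() {
    make_pki || { echo "PKI setup failed"; return 1; }
    verify_without_crl && echo "without -crl_check: client accepted (expected)"
    verify_with_crl || echo "with -crl_check:    client rejected (expected, revoked)"
    crl_signed_by_ca && echo "CRL signature:      OK, issued by the CA"
    revoked_serial_listed && echo "CRL contents:       client serial is listed"
    hostapd_tls_backend
}
trap '[ -n "$WORK" ] && rm -rf "$WORK"' EXIT
main
```

Run the same four openssl commands against the real /etc/hostapd/cacrl.crt and the client's dali.crt: if `openssl verify -crl_check` rejects the client while hostapd still lets it through, the bundle is fine and the problem is in how hostapd's TLS backend loads it; if openssl accepts the client too, the CRL itself (signature, validity window, or listed serial) is the problem.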