EAP TLS failure - bad certificate?

Jouni Malinen jkmaline
Mon Jan 8 06:39:39 PST 2007


On Mon, Jan 08, 2007 at 01:27:53PM +0200, Bar, Eitan wrote:

> While trying to integrate and test TLS using my WLAN driver, I encountered an error regarding the certificate file.

Can you please describe what exactly you mean by "an error" here? How
does this show up? Does it prevent authentication? Do you have a debug
log showing this?

> The connection itself fails after the radius sends its certificate.

Please send a debug log showing the output from wpa_supplicant..

> When I run "openssl verify -CAfile my_new_root.pem eitan_my.cer" (NOT on the target platform), I get: "eitan_my.cer: OK". 
> Does this mean the certificate is ok?

Well, it means that it is more likely to be ok ;-).

> Suspicious log from wpa_supplicant (when reading the root certificate
> ------------------------------------------------------------------------
> 
> TLS: Trusted root certificate(s) loaded

CA cert was loaded without problems here..

> OpenSSL: tls_connection_client_cert - SSL_use_certificate_file (DER) failed error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
> OpenSSL: pending error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
> OpenSSL: pending error: error:140C800D:SSL routines:SSL_use_certificate_file:ASN1 lib
> OpenSSL: SSL_use_certificate_file (PEM) --> OK

wpa_supplicant tried to read client cert first as a DER file and that
failed, but reading it as a PEM file was successful.

> OpenSSL: tls_connection_private_key - SSL_use_PrivateKey_File (DER) failed error:0D094065:asn1 encoding routines:d2i_ASN1_SET:bad class
> OpenSSL: pending error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
> OpenSSL: pending error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
> OpenSSL: pending error: error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib
> OpenSSL: pending error: error:140CB00D:SSL routines:SSL_use_PrivateKey_file:ASN1 lib
> OpenSSL: SSL_use_PrivateKey_File (PEM) --> OK
> SSL: Private key loaded successfully

And same for the client private key.

In other words, no problems in loading the keys/certs.

-- 
Jouni Malinen                                            PGP id EFC895FA
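
The reading of the log given in the message above can be automated. The following is an added example, not part of the original message and not wpa_supplicant code: it treats a DER failure as noise when the same call later succeeds as PEM. The function name `triage` is hypothetical, and the line shapes are assumed to match the debug lines quoted in the message.

```python
import re

# Constructed sample: the debug lines quoted in the message above, with the
# "> " quote markers removed.
SAMPLE_LOG = """\
TLS: Trusted root certificate(s) loaded
OpenSSL: tls_connection_client_cert - SSL_use_certificate_file (DER) failed error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
OpenSSL: pending error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
OpenSSL: pending error: error:140C800D:SSL routines:SSL_use_certificate_file:ASN1 lib
OpenSSL: SSL_use_certificate_file (PEM) --> OK
OpenSSL: tls_connection_private_key - SSL_use_PrivateKey_File (DER) failed error:0D094065:asn1 encoding routines:d2i_ASN1_SET:bad class
OpenSSL: pending error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
OpenSSL: pending error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
OpenSSL: pending error: error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib
OpenSSL: pending error: error:140CB00D:SSL routines:SSL_use_PrivateKey_file:ASN1 lib
OpenSSL: SSL_use_PrivateKey_File (PEM) --> OK
SSL: Private key loaded successfully
"""

# One load attempt: "<OpenSSL call> (<encoding>) failed" or "... --> OK".
# "pending error" lines name the call followed by ":" and so never match.
ATTEMPT = re.compile(r"(SSL_use_\w+) \((DER|PEM)\) (failed|--> OK)")


def triage(log):
    """Return {openssl_call: verdict} for each file-loading call in the log."""
    attempts = {}  # call name -> list of (encoding, succeeded)
    for line in log.splitlines():
        m = ATTEMPT.search(line)
        if m:
            call, encoding, result = m.groups()
            attempts.setdefault(call, []).append((encoding, result == "--> OK"))
    verdicts = {}
    for call, tries in attempts.items():
        ok = [encoding for encoding, succeeded in tries if succeeded]
        # A failure in one encoding followed by success in the other is only
        # the fallback probe; the load is a real failure if nothing succeeded.
        verdicts[call] = "loaded as " + ok[0] if ok else "FAILED in all formats tried"
    return verdicts


if __name__ == "__main__":
    for call, verdict in triage(SAMPLE_LOG).items():
        print(call, "->", verdict)
```
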



