Certificate verification failed, error 19 (self signed certificate in certificate chain)

[TianHong Zhao]

Hi,

 

I'm using a supplicant based on wpa 0.6.8, when using EAP-TLS to verify
server's certificate, I got an error like:

 

>> SSL: SSL_connect:SSLv3 read server hello A

>> TLS: Certificate verification failed, error 19 (self signed
certificate in certificate chain) depth 1 for '/C=US/O=Motorola,
Inc./OU=WiMAX Device Certificate Authority/CN=Motorola WiMAX Device Root
CA'

>> SSL: (where=0x4008 ret=0x230)

>> SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown
CA

>> SSL: (where=0x1002 ret=0xffffffff)

>> SSL: SSL_connect:error in SSLv3 read server certificate B

>> OpenSSL: tls_connection_handshake - SSL_connect error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

 

 

The "ca_cert" I use at the client is a blob-type (directly taken from a
PEM file without lines -BEGIN-and -END--), which

Is a self-signed CA with Extensions item "certificate Basic Constraints"
as:

 

Critical

Is a Certificate Authority

Maximum number of intermediate CAs: unlimited

 

I have the following questions: 

 

 

1.	What might cause the above error?
2.	Does wpa's blob-type ca_cert support self-signed CA with
"Critical basic constraints"? ( on a separate test with another
self-signed key with non-critical basic constraints", it seems to work).
3.	If I have two CAs, how can I use bob to store them?

 

The attached is the detailed log from the supplicant.

 

Thanks

 

Tianhong

 

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.shmoo.com/pipermail/hostap/attachments/20090429/350fbf9c/attachment.htm 
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: eap_tls.txt
Url: http://lists.shmoo.com/pipermail/hostap/attachments/20090429/350fbf9c/attachment.txt