Certificate verification failed, error 19 (self signed certificate in certificate chain)

TianHong Zhao tzhao
Wed Apr 29 11:22:25 PDT 2009



I'm using a supplicant based on wpa 0.6.8. When using EAP-TLS to verify the
server's certificate, I got an error like:


>> SSL: SSL_connect:SSLv3 read server hello A
>> TLS: Certificate verification failed, error 19 (self signed certificate in certificate chain) depth 1 for '/C=US/O=Motorola, Inc./OU=WiMAX Device Certificate Authority/CN=Motorola WiMAX Device Root
>> SSL: (where=0x4008 ret=0x230)
>> SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown
>> SSL: (where=0x1002 ret=0xffffffff)
>> SSL: SSL_connect:error in SSLv3 read server certificate B
>> OpenSSL: tls_connection_handshake - SSL_connect error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed



The "ca_cert" I use at the client is a blob-type (directly taken from a
PEM file without the lines -BEGIN- and -END-), which is a self-signed CA
with the Extensions item "Certificate Basic Constraints":

Is a Certificate Authority
Maximum number of intermediate CAs: unlimited


I have the following questions: 



1. What might cause the above error?
2. Does wpa's blob-type ca_cert support a self-signed CA with
"Critical basic constraints"? (On a separate test with another
self-signed key with "non-critical basic constraints", it seems to work.)
3. If I have two CAs, how can I use a blob to store them?


Attached is the detailed log from the supplicant.







-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: eap_tls.txt
Url: http://lists.shmoo.com/pipermail/hostap/attachments/20090429/350fbf9c/attachment.txt 
