wpa_supplicant + hostapd + RADIUS --> NO WPA/RSN IE

Andrea G Forte andreaf at cs.columbia.edu
Mon Feb 6 19:21:20 EST 2006


Yes, it was indeed the firmware.
Now everything seems to work with RADIUS. However there seems to be a 
small bug in the wpa_supplicant or perhaps it is done on purpose for 
some reason.
The "error" I get is:

EAP: initialize selected EAP method (13, TLS)
TLS: Trusted root certificate(s) loaded
*OpenSSL: tls_connection_private_key - SSL_use_PrivateKey_File (DER) 
failed error:140CB07C:SSL routines:SSL_use_PrivateKey_file:bad ssl filetype*
*OpenSSL: tls_connection_private_key - SSL_use_PrivateKey_File (PEM) 
failed error:0906D06C:PEM routines:PEM_read_bio:no start line*
*OpenSSL: pending error: error:140CB009:SSL 
routines:SSL_use_PrivateKey_file:PEM lib*
TLS: Successfully parsed PKCS12 file 
'/root/wireless/radius/freeradius-1.0.0-pre2/scripts/cert-clt.p12'
TLS: Got certificate from PKCS12: subject='/C=US/ST=New 
York/L=Brooklyn/O=Columbia/CN=andrea/emailAddress=andreaf at cs.columbia.edu'
TLS: Got private key from PKCS12
OpenSSL: Reading PKCS#12 file --> OK
SSL: Private key loaded successfully
CTRL-EVENT-EAP-METHOD EAP method 13 (TLS) selected
EAP: EAP entering state METHOD
SSL: Received packet(len=6) - Flags 0x20
EAP-TLS: Start

It seems that even though I have set cert-clt.p12 file in the wpa config 
file, the application still says to openssl to look for .der and .pem 
files and only *after* it looks in the correct file (p12). Shouldn't it 
be the opposite? Shouldn't wpa_supplicant tell to check the p12 file 
first as specified in the config file and if it does not find it then 
look in the other files?

The relevant part of my config file is as follows:

# private_key: File path to client private key file (PEM/DER/PFX)
#       When PKCS#12/PFX file (.p12/.pfx) is used, client_cert should be
#       commented out. Both the private key and certificate will be read 
from
#       the PKCS#12 file in this case.


network={
       ssid="test"
       proto=RSN
       key_mgmt=WPA-EAP
       pairwise=CCMP
       auth_alg=OPEN
       eap=TLS
       identity="andrea"
       
ca_cert="/root/wireless/radius/freeradius-1.0.0-pre2/scripts/demoCA/cacert.pem"
       
private_key="/root/wireless/radius/freeradius-1.0.0-pre2/scripts/cert-clt.p12"
       private_key_passwd="whatever"
       priority=5
}

Thank you,
Andrea



Jar wrote:

> Andrea G Forte wrote:
>
>> Any idea on what the problem might be? Do I need to update the firmware?
>
>
> Yes I think so, you will need at least station firmware 1.7.0. But 
> good choice would be update to v1.1.1 (primary) and v1.7.4 (secondary).
>




More information about the HostAP mailing list