Fw: EAP-TLS problem

Bryan Kadzban bryan at kadzban.is-a-geek.net
Wed Jun 13 07:12:55 EDT 2007



shantanu choudhary wrote:
> root.pem is the CA certificate, which is self-signed, and shan.pem is the
> client certificate signed by this root.pem, or I can say from the same CA.

That sounds like it should be OK.  But what CA has signed your RADIUS
server's certificate?  If it's a different CA than root.pem, then you
need to put that CA's cert into the ca_cert option.

In other words, I don't think there's a problem with your *client's*
cert.  I think there's a problem with your *server's* cert.

> Yesterday, to make it work, I just copied this root.pem to
> /etc/pki/tls/certs/. After that my client-side program stops after
> showing this; before this it was showing that error of failed
> verification.

I think you probably need to remove this file from that directory then,
to stop it from segfaulting.  If anything should go in that directory,
it should be the RADIUS server's cert -- but it would be better to use
the ca_cert option instead.  That way you don't add extra certs to the
list that your browser trusts (for instance).

> Now, sir, I tried EAP-TTLS with MD5 for phase two along with the same
> root certificate; there I am getting a success message and getting
> connected.

I assume you had to change the RADIUS configuration before doing this,
right?  Depending on which RADIUS server you're using, you may want to
double-check that it's using the same cert for TTLS as it's using for TLS.

If it is using the same cert for both, then the problem isn't that cert
or the way the client trusts it.  In that case, I'm not sure what's
going on.  Maybe you've already done this, but it may help to post a
higher-debug-level output from one of these TLS sessions where it gives
you the verification error.  Add -dd to the wpa_supplicant command line.

(I probably won't be able to figure out what's going on, but others might.)

> Why am I getting success in EAP-TTLS and a segmentation fault in
> EAP-TLS, where my client is failing at a spot which I can cross with
> the other configuration?

Not sure on the segfault, but if removing your root.pem from the pki
directory fixes it, I'd say do that.  As for why TTLS works and TLS
doesn't, one possible reason (detailed above) is the server cert.  Not
sure of any other possible reasons.
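The check suggested in the reply above (does the RADIUS server's certificate actually chain to root.pem, and if not, which CA does it chain to?) can be scripted with openssl before touching wpa_supplicant at all. The script below is an added example, not code from this thread or from the hostap project. It builds a throwaway PKI in a temporary directory that reproduces the situation described: a client cert (shan.pem) issued by root.pem, and a RADIUS server cert issued by a different CA. The file names root.pem, shan.pem, radius-ca.pem and radius.pem, the SSID and the identity are all made up for the demo; the wpa_supplicant.conf keys it prints (eap, ca_cert, client_cert, private_key, identity, key_mgmt) are the real option names.

```sh
#!/bin/sh
# Added example, not from the thread or from hostap: reproduce "client cert
# signed by root.pem, RADIUS server cert signed by some other CA" with a
# throwaway PKI, and show which file ca_cert has to point at.
# All file names, the SSID and the identity below are made up for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the CA gets CA:TRUE no matter what the system
# openssl.cnf says (and so the demo does not depend on one existing at all).
cat > "$WORK/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
printf 'basicConstraints = CA:FALSE\n' > "$WORK/leaf.ext"

# make_ca NAME: self-signed CA cert $WORK/NAME.pem with key $WORK/NAME.key
make_ca() {
    openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
        -days 30 -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
        >/dev/null 2>&1
}

# make_leaf CA NAME: end-entity cert $WORK/NAME.pem issued by $WORK/CA.pem
make_leaf() {
    openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$2" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 30 -in "$WORK/$2.csr" -CA "$WORK/$1.pem" \
        -CAkey "$WORK/$1.key" -CAcreateserial -extfile "$WORK/leaf.ext" \
        -out "$WORK/$2.pem" >/dev/null 2>&1
}

# chains_to CAFILE CERT: prints "yes" if CERT verifies against CAFILE, else
# "no".  This is the same question wpa_supplicant's TLS library asks about
# the server cert, using whatever ca_cert points at as the trust anchor.
chains_to() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}

# issuer_of CERT: prints the issuer DN, i.e. the CA whose cert belongs in
# ca_cert.  Run this on the RADIUS server's cert when the chain check fails.
issuer_of() {
    openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//'
}

# write_network_block CAFILE CERT KEY: the wpa_supplicant.conf entry for
# EAP-TLS.  ca_cert is the CA that issued the *server* cert; client_cert and
# private_key are the user's own.  Trusting the CA here, per network, keeps
# root.pem out of the system store in /etc/pki/tls/certs.
write_network_block() {
    cat <<EOF
network={
	ssid="example-eap"
	key_mgmt=WPA-EAP
	eap=TLS
	identity="shan"
	ca_cert="$1"
	client_cert="$2"
	private_key="$3"
}
EOF
}

# The situation in the thread: root.pem issued the client cert shan.pem, but
# the RADIUS server's cert (radius.pem) was issued by a different CA.
make_ca root;      make_leaf root shan
make_ca radius-ca; make_leaf radius-ca radius

echo "shan.pem   verifies against root.pem:      $(chains_to "$WORK/root.pem" "$WORK/shan.pem")"
echo "radius.pem verifies against root.pem:      $(chains_to "$WORK/root.pem" "$WORK/radius.pem")"
echo "radius.pem issuer:                         $(issuer_of "$WORK/radius.pem")"
echo "radius.pem verifies against radius-ca.pem: $(chains_to "$WORK/radius-ca.pem" "$WORK/radius.pem")"
echo
write_network_block "$WORK/radius-ca.pem" "$WORK/shan.pem" "$WORK/shan.key"
```

On a real deployment, point chains_to at root.pem and at the certificate the RADIUS server presents; if it prints "no", issuer_of on that certificate names the CA whose cert belongs in ca_cert. With an OpenSSL-based wpa_supplicant, the -dd output mentioned above also logs the subject of each certificate in the server's chain as it is checked, which gives the same answer from the live EAP-TLS exchange.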



More information about the HostAP mailing list