wpa_supplicant using EAP-TTLS problem

王奕元 dadai.cm91 at gmail.com
Thu Nov 8 02:18:55 EST 2007


As you say,
I don't have a CA file.
What should I do if I use EAP-TTLS authentication?
Now I'm blocked by the ca.pem problem.

I have tried four methods.
First,
I just created the /etc/certs directory, without ca.pem in it.
The result is:
 OpenSSL: tls_connection_ca_cert - Failed to load root certificates
error:02001002:system library:fopen:No such file or directory
OpenSSL: pending error: error:2006D080:BIO routines:BIO_new_file:no such
file
OpenSSL: pending error: error:0B084002: x509 certificate
routines:X509_load_cert_crl_file:system lib
OpenSSL: tls_load_ca_der - Failed load CA in DER format
error:02001002:system library:fopen:No such file of directory
OpenSSL: pending error: error:20074002:BIO routines:FILE_CTRL:system lib
OpenSSL: pending error: error:0B06F002:x509 certificate
routines:X509_load_cert_file:system lib
TLS: Failed to set TLS connection parameters
EAP-TTLS: Failed to initialize SSL.

Second,
I created an empty file named ca.pem and placed it in /etc/certs/.
The result is:
OpenSSL: tls_connection_ca_cert - Failed to load root certificates
error:00000000:lib(0):func(0):reason(0)
OpenSSL: tls_load_ca_der - Failed load CA in DER format error:0D07207B:asn1
encoding routines:ASN1_get_object:header too long
OpenSSL: pending error: error:0B06F00D:x509 certificate
routines:X509_load_cert_file:ASN1 lib
 TLS: Failed to set TLS connection parameters
EAP-TTLS: Failed to initialize SSL.

Third,
I copied the /usr/share/doc/perl-IO-Socket-SSL-1.01/certs/my-ca.pem to
/etc/certs/
and the result is:
TLS: Certificate verification failed. error 19 (self signed certificate in
certificate chain) depth 1 for '/C=CA/ST=Province/L=Some
City/0=0rganization/OU=localhost/CN=Client
certificate/emailAddress=client at example.com'
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
OpenSSL: tls_connection_handshake - SSL_connect error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
CTRL-EVENT-EAP-FAILURE EAP authentication failed

Fourth,
I copied the RADIUS Server's certs/demoCA/cacert.pem, and placed it in my
host's /etc/certs
and the result is:
TLS: Certificate verification failed, error 10 (certificate has expired)
depth 1 for '/C=CA/ST=Province/L=Some
City/O=Organization/OU=localhost/CN=Client
certificate/emailAddress=client at example.com'
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:certificate
expired
OpenSSL: tls_connection_handshake - SSL_connect error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
CTRL-EVENT-EAP-FAILURE EAP authentication failed
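
The four attempts above fail at two different stages: the first two never load ca.pem, while the last two get as far as the TLS handshake and fail chain verification. The following is an added example (not part of the original post and not wpa_supplicant code) that sorts such output into those stages; the function name `triage` is hypothetical and the sample strings are constructed from excerpts of the log lines quoted above.

```python
import re

# OpenSSL X509_V_ERR_* names for the two verify codes that appear in the post.
VERIFY_NAMES = {10: "CERT_HAS_EXPIRED", 19: "SELF_SIGNED_CERT_IN_CHAIN"}
# The post shows both "failed. error 19" and "failed, error 10".
VERIFY_RE = re.compile(
    r"Certificate verification failed[.,] error (\d+) \(([^)]*)\) depth (\d+)")

def triage(log):
    """Sort wpa_supplicant TLS output into load-time vs. verify-time failures."""
    flat = " ".join(log.split())  # undo the mail client's line wrapping
    m = VERIFY_RE.search(flat)
    if m:  # the handshake ran and the server's chain was rejected
        code = int(m.group(1))
        return {"stage": "verify", "code": code,
                "name": VERIFY_NAMES.get(code, "OTHER"),
                "reason": m.group(2), "depth": int(m.group(3))}
    if "Failed to load root certificates" in flat:  # no handshake attempted
        if "fopen:No such file" in flat:
            cause = "ca_cert path does not exist"
        elif "ASN1" in flat:
            cause = "ca_cert file holds no parsable certificate"
        else:
            cause = "unrecognised load error"
        return {"stage": "load", "cause": cause}
    return {"stage": "unknown"}

# Constructed samples: excerpts of the output quoted above, wrapping preserved.
ATTEMPTS = [
    "OpenSSL: tls_connection_ca_cert - Failed to load root certificates\n"
    "error:02001002:system library:fopen:No such file or directory\n",
    "OpenSSL: tls_connection_ca_cert - Failed to load root certificates\n"
    "error:00000000:lib(0):func(0):reason(0)\n"
    "OpenSSL: tls_load_ca_der - Failed load CA in DER format error:0D07207B:asn1\n"
    "encoding routines:ASN1_get_object:header too long\n",
    "TLS: Certificate verification failed. error 19 (self signed certificate in\n"
    "certificate chain) depth 1\n",
    "TLS: Certificate verification failed, error 10 (certificate has expired)\n"
    "depth 1\n",
]

if __name__ == "__main__":
    for n, log in enumerate(ATTEMPTS, 1):
        print(n, triage(log))
```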