wpa_supplicant using EAP-TTLS problem

Bryan Kadzban bryan at kadzban.is-a-geek.net
Fri Nov 9 18:34:27 EST 2007


王奕元 wrote:
> Following are my steps:
> [at RADIUS SERVER]
> # openssl genrsa 1024 > host.key
> # openssl req  -new -x509 -nodes -days 1000 -key host.key > host.cert
> Then, I fill in my information.
> # copy host.cert /usr/local/etc/raddb/certs/demoCA/capert.pem

So far so good, I think...

> [at host]
> I copy the host.cert from RADIUS SERVER.
> # cp host.cert /etc/certs/ca.pem
> # wpa_supplicant -i ath0 -c eap-ttls.conf

I assume your eap-ttls.conf file listed /etc/certs/ca.pem as the ca_cert
option, right?

> Then, the screen shows error message:
> TLS: Certificate verification failed, error 20 (unable to get local issuer
> certificate) depth 0 for '/C=CA/ST=Province/L=Some
> City/O=Organization/OU=localhost/CN=root
> certificate/emailAddress=root at example.com'

Can you post more of the output?  Run wpa_supplicant with the -dd option
as well, and post the whole thing.

> I had checked my certificates by "openssl verify -issuer_checks ca.pem",
> both RADIUS SERVER and host have the same result.
> The result is:
> ca.pem:
> /C=TW/ST=Taiwan/L=Chiayi/O=CN/CN=dadai/emailAddress=testuser at example.org
> error 18 at 0 depth lookup:self signed certificate
> OK

That's not the same cert as the one that wpa_supplicant is getting.  The
country is set to TW here, while the cert DN that wpa_supplicant printed
has the country set to CA.  Do you have to restart the RADIUS server to
get it to re-read the cert, perhaps?  Or did you expect the DN to start
with "C=CA"?

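The DN comparison made in the reply above, as an added example that is not part of the original message and is not wpa_supplicant or OpenSSL code: it extracts the DN from the wpa_supplicant error line and from the `openssl verify` output and lists every attribute that differs. The function names are hypothetical, and the sample strings are the two outputs quoted in the thread with the quote prefixes and e-mail line wrapping removed (the "Some City" join is an assumption).

```python
import re

# Constructed sample input: the two outputs quoted in the thread, unwrapped.
WPA_LOG = ("TLS: Certificate verification failed, error 20 (unable to get local "
           "issuer certificate) depth 0 for '/C=CA/ST=Province/L=Some City/"
           "O=Organization/OU=localhost/CN=root certificate/"
           "emailAddress=root at example.com'")
VERIFY_OUT = ("ca.pem:\n"
              "/C=TW/ST=Taiwan/L=Chiayi/O=CN/CN=dadai/"
              "emailAddress=testuser at example.org\n"
              "error 18 at 0 depth lookup:self signed certificate\nOK\n")

def parse_dn(dn):
    """Split an OpenSSL one-line DN ('/C=TW/ST=Taiwan/...') into (attr, value) pairs."""
    pairs = []
    # Split only on a '/' that starts a new 'attr=' so values may contain '/'.
    for part in re.split(r"/(?=[A-Za-z0-9.]+=)", dn.strip()):
        if part:
            attr, _, value = part.partition("=")
            pairs.append((attr, value))
    return pairs

def dn_from_wpa_log(text):
    """DN of the certificate named in wpa_supplicant's verification error, or None."""
    m = re.search(r"Certificate verification failed.*?depth \d+ for '([^']*)'",
                  text, re.S)
    return m.group(1) if m else None

def dn_from_verify(text):
    """First line of 'openssl verify' output that looks like a one-line DN, or None."""
    for line in text.splitlines():
        if line.startswith("/") and "=" in line:
            return line
    return None

def dn_diff(presented, trusted):
    """Attributes whose values differ, as {attr: (presented, trusted)}.
    Simplification: a repeated attribute (e.g. two OU fields) keeps its last value."""
    a, b = dict(parse_dn(presented)), dict(parse_dn(trusted))
    return {k: (a.get(k), b.get(k))
            for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}

if __name__ == "__main__":
    diff = dn_diff(dn_from_wpa_log(WPA_LOG), dn_from_verify(VERIFY_OUT))
    for attr, (got, want) in diff.items():
        print(f"{attr}: server presented {got!r}, ca.pem has {want!r}")
```

An empty result means the two DNs agree; any entry means the file configured as `ca_cert` is not the certificate the RADIUS server is presenting.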
