Problem authenticating WPA2 network: OpenSSL rejects certificate

Berend Dekens wpa at cyberwizzard.nl
Tue Oct 5 08:13:10 EDT 2010


 I am using a university network called Eduroam which is a WPA2 network
with EAP and TTLS and PAP inner authentication. When I provide the
ca_cert (and/or ca_cert2) option, WPA supplicant fails:

Trying to associate with 00:1c:58:f1:52:02 (SSID='eduroam' freq=2437 MHz)
Associated with 00:1c:58:f1:52:02
CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected
TLS: Certificate verification failed, error 19 (self signed certificate
in certificate chain) depth 2 for '/C=US/O=GTE Corporation/OU=GTE
CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root'
CTRL-EVENT-EAP-TLS-CERT-ERROR reason=1 depth=2 subject='/C=US/O=GTE
Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global
Root' err='self signed certificate in certificate chain'
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
OpenSSL: openssl_handshake - SSL_connect error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
CTRL-EVENT-EAP-FAILURE EAP authentication failed

When I omit the option, authentication works as expected:

CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected
CTRL-EVENT-EAP-PEER-CERT depth=2 subject='/C=US/O=GTE Corporation/OU=GTE
CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root'
CTRL-EVENT-EAP-PEER-CERT depth=2 subject='/C=US/O=GTE Corporation/OU=GTE
CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root'
CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/O=Cybertrust
Inc/CN=Cybertrust SureServer Standard Validation CA'
CTRL-EVENT-EAP-PEER-CERT depth=0
subject='/C=NL/ST=OV/L=Enschede/O=University of
Twente/OU=ICTS/emailAddress=radius-certificate at utwente.nl/CN=radius.utwente.nl'
CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
WPA: Key negotiation completed with 00:07:0e:15:a7:41 [PTK=CCMP GTK=TKIP]
CTRL-EVENT-CONNECTED - Connection to 00:07:0e:15:a7:41 completed (auth)
[id=4 id_str=]

The problem is that the GUI always inserts the ca_cert value so I am
currently forced to set up my wifi by hand.

I am confused as to what is failing; according to the manual, the
ca_cert should point to a folder or file holding the trusted CA. So why
is wpa_supplicant complaining about not being able to validate the
certificate? It *is* the CA...

I tried setting the ca_cert value to the system cert folder, the
explicit certificate (GTE_CyberTrust_Global_Root.pem) or any of the CA
bundles I could find on my computer. Nothing works.

Is this a bug in wpa_supplicant or am I setting it up wrong?

FYI: The GUI I would otherwise use is the NetworkManager applet from KDE
4.5.1.

Regards,
Berend Dekens
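Added example, not part of the post: a self-contained script that reproduces the OpenSSL "error 19" from the log with a constructed three-tier chain, using openssl verify's -CAfile as the stand-in for wpa_supplicant's ca_cert and -untrusted as the chain the RADIUS server presents; it assumes only the openssl command-line tool (1.1.0 or later), and every certificate name in it is made up.

```shell
#!/bin/sh
# Constructed demo, not from the post: reproduce OpenSSL verify error 19
# ("self signed certificate in certificate chain") with a made-up three-tier
# chain. -CAfile stands in for wpa_supplicant's ca_cert=; -untrusted stands in
# for the chain the RADIUS server presents during the EAP-TTLS handshake.
set -e
WORK=$(mktemp -d); cd "$WORK"
# Minimal OpenSSL config: no DN prompts, plus an extension section for CA certs
printf '[req]\ndistinguished_name=dn\n[dn]\n[caext]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign\n' > ca.cnf
NEWKEY='-newkey rsa:2048 -nodes -config ca.cnf'
# Root CA (self-signed) -> intermediate CA -> RADIUS server leaf
openssl req -x509 $NEWKEY -extensions caext -days 2 -subj '/CN=Demo Root CA' \
        -keyout root.key -out root.pem 2>/dev/null
openssl req -new $NEWKEY -subj '/CN=Demo Intermediate CA' -keyout ica.key -out ica.csr 2>/dev/null
openssl x509 -req -days 2 -in ica.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -extfile ca.cnf -extensions caext -out ica.pem 2>/dev/null
openssl req -new $NEWKEY -subj '/CN=radius.example.test' -keyout srv.key -out srv.csr 2>/dev/null
openssl x509 -req -days 2 -in srv.csr -CA ica.pem -CAkey ica.key -CAcreateserial -out srv.pem 2>/dev/null
# An unrelated self-signed root: stands in for a CA file or bundle that lacks the real root
openssl req -x509 $NEWKEY -extensions caext -days 2 -subj '/CN=Unrelated Root' \
        -keyout other.key -out other_root.pem 2>/dev/null
# What the server sends alongside its own certificate: intermediate plus root
# (as in the log, where the GTE root shows up at depth 2) or intermediate only
cat ica.pem root.pem > chain_with_root.pem
cp ica.pem chain_no_root.pem

# Print the OpenSSL X509 verify error number for srv.pem (0 = chain validated).
# $1: trust store file (the ca_cert= value)   $2: chain file presented by the server
# -no-CApath keeps the system cert directory out of it, as wpa_supplicant trusts only ca_cert
verify_code() {
  out=$(openssl verify -no-CApath -CAfile "$1" -untrusted "$2" srv.pem 2>&1) && { echo 0; return 0; }
  echo "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}

# ca_cert holds the real root: validates whether or not the server sends the root itself
verify_code root.pem chain_with_root.pem        # 0
verify_code root.pem chain_no_root.pem          # 0
# ca_cert lacks the real root while the server sends it: error 19, the failure in the log
verify_code other_root.pem chain_with_root.pem  # 19
# ca_cert lacks the root and the server does not send it: error 20 instead
verify_code other_root.pem chain_no_root.pem    # 20
```

The 19-versus-20 distinction is the useful diagnostic: 19 means the self-signed root at the top of the presented chain was seen but matched nothing in the trust file, so checking that file's root fingerprint against the depth-2 subject in the log is the first thing to compare.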
