Problem authenticating WPA2 network: OpenSSL rejects certificate

Jouni Malinen j at w1.fi
Tue Oct 5 08:32:31 EDT 2010


On Tue, Oct 05, 2010 at 02:13:10PM +0200, Berend Dekens wrote:
>  I am using a university network called Eduroam which is a WPA2 network
> with EAP and TTLS and PAP inner authentication. When I provide the
> ca_cert (and/or ca_cert2) option, WPA supplicant fails:

ca_cert2 would not be applicable for EAP-TTLS/PAP.

> SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
> OpenSSL: openssl_handshake - SSL_connect error:14090086:SSL

Are you sure the certificate you configured is the correct one for the
chain used for the authentication server certificate?

> The problem is that the GUI always inserts the ca_cert value so I am
> currently forced to set up my wifi by hand.

Well, that is not the problem.. Not setting ca_cert would be a problem
since with that, the server would not get authenticated at all and you
could as well be sending out your username/password in clear to anyone
who asks..

> I am confused as to what is failing, according to the manual, the
> ca_cert should point to a folder or file holding the trusted CA. So why
> is wpa_supplicant complaining about not being able to validate the
> certificate? It *is* the CA...

It sounds like the certificate file you are using may not match with the
certificate chain provided by the authentication server. Without seeing
the actual certificates, it is difficult to say whether that is indeed
the case, though.

-- 
Jouni Malinen                                            PGP id EFC895FA
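
A way to test for the mismatch discussed in the reply above, as an added example that is not part of the original message: given the CA file that ca_cert points at and the authentication server's certificate as a PEM file (obtaining that file is assumed), `openssl verify` shows whether one chains to the other. The throwaway PKI, file names and function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example. All file names and subjects below are constructed.

# Build a throwaway PKI in $1: two unrelated self-signed CAs ("right" and
# "wrong") and one server certificate issued by the "right" CA.
make_demo_pki() {
    dir=$1
    for ca in right wrong; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=demo-$ca-ca" \
            -keyout "$dir/$ca-ca.key" -out "$dir/$ca-ca.pem" 2>/dev/null || return 1
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=radius.example.invalid" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/server.csr" -days 1 -CAcreateserial \
        -CA "$dir/right-ca.pem" -CAkey "$dir/right-ca.key" \
        -out "$dir/server.pem" 2>/dev/null
}

# Return 0 only if server cert $2 chains to the CA file $1 (the file ca_cert
# would point at). Optional $3: PEM file of intermediates sent by the server.
# -no-CApath keeps the system trust directory out of the decision.
ca_matches_server() {
    if [ -n "${3:-}" ]; then
        openssl verify -no-CApath -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# Print issuer and subject, the first thing to compare by eye.
show_names() {
    openssl x509 -in "$1" -noout -issuer -subject
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_demo_pki "$tmp" || { rm -rf "$tmp"; return 1; }
    show_names "$tmp/server.pem"
    for ca in right wrong; do
        if ca_matches_server "$tmp/$ca-ca.pem" "$tmp/server.pem"; then
            echo "$ca-ca.pem: server certificate verifies"
        else
            echo "$ca-ca.pem: no match, handshake would fail"
        fi
    done
    rm -rf "$tmp"
}
demo
```

The issuer line printed for the server certificate should name the subject of the CA file being configured; if it names something else, the file is the wrong trust anchor for that server.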

