Problem authenticating WPA2 network: OpenSSL rejects certificate

Berend Dekens wpa at cyberwizzard.nl
Wed Oct 6 08:23:30 EDT 2010


 On 06/10/10 13:45, Berend Dekens wrote:
>  On 05/10/10 20:31, Jouni Malinen wrote:
>> wpa_supplicant does not have much control on this part when using
>> OpenSSL.. Maybe your OpenSSL build has some options that disallows this
>> particular certificate for some reason. For example, disabling use of
>> MD5 as certificate hash algorithm would be good from security view
>> point, but it would result in number of interop issues with old root
>> certificates that are still in use.
> I verified the certificate with openssl and rebuild openssl with every
> option available (and ofcourse recompiled wpa_supplicant afterwards).
> Nothing helped.
>
> This bug is known in Ubuntu as
> https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/284409
> and others have it as well. This italian user found the same 'solution'
> as I did: disable the verification altogether by removing the ca_cert
> option: http://www.slacky.eu/forum/viewtopic.php?p=232793
>
> Since OpenSSL attempts to verify the certificate itself (which is
> impossible as it is the root CA), it looks to me like a bug in
> wpa_supplicant or OpenSSL. Afaik it is impossible to verify a root CA
> certificate as there is nobody able to 'claim' the certificate as being
> signed by them.
> _______________________________________________
> HostAP mailing list
> HostAP at lists.shmoo.com
> http://lists.shmoo.com/mailman/listinfo/hostap
I just found a solution after I found out that OpenSSL is preferred over
GnuTLS (when available). Since OpenSSL kept throwing a tantrum, I
decided to disable OpenSSL entirely and include GnuTLS instead.

Lo and behold: it works! So I'd say there is some serious problem in
OpenSSL that prevents root certificates being accepted as such. Is this
a known issue?

Regards,
Berend Dekens


More information about the HostAP mailing list