Problem authenticating WPA2 network: OpenSSL rejects certificate

Berend Dekens wpa at
Wed Oct 6 08:23:30 EDT 2010

 On 06/10/10 13:45, Berend Dekens wrote:
>  On 05/10/10 20:31, Jouni Malinen wrote:
>> wpa_supplicant does not have much control on this part when using
>> OpenSSL. Maybe your OpenSSL build has some options that disallow this
>> particular certificate for some reason. For example, disabling use of
>> MD5 as certificate hash algorithm would be good from a security
>> viewpoint, but it would result in a number of interop issues with old
>> root certificates that are still in use.
> I verified the certificate with openssl and rebuilt openssl with every
> option available (and of course recompiled wpa_supplicant afterwards).
> Nothing helped.
> This bug is known in Ubuntu as
> and others have it as well. This Italian user found the same 'solution'
> as I did: disable the verification altogether by removing the ca_cert
> option:
> Since OpenSSL attempts to verify the certificate itself (which is
> impossible as it is the root CA), it looks to me like a bug in
> wpa_supplicant or OpenSSL. Afaik it is impossible to verify a root CA
> certificate as there is nobody able to 'claim' the certificate as being
> signed by them.
I just found a solution after I found out that OpenSSL is preferred over
GnuTLS (when available). Since OpenSSL kept throwing a tantrum, I
decided to disable OpenSSL entirely and include GnuTLS instead.

Lo and behold: it works! So I'd say there is some serious problem in
OpenSSL that prevents root certificates being accepted as such. Is this
a known issue?

Berend Dekens
