HostAP EAP-TLS

[why]

 Hi,all. I want to use hostap for WPA EAP-TLS. Here is my .conf file:
interface=wlan3
bridge=br0
driver=nl80211
ssid=NormalAP
hw_mode=g
channel=13
ieee8021x=1
eapol_version=1
eap_server=1
eap_user_file=/home/wlan/wlan/hostapd-wpa-tls-tkip/hostapd/hostapd-ap.eap_user
ca_cert=/etc/ssl/demoCA/newcerts/cacert.pem
server_cert=/etc/ssl/demoCA/newcerts/APcert.pem
private_key=/etc/ssl/demoCA/newcerts/serverkey.prv
private_key_passwd=wlanwlan
#dh_file=/etc/ssl/hostapd.dh.pem
wpa=1
wpa_key_mgmt=WPA-EAP
wpa_pairwise=TKIP

But the hostap can not derive the key, here is the error message:
 EAP-TLS: CONTINUE -> SUCCESS
EAP: EAP entering state SEND_REQUEST
EAP: EAP entering state IDLE
EAP: retransmit timeout 3 seconds (from dynamic back off; retransCount=0)
IEEE 802.1X: 00:14:78:71:42:67 BE_AUTH entering state REQUEST
wlan3: STA 00:14:78:71:42:67 IEEE 802.1X: Sending EAP Packet (identifier 166)
IEEE 802.1X: 00:14:78:71:42:67 TX status - version=1 type=0 length=49 - ack=1
IEEE 802.1X: 10 bytes from 00:14:78:71:42:67
   IEEE 802.1X: version=1 type=0 length=6
EAP: code=2 identifier=166 length=6
 (response)
wlan3: STA 00:14:78:71:42:67 IEEE 802.1X: received EAP packet (code=2 id=166 len=6) from STA: EAP Response-TLS (13)
IEEE 802.1X: 00:14:78:71:42:67 BE_AUTH entering state RESPONSE
EAP: EAP entering state RECEIVED
EAP: parseEapResp: rxResp=1 respId=166 respMethod=13 respVendor=0 respVendorMethod=0
EAP: EAP entering state INTEGRITY_CHECK
EAP: EAP entering state METHOD_RESPONSE
SSL: Received packet(len=6) - Flags 0x00
SSL: Received packet: Flags 0x0 Message Length 0
EAP-TLS: Client acknowledged final TLS handshake message
EAP-TLS: Failed to derive key

I use similiar conf file for the WPA2 EAP-TLS, it is OK. Where is problem? Thank you!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.shmoo.com/pipermail/hostap/attachments/20120523/d13ce4ae/attachment.htm