Fwd: WPA_SUPPLICANT : Issues with supplicant when TLS configured to internal TLSv1

Jouni Malinen j at w1.fi
Mon Oct 14 13:38:16 EDT 2013

On Tue, Oct 08, 2013 at 11:02:52AM +0530, Karunakar Reddy wrote:
> As per our previous findings came to know that wpa_supplicant has an
> internal TLS support which is enabled when  *CONFIG_TLS* is configured to *
> internal*.Able to set the TLS to internal in config file and build
> it successfully.When tried to associate with an AP which is configured to
> EAP-TLS method, it fails during EAP-TLS conversation.The wpa_supplciant
> fails to send response with
> client_hello handshake message for EAP_START request from AUTHENTICATOR
> (hostapd radius server). From the debug logs  came to know that it is
> failing to parse the private key.We tried changing the formats of the
> certificates(.der and .pem), but didn't help.

The internal TLS implementation has somewhat limited support for
different private key formats. For example, it does not support any of
the legacy OpenSSL formats. What kind of format do you use with DER/PEM
encoding? (E.g., what header info is used in the PEM file?)

> *1381135499.884944: PKCS #8: Expected zero INTEGER in the beginning of
> private key; not found; assume PKCS #8 not used*
> *1381135499.884947: PKCS #8: Expected SEQUENCE (AlgorithmIdentifier) -
> found class 0 tag 0x2; assume encrypted PKCS #8 not used*
> *1381135499.884950: Trying to parse PKCS #1 encoded RSA private key*
> *1381135499.884953: RSA: Expected zero INTEGER in the beginning of private
> key; not found*
> *1381135499.885092: TLSv1: Failed to parse private key*

Those PKCS #8 and #1 would be the alternatives that are supported.. If
you are using something else, that is unlikely to work.

Jouni Malinen                                            PGP id EFC895FA

More information about the HostAP mailing list