<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Tahoma
}
--></style>
</head>
<body class='hmmessage'>
Hello Malinen,<BR>
Thank you for your reply.<BR>
The hostapd version I used is 0.6.9, and the version of openssl is 0.9.8i. How can I confirm whether SHA256 is enabled or not?<BR>
I will use the newer openssl to try. <BR>
But I'm confused that freeradius 2.1.6 combined with openssl 0.9.8i is OK for EAP-TLS.<BR>
<BR>
Regards,<BR>
Yan<BR>
<BR>
<BR> <BR>
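One way to narrow down the question above, as an added example that is not part of the original e-mail or of hostapd: read the signature algorithm out of each certificate in the chain and compare its digest with the digests the verifying TLS library has enabled. The certificate bytes are constructed DER skeletons, and the names <code>skeleton</code>, <code>CHAIN</code>, <code>ENABLED</code> and <code>unsupported</code> are assumptions made for illustration.<BR>

```python
# Added example. The certificates below are constructed DER skeletons, not the
# chain from the thread, and ENABLED is an assumed digest set for the server.
SIG_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "md5"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "sha1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "sha256"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "sha256"),
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length >= 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def decode_oid(body):
    """Decode the content bytes of a DER OBJECT IDENTIFIER to dotted form."""
    subs, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if b < 0x80:  # high bit clear marks the last byte of a subidentifier
            subs.append(val)
            val = 0
    first = min(subs[0] // 40, 2)
    return ".".join(map(str, [first, subs[0] - 40 * first] + subs[1:]))

def signature_digest(der):
    """Return (signature algorithm, digest name) of a DER certificate."""
    tag, start, _ = read_tlv(der, 0)            # Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = read_tlv(der, start)        # skip tbsCertificate
    _, alg_start, _ = read_tlv(der, tbs_end)    # signatureAlgorithm SEQUENCE
    tag, oid_start, oid_end = read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    oid = decode_oid(der[oid_start:oid_end])
    return SIG_OIDS.get(oid, (oid, None))       # unknown OID: digest is None

def unsupported(chain, enabled):
    """List (depth, algorithm) for certificates whose digest is not enabled."""
    return [(depth, name) for depth, der in chain
            for name, digest in [signature_digest(der)] if digest not in enabled]

def skeleton(last):  # constructed stand-in: tbs, AlgorithmIdentifier, BIT STRING
    return bytes.fromhex("30183003020101300d06092a864886f70d0101" + last + "050003020000")

CHAIN = [(2, skeleton("05")), (1, skeleton("0b")), (0, skeleton("05"))]
ENABLED = {"md5", "sha1"}  # assumption: a build with no SHA256 digest enabled
```

For a PEM file, <code>ssl.PEM_cert_to_DER_cert()</code> from the Python standard library yields the DER bytes these functions expect.<BR>
<BR>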
> Date: Sat, 2 Apr 2011 13:51:26 +0300<BR>
> From: j@w1.fi<BR>
> To: hostap@lists.shmoo.com<BR>
> Subject: Re: EAP-TLS server issue<BR>
> <BR>
> On Sat, Apr 02, 2011 at 03:20:56AM +0000, Ñå ÕÅ wrote:<BR>
> > I have a problem about EAP-TLS connection with Hostapd. The error happens when the server verifies<BR>
> > the device certificate.<BR>
> > The log of hostapd is as follows:<BR>
> <BR>
> > TLS: tls_verify_cb - preverify_ok=1 err=0 (ok) depth=2 buf='/C=US/O=WiMAX Forum(R)/CN=WiMAX Forum(R) Device Root - CA1'<BR>
> > TLS: Certificate verification failed, error 7 (certificate signature failure) depth 1 for '/C=CN/O=SyChip Shanghai Co., Ltd./OU=WiMAX Forum(R) Devices/CN=ENG'<BR>
> > SSL: (where=0x4008 ret=0x233)<BR>
> > SSL: SSL3 alert: write (local SSL3 detected an error):fatal:decrypt error<BR>
> > SSL: (where=0x2002 ret=0xffffffff)<BR>
> > SSL: SSL_accept:error in SSLv3 read client certificate B<BR>
> > OpenSSL: tls_connection_server_handshake - SSL_accept error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm<BR>
> > OpenSSL: pending error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned<BR>
> <BR>
> That is OpenSSL saying that it does not support the hash algorithm used<BR>
> in the certificate. Which OpenSSL version are you using? And which<BR>
> hostapd version? At least some version combinations may not enable<BR>
> SHA256-based digests. Newer OpenSSL versions may enable that by default<BR>
> and the current hostapd snapshot is also forcing SHA256 to be enabled.<BR>
> <BR>
> -- <BR>
> Jouni Malinen PGP id EFC895FA<BR>
> _______________________________________________<BR>
> HostAP mailing list<BR>
> HostAP@lists.shmoo.com<BR>
> http://lists.shmoo.com/mailman/listinfo/hostap<BR>
</body>
</html>