
Opened 6 years ago

Last modified 4 years ago

#11111 new defect

wpa_supplicant and 802.1X authentication with certificate fails with internal TLS provider

Reported by: josias@…
Owned by: developers
Priority: response-needed
Milestone: Barrier Breaker 14.07
Component: packages
Version: 10.03.1
Keywords: wpa_supplicant tls
Cc:

Description

A wired 802.1X authentication with wpa_supplicant 2.0 devel fails with the following error:

X509: Validate certificate chain

X509: 0: C=DE, ST=Bayern, L=Muenchen, O=Leibniz-Rechenzentrum, CN=radius.lrz-muenchen.de

X509: Certificate chain issuer name mismatch

X509: cert issuer: C=DE, ST=Bayern, L=Muenchen, O=Leibniz-Rechenzentrum, OU=LRZ-CA, CN=LRZ-CA - G01/emailAddress=pki@lrz-muenchen.de

X509: next cert subject: C=DE, O=Deutsche Telekom AG, OU=T-TeleSec Trust Center, CN=Deutsche Telekom Root CA 2

TLSv1: Server certificate chain validation failed (reason=5)

TLSv1: Send Alert(2:46)

The certificate is correct and the root-certificate is set in the config file.

After compiling wpa_supplicant with OpenSSL as the TLS provider, the authentication works fine with the same config file.

Obviously there is a bug in the internal TLSv1.
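The log above is worth reading closely. The validator prints the leaf's issuer (LRZ-CA - G01) and then the subject of the next certificate it was handed (Deutsche Telekom Root CA 2); those two names differ, so the chain breaks at the first link, and the client sends TLS alert 2:46, a fatal certificate_unknown. One plausible reading, which is an inference and not something the ticket states, is that the RADIUS server sends only the leaf and the root without the LRZ-CA intermediate: a validator that only walks the chain exactly as presented fails, while one that can pull the missing issuer from its local store succeeds. The following is an added example, not wpa_supplicant's code, that models just the subject/issuer linkage step of a chain walk with both behaviours side by side; the distinguished names are copied from the debug output, the intermediate certificate and its issuer are assumptions (the ticket never shows it), and signatures, validity periods and extensions are deliberately not modelled.

```python
"""Model of the subject/issuer linkage step of an X.509 chain walk.

Illustrative code written for this ticket, not wpa_supplicant's internal TLS
implementation. Only name linkage is checked: no signatures, no validity
periods, no extensions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str


# Distinguished names as printed by the debug output in the ticket.
SERVER = Cert(
    subject="C=DE, ST=Bayern, L=Muenchen, O=Leibniz-Rechenzentrum, CN=radius.lrz-muenchen.de",
    issuer="C=DE, ST=Bayern, L=Muenchen, O=Leibniz-Rechenzentrum, OU=LRZ-CA, "
           "CN=LRZ-CA - G01/emailAddress=pki@lrz-muenchen.de",
)
ROOT = Cert(
    subject="C=DE, O=Deutsche Telekom AG, OU=T-TeleSec Trust Center, CN=Deutsche Telekom Root CA 2",
    issuer="C=DE, O=Deutsche Telekom AG, OU=T-TeleSec Trust Center, CN=Deutsche Telekom Root CA 2",
)
# Assumed intermediate: the ticket never shows it. That it is issued by the
# Telekom root is an assumption made only so the example chain can close.
INTERMEDIATE = Cert(subject=SERVER.issuer, issuer=ROOT.subject)

TRUSTED = {ROOT.subject}  # constructed trust store: the configured ca_cert


def validate_strict(chain, trusted):
    """Walk the chain exactly as presented: each cert's issuer must equal the
    next cert's subject, and the last cert must chain to a trusted anchor.
    Returns (ok, reason)."""
    if not chain:
        return False, "empty chain"
    for i in range(len(chain) - 1):
        if chain[i].issuer != chain[i + 1].subject:
            return False, (
                f"issuer name mismatch at {i}: cert issuer '{chain[i].issuer}' "
                f"!= next cert subject '{chain[i + 1].subject}'"
            )
    last = chain[-1]
    if last.subject in trusted or last.issuer in trusted:
        return True, "ok"
    return False, f"no trusted anchor for '{last.issuer}'"


def validate_with_store(chain, trusted, store):
    """Same walk, but when the presented chain skips a cert, fill the gap from a
    local store of extra certificates indexed by subject. Returns (ok, reason)."""
    if not chain:
        return False, "empty chain"
    path = [chain[0]]
    remaining = list(chain[1:])
    seen = set()
    while True:
        cur = path[-1]
        if cur.subject in trusted or cur.issuer in trusted:
            return True, "ok via " + " -> ".join(c.subject for c in path)
        if cur.subject in seen:
            return False, f"loop at '{cur.subject}'"
        seen.add(cur.subject)
        if remaining and remaining[0].subject == cur.issuer:
            path.append(remaining.pop(0))      # presented chain links correctly
        elif cur.issuer in store:
            path.append(store[cur.issuer])     # gap filled from the local store
        else:
            return False, f"cannot find issuer '{cur.issuer}'"


if __name__ == "__main__":
    presented = [SERVER, ROOT]  # what the ticket's log suggests the server sent
    print(validate_strict(presented, TRUSTED))
    print(validate_with_store(presented, TRUSTED, {INTERMEDIATE.subject: INTERMEDIATE}))
    print(validate_strict([SERVER, INTERMEDIATE, ROOT], TRUSTED))
```

With the two-certificate chain the strict walk reports an issuer name mismatch, mirroring the log; once the intermediate is either presented by the server or available locally, both walks succeed. The practical check this suggests, independent of which TLS library is built in, is to confirm which certificates the RADIUS server actually sends and whether the configured ca_cert file contains the intermediate as well as the root.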

Attachments (0)

Change History (8)

comment:1 Changed 6 years ago by nbd

  • Priority changed from normal to response-needed

The reason seems to be X509_VALIDATE_CERTIFICATE_EXPIRED - are you sure your system date/time are set correctly?

comment:2 Changed 6 years ago by josias@…

Yes, date shows the correct time.
When I change the system date to an invalid date, the error message is different (certificate expired).

comment:3 Changed 6 years ago by nbd

please try latest trunk to see if the issue is still there

comment:4 follow-up: Changed 6 years ago by josias@…

I tried the latest trunk (r31761).

Still the same problem:

~# wpa_supplicant -D wired -dd -i eth0.2 -c /etc/config/wpa.conf
Successfully initialized wpa_supplicant
eth0.2: Associated with 01:80:c2:00:00:03
eth0.2: CTRL-EVENT-EAP-STARTED EAP authentication started
eth0.2: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21 -> NAK
eth0.2: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
eth0.2: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
eth0.2: CTRL-EVENT-EAP-FAILURE EAP authentication failed

Unfortunately there is no precise error message, because the "-dd" option seems to be broken.

comment:5 in reply to: ↑ 4 Changed 4 years ago by Vitamin

I have the same problem with both the 10.03.1 and 12.09 versions (-dd is not working for me in 12.09 either). I'm using a WRT160NL.

Can you please explain to me how to compile wpa_supplicant with OpenSSL as the TLS provider?
I don't have any experience with compiling...

comment:6 follow-up: Changed 4 years ago by Vitamin

I ended up doing a whole OpenWrt build with OpenSSL as the TLS provider for wpa_supplicant. The connection now works.

comment:7 in reply to: ↑ 6 Changed 4 years ago by DemonDomen

Since you managed to solve the problem, would you mind sharing a tutorial or guide that you followed to build wpa_supplicant?

EDIT: http://wiki.openwrt.org/doc/howto/build, using "make menuconfig" and changing the TLS provider to OpenSSL.

Last edited 4 years ago by DemonDomen

comment:8 Changed 4 years ago by jow

  • Milestone changed from Attitude Adjustment 12.09 to Barrier Breaker 14.07

Milestone Attitude Adjustment 12.09 deleted
