On Mon, 8 Aug 2005, Michael Wang wrote:
> On 8/6/05, Shane Stixrud <[EMAIL PROTECTED]> wrote:
> > I am attempting to use xsupplicant to connect my Fedora 4 laptop to an Open
> > / static WEP / EAP-TLS enabled Cisco wireless network with Cisco ACS
> > RADIUS server and a Microsoft CA. Everything works fine if I just use WEP
> > and avoid EAP-TLS.
> >
> > My xsupplicant configuration files seem to be correct, however my
> > authentication requests fail during an OpenSSL handshake to my RADIUS
> > server with the following error:
> >
> > [AUTH TYPE] --- SSL_verify : depth 1
> > [AUTH TYPE] --- SSL_verify error : num=19:self signed certificate in certificate chain:depth=1:/DC=org/DC=vmmc/DC=vmad/CN=vmad1
> > [AUTH TYPE] --- SSL : SSLv3 read server certificate B
> > [AUTH TYPE] --- ALERT : unknown CA
> > [AUTH TYPE] --- SSL : SSLv3 read server certificate B
> > OpenSSL Error -- error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> > Failure!
>
> Look at your eap.conf, section tls, CA_file parameter.
> Is CA_file pointing to the certificate of the CA that signed your user
> certificate?

It seems so:

default
{
  allow_types = eap_tls
  identity = <BEGIN_ID>spgsrs-laptop<END_ID>
  eap_tls {
    user_cert = /etc/xsupplicant/cert.cer
    user_key = /etc/xsupplicant/key.pem
    user_key_pass = <BEGIN_PASS>XXXXXXXXXX<END_PASS>
    root_cert = /etc/xsupplicant/root/vm.pem
    crl_dir = /etc/xsupplicant/crl
    chunk_size = 1398
    random_file = /dev/urandom
  }
}

[EMAIL PROTECTED] ~]# openssl x509 -noout -issuer -in /etc/xsupplicant/root/vm.pem
issuer= /DC=org/DC=vmmc/DC=vmad/CN=vmad1
[EMAIL PROTECTED] ~]# openssl x509 -noout -issuer -in /etc/xsupplicant/key.pem
issuer= /DC=org/DC=vmmc/DC=vmad/CN=vmad1

Thanks,
Shane
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
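
The `openssl x509 -noout -issuer` comparison in the thread matches issuer names only, and a name match does not show that a given root_cert file holds the key that signed a certificate. The script below is an added example, not part of the thread: its function names, file names and DNs are constructed, and it builds a throwaway PKI (including a look-alike CA with the same DN but a different key) to show a check that also verifies the signature with `openssl verify -CAfile`.

```shell
#!/bin/sh
# Added example. Every name, path and DN here is constructed, not from the thread.

# dn subject|issuer FILE: print that DN without the "subject=" / "issuer=" label.
dn() { openssl x509 -noout "-$1" -in "$2" | sed 's/^[a-z]*= *//'; }

# check_trust_anchor ROOT CERT
# 0 ROOT signed CERT            1 ROOT cannot be read as a certificate
# 2 ROOT subject != ROOT issuer (not a root)   3 CERT issuer name != ROOT subject
# 4 names match but the signature does not verify against ROOT's key
check_trust_anchor() {
    root=$1; cert=$2
    openssl x509 -noout -in "$root" 2>/dev/null || return 1
    [ "$(dn subject "$root")" = "$(dn issuer "$root")" ] || return 2
    [ "$(dn issuer "$cert")" = "$(dn subject "$root")" ] || return 3
    # The DN tests above compare strings only; this step checks the signature.
    openssl verify -CAfile "$root" "$cert" 2>&1 | grep -q ': OK$' || return 4
    return 0
}

# make_demo_pki DIR: three self-signed CAs (ca and lookalike share one DN but
# have different keys, other has its own DN) and a leaf signed by ca only.
make_demo_pki() {
    d=$1
    for spec in ca:demo-ca lookalike:demo-ca other:other-ca; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
            -subj "/DC=org/DC=example/CN=${spec#*:}" \
            -keyout "$d/${spec%%:*}.key" -out "$d/${spec%%:*}.pem" \
            2>/dev/null || return 1
    done
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-laptop" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -set_serial 2 -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# Demo run: try each constructed CA as the trust anchor for the same leaf.
demo=$(mktemp -d) && make_demo_pki "$demo" || exit 1
for name in ca lookalike other; do
    rc=0; check_trust_anchor "$demo/$name.pem" "$demo/leaf.pem" || rc=$?
    echo "$name.pem as root_cert for leaf.pem: status $rc"
done
rm -rf "$demo"
```

Status 4 for the look-alike CA is the case an issuer-string comparison cannot detect.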