eapol_test failed, please help

2007-08-24 Thread jinlu8591

I ran the following test on my Red Hat (Fedora 6) server to test eap-tls
(after I started radiusd): 
  
./eapol_test -c ../network -a 127.0.0.1 -p1812 -s secret  -r 1 
  
It failed after some handshake with the server:   
  
... 
EAP: EAP entering state RECEIVED 
EAP: Received EAP-Request id=3 method=13 vendor=0 vendorMethod=0 
EAP: EAP entering state METHOD 
SSL: Received packet(len=213) - Flags 0x80 
SSL: TLS Message Length: 1227 
SSL: (where=0x1001 ret=0x1) 
SSL: SSL_connect:SSLv3 read server hello A 
TLS: Certificate verification failed, error 18 (self signed certificate)
depth 0 for '/C=US/ST=California/L=Oak Park/O=Jins
Company/OU=Engineering/CN=jinlu/[EMAIL PROTECTED]' 
SSL: (where=0x4008 ret=0x230) 
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA 
SSL: (where=0x1002 ret=0x) 
SSL: SSL_connect:error in SSLv3 read server certificate B 
OpenSSL: tls_connection_handshake - SSL_connect error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed 
 
  
The configuration is 

network={ 
  ssid=roofnet 
  key_mgmt=WPA-EAP 
  eap=TLS 
  ca_cert=/etc/pki/CA/cacert.pem 
  identity=jinlu 
  client_cert=/etc/pki/tls/misc/cert-clt.pem 
  private_key=/etc/pki/tls/misc/cert-key.pem 
  private_key_passwd=.. 
} 
where the certificates are created based on a standard procedure. 

Could someone shed some light on the problem (unknown CA...)? Thanks in
advance for your help. 
  
For your information, I include the long test output in the following (after
removing some lines). 
  
  
--
 
[EMAIL PROTECTED] wpa_supplicant-0.5.8]# ./eapol_test -c ../network
-a127.0.0.1 -p1812 -s secret  -r 1 
Reading configuration file '../network' 
Line: 1 - start of a new network block 
ssid - hexdump_ascii(len=7): 
72 6f 6f 66 6e 65 74 roofnet 
key_mgmt: 0x1 
eap methods - hexdump(len=16): 00 00 00 00 0d 00 00 00 00 00 00 00 00 00 00
00 
ca_cert - hexdump_ascii(len=22): 
2f 65 74 63 2f 70 6b 69 2f 43 41 2f 63 61 63 65 /etc/pki/CA/cace 
72 74 2e 70 65 6d rt.pem 
identity - hexdump_ascii(len=5): 
6a 69 6e 6c 75 jinlu 
client_cert - hexdump_ascii(len=30): 
2f 65 74 63 2f 70 6b 69 2f 74 6c 73 2f 6d 69 73 /etc/pki/tls/mis 
63 2f 63 65 72 74 2d 63 6c 74 2e 70 65 6d c/cert-clt.pem 
private_key - hexdump_ascii(len=30): 
2f 65 74 63 2f 70 6b 69 2f 74 6c 73 2f 6d 69 73 /etc/pki/tls/mis 
63 2f 63 65 72 74 2d 6b 65 79 2e 70 65 6d c/cert-key.pem 
private_key_passwd - hexdump_ascii(len=8): 
--- line omitted --- 
Priority group 0 
id=0 ssid='roofnet' 
Authentication server 127.0.0.1:1812 
EAPOL: SUPP_PAE entering state DISCONNECTED 
EAPOL: KEY_RX entering state NO_KEY_RECEIVE 
EAPOL: SUPP_BE entering state INITIALIZE 
EAP: EAP entering state DISABLED 
EAPOL: External notification - portValid=0 
EAPOL: External notification - portEnabled=1 
EAPOL: SUPP_PAE entering state CONNECTING 
EAPOL: SUPP_BE entering state IDLE 
EAP: EAP entering state INITIALIZE 
EAP: EAP entering state IDLE 
Sending fake EAP-Request-Identity 
EAPOL: Received EAP-Packet frame 
EAPOL: SUPP_PAE entering state RESTART 
EAP: EAP entering state INITIALIZE 
EAP: EAP entering state IDLE 
EAPOL: SUPP_PAE entering state AUTHENTICATING 
EAPOL: SUPP_BE entering state REQUEST 
EAPOL: getSuppRsp 
EAP: EAP entering state RECEIVED 
EAP: Received EAP-Request id=0 method=1 vendor=0 vendorMethod=0 
EAP: EAP entering state IDENTITY 
CTRL-EVENT-EAP-STARTED EAP authentication started 
EAP: EAP-Request Identity data - hexdump_ascii(len=0): 
EAP: using real identity - hexdump_ascii(len=5): 
6a 69 6e 6c 75 jinlu 
EAP: EAP entering state SEND_RESPONSE 
EAP: EAP entering state IDLE 
EAPOL: SUPP_BE entering state RESPONSE 
EAPOL: txSuppRsp 
WPA: eapol_test_eapol_send(type=0 len=10) 
TX EAP - RADIUS - hexdump(len=10): 02 00 00 0a 01 6a 69 6e 6c 75 
Encapsulating EAP message into a RADIUS packet 
Learned identity from EAP-Response-Identity - hexdump(len=5): 6a 69 6e 6c 75 
Sending RADIUS message to authentication server 
RADIUS message: code=1 (Access-Request) identifier=0 length=118 
Attribute 1 (User-Name) length=7 
Value: 'jinlu' 
Attribute 4 (NAS-IP-Address) length=6 
Value: 127.0.0.1 
Attribute 31 (Calling-Station-Id) length=19 
Value: '02-00-00-00-00-01' 
Attribute 12 (Framed-MTU) length=6 
Value: 1400 
Attribute 61 (NAS-Port-Type) length=6 
Value: 19 
Attribute 77 (Connect-Info) length=24 
Value: 'CONNECT 11Mbps 802.11b' 
Attribute 79 (EAP-Message) length=12 
Value: 02 00 00 0a 01 6a 69 6e 6c 75 
Attribute 80 (Message-Authenticator) length=18 
Value: 4d 62 5a c4 38 ed f1 b8 7a 98 48 67 4b 37 64 57 
Next RADIUS client retransmit in 3 seconds 
EAPOL: SUPP_BE entering state RECEIVE 
Received 64 bytes from RADIUS server 
Received RADIUS message 
RADIUS message: code=11 (Access-Challenge) identifier=0 length=64 
Attribute 79 (EAP-Message) length=8 
Value: 01 01 00 06 0d 20 
Attribute 80 (Message-Authenticator) length=18 
Value: 

Problem with Self-Signed certificate and wpa_supplicant

2007-08-14 Thread jinlu8591

Hi,

I have a problem with a self-signed certificate when using wpa_supplicant,
exactly as described in the attached old message in this forum. I wonder if
anybody can shed some light on it.

Here is what I tried to solve it, but without any luck:

* find OPENSSLDIR (openssl version -d)
* put the self signed certificate (cacert.pem) in $OPENSSLDIR/certs
* create the hash-based symlink using some script
* then I do openssl verify cacert.pem, and got ok

Despite the above, I still get 

TLS: Certificate verification failed, error 18 (self signed   
certificate) depth 0 for '/C=US/ST= .. .' 
SSL: (where=0x4008 ret=0x230) 
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA 

** old message *

Problem with Self-Signed certificate and wpa_supplicant   by Philippe Vachon
Jun 23, 2005; 08:52am

Hello All. 

I've been trying to setup WPA security on my network. As such, I have   
been generating my own root and server certificate, and signing my   
client certificates with said root certificate. However, for some   
reason, whenever I try to use the certificates with wpa_supplicant, I   
get the following errors: 

TLS: Certificate verification failed, error 18 (self signed   
certificate) depth 0 for '/C=CA/O=Radialink/CN=RADIUS' 
SSL: (where=0x4008 ret=0x230) 
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA 
SSL: (where=0x1002 ret=0x) 
SSL: SSL_connect:error in SSLv3 read server certificate B 
SSL: SSL_connect: error:14090086:SSL   
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed 

whenever I try to authenticate. I am reasonably certain there is no   
problem with my FreeRADIUS configuration, however, I suspect there   
might be a problem with my root certificate based on this error. Is   
anybody able to shed any light on this for me? 

Thanks, 
Phil. 


-- 
View this message in context: 
http://www.nabble.com/Problem-with-Self-Signed-certificate-and-wpa_supplicant-tf4270305.html#a12154183
Sent from the OpenSSL - User mailing list archive at Nabble.com.

__
OpenSSL Project http://www.openssl.org
User Support Mailing List   openssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]
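
Added example, not part of the thread: OpenSSL verify error 18 is X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, raised when the leaf certificate presented signs itself and is not trusted, and the script below reproduces it by checking a server certificate (rather than the CA file alone) against the file that `ca_cert=` would name. The CA, keys, CNs and file names are all constructed for the demo in a temporary directory.

```shell
#!/bin/sh
# Constructed lab: every key, certificate and CN below is a throwaway made for this demo.
LAB=$(mktemp -d)
trap 'rm -rf "$LAB"' EXIT

lab_setup() {
    # Root CA: self-signed by design; this plays the role of the ca_cert= file.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Lab Root CA" \
        -keyout "$LAB/ca.key" -out "$LAB/cacert.pem" 2>/dev/null || return 1
    # Server certificate issued by that CA.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=radius-signed" \
        -keyout "$LAB/srv.key" -out "$LAB/srv.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$LAB/srv.csr" -CA "$LAB/cacert.pem" -CAkey "$LAB/ca.key" \
        -CAcreateserial -days 1 -out "$LAB/srv-signed.pem" 2>/dev/null || return 1
    # Server certificate that signs itself (issuer == subject), unrelated to the CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=radius-selfsigned" \
        -keyout "$LAB/ss.key" -out "$LAB/srv-selfsigned.pem" 2>/dev/null || return 1
}

# verify_code CAFILE CERT -> prints "OK" or "error N depth D"
verify_code() {
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
    code=$(printf '%s\n' "$out" |
        sed -n 's/.*error \([0-9][0-9]*\) at \([0-9][0-9]*\) depth.*/error \1 depth \2/p' |
        head -n 1)
    if [ -n "$code" ]; then echo "$code"
    else case "$out" in *": OK"*) echo OK ;; *) echo unknown ;; esac
    fi
}

# is_self_issued CERT -> exit 0 when the subject and issuer name hashes match
is_self_issued() {
    [ "$(openssl x509 -noout -subject_hash -in "$1")" = \
      "$(openssl x509 -noout -issuer_hash -in "$1")" ]
}

lab_setup || { echo "openssl lab setup failed" >&2; exit 1; }
# Verifying the CA against itself only shows the CA file is readable and consistent.
echo "CA against itself:       $(verify_code "$LAB/cacert.pem" "$LAB/cacert.pem")"
echo "CA-issued server cert:   $(verify_code "$LAB/cacert.pem" "$LAB/srv-signed.pem")"
echo "self-signed server cert: $(verify_code "$LAB/cacert.pem" "$LAB/srv-selfsigned.pem")"
```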