OpenSSL issue with xsupplicant


OpenSSL issue with xsupplicant

Shane Stixrud
I am attempting to use xsupplicant to connect my Fedora 4 laptop to an Open
/ static WEP / EAP-TLS enabled Cisco wireless network with a Cisco ACS
RADIUS server and a Microsoft CA. Everything works fine if I just use WEP
and avoid EAP-TLS.

My xsupplicant configuration files seem to be correct; however, my
authentication requests fail during the OpenSSL handshake with my RADIUS
server with the following error:

[AUTH TYPE]      --- SSL_verify : depth 1
[AUTH TYPE]      --- SSL_verify error : num=19:self signed certificate in
certificate chain:depth=1:/DC=org/DC=vmmc/DC=vmad/CN=vmad1
[AUTH TYPE]      --- SSL : SSLv3 read server certificate B
[AUTH TYPE]      --- ALERT : unknown CA
[AUTH TYPE]      --- SSL : SSLv3 read server certificate B
OpenSSL Error -- error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Failure!

This seems to be a common error for many programs that use OpenSSL. I
attempted to solve this by adding our Microsoft cert to /etc/pki/tls/certs
as a hash. This change did allow openssl verify to confirm the
certificate without error, but it did not have any effect on
xsupplicant.

I would think the above change would behave similarly to adding our
Microsoft CA to our Windows XP clients "Trusted root certificate
authorities" list on Windows, but it does not appear so.

Any suggestions would be most welcome.

Cheers,
Shane
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: OpenSSL issue with xsupplicant

Michael Wang-7
On 8/6/05, Shane Stixrud <[hidden email]> wrote:

> I am attempting to use xsupplicant to connect my fedora 4 laptop to a Open
> / static wep / eap-tls enabled cisco wireless network with Cisco ACS
> radius server and a Microsoft CA, everything works fine if I just use wep
> and avoid EAP-TLS.
>
> My xsupplicant configuration files seems to be correct, however my
> authentication requests fail during an openssl handshake to my radius
> server with the following error:
>
> [AUTH TYPE]      --- SSL_verify : depth 1
> [AUTH TYPE]      --- SSL_verify error : num=19:self signed certificate in
> certificate chain:depth=1:/DC=org/DC=vmmc/DC=vmad/CN=vmad1
> [AUTH TYPE]      --- SSL : SSLv3 read server certificate B
> [AUTH TYPE]      --- ALERT : unknown CA
> [AUTH TYPE]      --- SSL : SSLv3 read server certificate B
> OpenSSL Error -- error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> Failure!
>

Look at your eap.conf, section tls, CA_file parameter.

Is CA_file pointing to the certificate of the CA that signed your user
certificate?

Michael

Re: OpenSSL issue with xsupplicant

Shane Stixrud
On Mon, 8 Aug 2005, Michael Wang wrote:

> On 8/6/05, Shane Stixrud <[hidden email]> wrote:
>> I am attempting to use xsupplicant to connect my fedora 4 laptop to a Open
>> / static wep / eap-tls enabled cisco wireless network with Cisco ACS
>> radius server and a Microsoft CA, everything works fine if I just use wep
>> and avoid EAP-TLS.
>>
>> My xsupplicant configuration files seems to be correct, however my
>> authentication requests fail during an openssl handshake to my radius
>> server with the following error:
>>
>> [AUTH TYPE]      --- SSL_verify : depth 1
>> [AUTH TYPE]      --- SSL_verify error : num=19:self signed certificate in
>> certificate chain:depth=1:/DC=org/DC=vmmc/DC=vmad/CN=vmad1
>> [AUTH TYPE]      --- SSL : SSLv3 read server certificate B
>> [AUTH TYPE]      --- ALERT : unknown CA
>> [AUTH TYPE]      --- SSL : SSLv3 read server certificate B
>> OpenSSL Error -- error:14090086:SSL
>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>> Failure!
>>
>
> Look at your eap.conf, section tls, CA_file parameter.
>
> Is CA_file pointing to the certificate of the CA that signed your user
> certificate?

It seems so:

default
{
  allow_types = eap_tls
  identity = <BEGIN_ID>spgsrs-laptop<END_ID>
  eap_tls {
      user_cert = /etc/xsupplicant/cert.cer
      user_key  = /etc/xsupplicant/key.pem
      user_key_pass = <BEGIN_PASS>XXXXXXXXXX<END_PASS>
      root_cert = /etc/xsupplicant/root/vm.pem
      crl_dir = /etc/xsupplicant/crl
      chunk_size = 1398
      random_file = /dev/urandom
   }
}

[root@spgsrs-laptop ~]# openssl x509 -noout -issuer -in
/etc/xsupplicant/root/vm.pem
issuer= /DC=org/DC=vmmc/DC=vmad/CN=vmad1

[root@spgsrs-laptop ~]# openssl x509 -noout -issuer -in
/etc/xsupplicant/key.pem
issuer= /DC=org/DC=vmmc/DC=vmad/CN=vmad1

Thanks,
Shane
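An added example, not part of the thread: it builds a constructed two-root PKI with the openssl command line, shows the subject-equals-issuer check that tells a real root CA certificate (usable as root_cert) from a certificate the CA merely issued, and reproduces verify error 19 ("self signed certificate in certificate chain") when the locally trusted file is the wrong root. All certificate names are constructed; only the openssl CLI is assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Reproduces OpenSSL verify error 19
# with constructed certificates; requires the openssl command.
set -eu
WORK=$(mktemp -d)

# Constructed PKI: root A issues the RADIUS server cert; root B is an
# unrelated CA standing in for a wrong root_cert file.
make_chain() {
  for ca in rootA rootB; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 \
      -subj "/DC=org/DC=constructed/CN=$ca" \
      -keyout "$WORK/$ca.key" -out "$WORK/$ca.pem" 2>/dev/null
  done
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/DC=org/DC=constructed/CN=radius-server" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/rootA.pem" \
    -CAkey "$WORK/rootA.key" -CAcreateserial -days 365 -sha256 \
    -out "$WORK/server.pem" 2>/dev/null
}

# is_self_signed FILE: true only when subject equals issuer, i.e. the file
# is a root CA certificate and can serve as root_cert; "-issuer" alone
# (as in the thread) cannot distinguish the root from a cert it issued.
is_self_signed() {
  subj=$(openssl x509 -noout -subject -in "$1")
  iss=$(openssl x509 -noout -issuer -in "$1")
  [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# verify_chain TRUSTED PEER_CHAIN LEAF: the check the supplicant's TLS
# handshake performs. TRUSTED is the local root_cert file, PEER_CHAIN the
# certificates the server sent (here including its root). Prints "ok"
# or the numeric X509 verify error (19 = self signed cert in chain).
verify_chain() {
  if out=$(openssl verify -CAfile "$1" -untrusted "$2" "$3" 2>&1); then
    echo ok
  else
    echo "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
  fi
}

make_chain
echo "rootA self-signed: $(is_self_signed "$WORK/rootA.pem" && echo yes || echo no)"
echo "server self-signed: $(is_self_signed "$WORK/server.pem" && echo yes || echo no)"
echo "trust rootA: $(verify_chain "$WORK/rootA.pem" "$WORK/rootA.pem" "$WORK/server.pem")"
echo "trust rootB: $(verify_chain "$WORK/rootB.pem" "$WORK/rootA.pem" "$WORK/server.pem")"
```

Running the same two checks against the files named in the eap.conf above (root_cert for is_self_signed, and root_cert plus the server's sent chain for verify_chain) shows whether root_cert really holds the self-signed CA at depth 1 of the error.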