Problem with Self-Signed certificate and wpa_supplicant


Philippe Vachon
Hello All.

I've been trying to set up WPA security on my network. As such, I have
been generating my own root and server certificate, and signing my  
client certificates with said root certificate. However, for some  
reason, whenever I try to use the certificates with wpa_supplicant, I  
get the following errors:

TLS: Certificate verification failed, error 18 (self signed certificate) depth 0 for '/C=CA/O=Radialink/CN=RADIUS'
SSL: (where=0x4008 ret=0x230)
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
SSL: (where=0x1002 ret=0xffffffff)
SSL: SSL_connect:error in SSLv3 read server certificate B
SSL: SSL_connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

whenever I try to authenticate. I am reasonably certain there is no
problem with my FreeRADIUS configuration; however, I suspect there
might be a problem with my root certificate based on this error. Is  
anybody able to shed any light on this for me?

Thanks,
Phil.



Full output from wpa_supplicant:
---------------

Initializing interface 'ath0' conf '/etc/wpa_supplicant.conf' driver 'madwifi'
Configuration file '/etc/wpa_supplicant.conf' -> '/etc/wpa_supplicant.conf'
Reading configuration file '/etc/wpa_supplicant.conf'
Priority group 0
    id=0 ssid='ap3-senaoabg'
Initializing interface (2) 'ath0'
EAPOL: SUPP_PAE entering state DISCONNECTED
EAPOL: KEY_RX entering state NO_KEY_RECEIVE
EAPOL: SUPP_BE entering state INITIALIZE
EAP: EAP entering state DISABLED
EAPOL: External notification - portEnabled=0
EAPOL: External notification - portValid=0
Own MAC address: 00:0b:6b:33:11:e6
wpa_driver_madwifi_set_wpa: enabled=1
wpa_driver_madwifi_del_key: keyidx=0
wpa_driver_madwifi_del_key: keyidx=1
wpa_driver_madwifi_del_key: keyidx=2
wpa_driver_madwifi_del_key: keyidx=3
wpa_driver_madwifi_set_countermeasures: enabled=0
wpa_driver_madwifi_set_drop_unencrypted: enabled=1
Setting scan request: 0 sec 100000 usec
Wireless event: cmd=0x8b06 len=8
RTM_NEWLINK, IFLA_IFNAME: Interface 'ath0' added
RTM_NEWLINK, IFLA_IFNAME: Interface 'ath0' added
Starting AP scan (specific SSID)
Scan SSID - hexdump_ascii(len=12):
      61 70 33 2d 73 65 6e 61 6f 61 62 67               ap3-senaoabg
Wireless event: cmd=0x8b1a len=25
Wireless event: cmd=0x8b19 len=12
Received 668 bytes of scan results (3 BSSes)
Scan results: 3
Selecting BSS from priority group 0
0: 00:02:6f:20:b6:6b ssid='Wireless Network' wpa_ie_len=28 rsn_ie_len=0
    skip - SSID mismatch
1: 00:02:6f:20:b6:6c ssid='ap3-senaoabg' wpa_ie_len=24 rsn_ie_len=0
    selected
Trying to associate with 00:02:6f:20:b6:6c (SSID='ap3-senaoabg' freq=2412 MHz)
Cancelling scan request
Automatic auth_alg selection: 0x1
WPA: using IEEE 802.11i/D3.0
WPA: Selected cipher suites: group 16 pairwise 16 key_mgmt 1
WPA: using GTK CCMP
WPA: using PTK CCMP
WPA: using KEY_MGMT 802.1X
WPA: Own WPA IE - hexdump(len=24): dd 16 00 50 f2 01 01 00 00 50 f2 04 01 00 00 50 f2 04 01 00 00 50 f2 01
No keys have been configured - skip key clearing
wpa_driver_madwifi_set_drop_unencrypted: enabled=1
wpa_driver_madwifi_associate
Setting authentication timeout: 5 sec 0 usec
EAPOL: External notification - portControl=Auto
Wireless event: cmd=0x8b1a len=25
Wireless event: cmd=0x8b15 len=20
Wireless event: new AP: 00:02:6f:20:b6:6c
Association event - clear replay counter
Associated to a new BSS: BSSID=00:02:6f:20:b6:6c
No keys have been configured - skip key clearing
Associated with 00:02:6f:20:b6:6c
EAPOL: External notification - portEnabled=0
EAPOL: External notification - portValid=0
EAPOL: External notification - portEnabled=1
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: txStart
EAPOL: SUPP_BE entering state IDLE
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
Setting authentication timeout: 10 sec 0 usec
Wireless event: cmd=0x8c02 len=35
Custom wireless event: 'ASSOC|00:02:6f:20:b6:6c'
RTM_NEWLINK, IFLA_IFNAME: Interface 'ath0' added
RX EAPOL from 00:02:6f:20:b6:6c
Setting authentication timeout: 70 sec 0 usec
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_PAE entering state RESTART
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
EAPOL: SUPP_PAE entering state AUTHENTICATING
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request method=1 id=0
EAP: EAP entering state IDENTITY
EAP: EAP-Request Identity data - hexdump_ascii(len=0):
EAP: using real identity - hexdump_ascii(len=8):
      70 68 69 6c 69 70 70 65                           philippe
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
EAPOL: SUPP_BE entering state RECEIVE
WPA: EAPOL frame too short, len 9, expecting at least 99
RX EAPOL from 00:02:6f:20:b6:6c
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request method=1 id=0
EAP: EAP entering state RETRANSMIT
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
EAPOL: SUPP_BE entering state RECEIVE
WPA: EAPOL frame too short, len 9, expecting at least 99
RX EAPOL from 00:02:6f:20:b6:6c
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request method=13 id=1
EAP: EAP entering state GET_METHOD
EAP: initialize selected EAP method (13, TLS)
TLS: Trusted root certificate(s) loaded
EAP: EAP entering state METHOD
EAP-TLS: Received packet(len=6) - Flags 0x20
EAP-TLS: Start
SSL: (where=0x10 ret=0x1)
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:before/connect initialization
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3 write client hello A
SSL: (where=0x1002 ret=0xffffffff)
SSL: SSL_connect:error in SSLv3 read server hello A
SSL: SSL_connect - want more data
SSL: 102 bytes pending from ssl_out
SSL: 102 bytes left to be sent out (of total 102 bytes)
EAP: method process -> ignore=FALSE methodState=CONT decision=COND_SUCC
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
EAPOL: SUPP_BE entering state RECEIVE
WPA: EAPOL frame too short, len 10, expecting at least 99
RX EAPOL from 00:02:6f:20:b6:6c
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request method=13 id=2
EAP: EAP entering state METHOD
EAP-TLS: Received packet(len=784) - Flags 0x80
EAP-TLS: TLS Message Length: 774
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3 read server hello A
TLS: Certificate verification failed, error 18 (self signed certificate) depth 0 for '/C=CA/O=Radialink/CN=RADIUS'
SSL: (where=0x4008 ret=0x230)
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
SSL: (where=0x1002 ret=0xffffffff)
SSL: SSL_connect:error in SSLv3 read server certificate B
SSL: SSL_connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
EAP-TLS: TLS processing failed
SSL: Building ACK
EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
EAPOL: SUPP_BE entering state RECEIVE
IEEE 802.1X RX: version=1 type=0 length=784
WPA: EAPOL frame (type 0) discarded, not a Key frame
RX EAPOL from 00:02:6f:20:b6:6c
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request method=13 id=3
EAP: EAP entering state METHOD
EAP-TLS: Received packet(len=10) - Flags 0x80
EAP-TLS: TLS Message Length: 0
TLS: Certificate verification failed, error 18 (self signed certificate) depth 0 for '/C=CA/O=Radialink/CN=RADIUS'
SSL: (where=0x4008 ret=0x230)
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
SSL: (where=0x1002 ret=0xffffffff)
SSL: SSL_connect:error in SSLv3 read server certificate B
SSL: SSL_connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
EAP-TLS: TLS processing failed
SSL: Building ACK
EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
EAPOL: SUPP_BE entering state RECEIVE
WPA: EAPOL frame too short, len 14, expecting at least 99
RX EAPOL from 00:02:6f:20:b6:6c
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request method=13 id=4
EAP: EAP entering state METHOD
EAP-TLS: Received packet(len=10) - Flags 0x80
EAP-TLS: TLS Message Length: 0
TLS: Certificate verification failed, error 18 (self signed certificate) depth 0 for '/C=CA/O=Radialink/CN=RADIUS'
SSL: (where=0x4008 ret=0x230)
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
SSL: (where=0x1002 ret=0xffffffff)
SSL: SSL_connect:error in SSLv3 read server certificate B
SSL: SSL_connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
EAP-TLS: TLS processing failed
SSL: Building ACK
EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
EAPOL: SUPP_BE entering state RECEIVE
WPA: EAPOL frame too short, len 14, expecting at least 99
RX EAPOL from 00:02:6f:20:b6:6c
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request method=13 id=5
EAP: EAP entering state METHOD
EAP-TLS: Received packet(len=10) - Flags 0x80
EAP-TLS: TLS Message Length: 0
TLS: Certificate verification failed, error 18 (self signed certificate) depth 0 for '/C=CA/O=Radialink/CN=RADIUS'
SSL: (where=0x4008 ret=0x230)
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
SSL: (where=0x1002 ret=0xffffffff)
SSL: SSL_connect:error in SSLv3 read server certificate B
SSL: SSL_connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
EAP-TLS: TLS processing failed
SSL: Building ACK
EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
EAPOL: SUPP_BE entering state RECEIVE
WPA: EAPOL frame too short, len 14, expecting at least 99
Signal 2 received - terminating
wpa_driver_madwifi_deauthenticate
No keys have been configured - skip key clearing
EAPOL: External notification - portEnabled=0
EAPOL: SUPP_PAE entering state DISCONNECTED
EAPOL: SUPP_BE entering state INITIALIZE
EAP: EAP entering state DISABLED
EAPOL: External notification - portValid=0
wpa_driver_madwifi_set_wpa: enabled=0
wpa_driver_madwifi_set_drop_unencrypted: enabled=0
wpa_driver_madwifi_set_countermeasures: enabled=0
EAP: deinitialize previously used EAP method (13, TLS) at EAP deinit

wpa_supplicant.conf:
----------
network={
     ssid="ap3-senaoabg"
     scan_ssid=1
     key_mgmt=WPA-EAP
     eap=TLS
     identity="philippe"
     ca_cert="/etc/cert.pem"
     client_cert="/etc/cert.pem"
     private_key="/etc/cert.pem"
     private_key_passwd="asdf1234"
}
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
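
Added example, not part of the original post: the OpenSSL verification result from the log above (error 18 at depth 0) reproduced with constructed certificates in a scratch directory, next to the case that verifies cleanly. The file names and the root subject "Example Root" are assumptions; the server subject is the one shown in the log.

```shell
#!/bin/sh
# Added example: reproduce OpenSSL verify error 18 with constructed certificates.
set -e

make_pki() {  # $1 = scratch directory; every file name here is constructed
    d=$1
    # Root CA (self-signed trust anchor). "Example Root" is an assumed name.
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
        -subj "/C=CA/O=Radialink/CN=Example Root" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    # Server key and CSR, using the subject shown in the log.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/C=CA/O=Radialink/CN=RADIUS" \
        -keyout "$d/radius.key" -out "$d/radius.csr" 2>/dev/null
    # Variant 1: server certificate issued by the root.
    openssl x509 -req -in "$d/radius.csr" -days 30 \
        -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
        -out "$d/radius-signed.pem" 2>/dev/null
    # Variant 2: same key and subject, but self-signed.
    openssl req -x509 -new -key "$d/radius.key" -days 30 \
        -subj "/C=CA/O=Radialink/CN=RADIUS" \
        -out "$d/radius-selfsigned.pem" 2>/dev/null
}

verify_code() {  # $1 = trusted CA file, $2 = certificate; prints 0 or the error number
    out=$(openssl verify -CAfile "$1" "$2" 2>&1 || true)
    code=$(printf '%s\n' "$out" |
        sed -n 's/.*error \([0-9][0-9]*\) at [0-9][0-9]* depth.*/\1/p' | head -n 1)
    if [ -n "$code" ]; then
        echo "$code"
    else
        case $out in *": OK"*) echo 0 ;; *) echo unknown ;; esac
    fi
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
make_pki "$tmp"

echo "root trusted, root-issued server cert:  $(verify_code "$tmp/root.pem" "$tmp/radius-signed.pem")"
echo "root trusted, self-signed server cert:  $(verify_code "$tmp/root.pem" "$tmp/radius-selfsigned.pem")"
echo "self-signed cert trusted, same cert:    $(verify_code "$tmp/radius-selfsigned.pem" "$tmp/radius-selfsigned.pem")"
```

In an EAP-TLS setup the first argument of `verify_code` plays the role of `ca_cert`: the server certificate validates only when that file holds its issuer, or the certificate itself when it is self-signed.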