On Tue, May 26, 2015 at 7:21 PM, Ben Humpert <ben at an3k.de> wrote:
> Hi everybody,
>
> I have my RADIUS server running and Windows as well as MacOS and iOS
> can successfully authenticate using EAP-PEAP, EAP-TTLS or EAP-TLS each
> with server certificate validation. However, Android 4.4.4 can not and
> I can't figure out why.
>
> ...
> Because of that I really have to ask what the funk is wrong with
> Android? From all the tests I did now it feels like Android is sending
> the certificates in the wrong order, so instead of sending the client
> cert first it sends the CA cert first and thus RADIUS / OpenSSL errors
> because it expected a client cert. Sadly I can't select the client
> cert as a CA certificate or vice-versa.
>
> Any help is much appreciated!
>

Maybe related....

The mother of all processes is Zygote. An Android Activity is
effectively forked from it (some hand waving). Zygote loads a down
level version of OpenSSL. It used to be 0.9.8, but it's an odd mix of
1.0.0 and 1.0.1 now. When your app attempts to load its version of
OpenSSL carried around in the JNI folder, it's not loaded because
Zygote already loaded a down level version provided by the platform.

So one of my first guesses would be a bug is present due to the way
AOSP supplies OpenSSL modulo the way Zygote works.

Jeff