On 27/05/2015 01:21, Ben Humpert wrote:
> Hi everybody,
>
> I have my RADIUS server running and Windows as well as MacOS and iOS
> can successfully authenticate using EAP-PEAP, EAP-TTLS or EAP-TLS each
> with server certificate validation. However, Android 4.4.4 cannot and
> I can't figure out why.
>
> The complete Cert Chain:
>
> Root CA
> - Intermediate CA1
> - Intermediate CA2
> - Intermediate CA3
> - Signing CA
> - RADIUS Server Cert
> - Android Client Cert
>
> RADIUS server has the complete Certificate Chain in its CA.crt file
> and its own certificate in its server.crt file.
>
> When I do not select any CA certificate in Android WiFi Setup but just
> a User certificate EAP-TLS connection works fine. If I use the same
> configuration but now select a CA certificate I get two different
> errors.

Maybe the Android user interface is really asking about something other
than the issuing CA cert. What are you trying to achieve by selecting a
CA cert in the client UI?

> When I select the Root CA certificate I get
>
> ...
> Wed May 27 01:03:05 2015 : Debug: (106) eap_tls: <<< TLS 1.0 Alert
> [length 0002], fatal certificate_unknown
> Wed May 27 01:03:05 2015 : ERROR: (106) eap_tls: TLS Alert
> read:fatal:certificate unknown
> Wed May 27 01:03:05 2015 : ERROR: (106) eap_tls: TLS_accept: Failed in
> SSLv3 read client certificate A
> Wed May 27 01:03:05 2015 : ERROR: (106) eap_tls: SSL says:
> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
> unknown
> ...
>
> When I select any other CA certificate I always get
>
> ...
> Wed May 27 01:05:21 2015 : Debug: (140) eap_tls: <<< TLS 1.0 Alert
> [length 0002], fatal unknown_ca
> Wed May 27 01:05:21 2015 : ERROR: (140) eap_tls: TLS Alert read:fatal:unknown CA
> Wed May 27 01:05:21 2015 : ERROR: (140) eap_tls: TLS_accept: Failed in
> SSLv3 read client certificate A
> Wed May 27 01:05:21 2015 : ERROR: (140) eap_tls: SSL says:
> error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
> Wed May 27 01:05:21 2015 : Error: SSL: SSL_read failed inside of TLS
> (-1), TLS session fails.
> Wed May 27 01:05:21 2015 : Debug: TLS receive handshake failed during operation
> ...
>
> All Windows, MacOS, iOS and Android devices have their own client
> certificate and have all CA certificates installed.
>
> Because of that I really have to ask what the funk is wrong with
> Android? From all the tests I did, it feels like Android is sending
> the certificates in the wrong order, so instead of sending the client
> cert first it sends the CA cert first and thus RADIUS / OpenSSL errors
> because it expected a client cert. Sadly I can't select the client
> cert as a CA certificate or vice-versa.
>
> Any help is much appreciated!

Which OpenSSL version is the EAP_TLS code using to verify the
certificates?

I read somewhere on this list that an ultra-recent OpenSSL version (not
sure if 1.0.2 or 1.1.0) was changed to be more tolerant of out-of-order
certificates, though I am not sure if that change is also for the
location of the peer certificate in the list, and if that change is also
in the part used by EAP_TLS.

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
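The ordering rule at issue in this thread is the one TLS itself imposes on the Certificate message (RFC 5246 section 7.4.2): the sender's own end-entity certificate comes first, and each following certificate must directly certify the one before it. A peer that puts a CA certificate first breaks that rule regardless of how lenient a particular validator is. The Go program below is an added diagnostic example, not code from either poster or from OpenSSL or FreeRADIUS; it builds a constructed Root / Intermediate / Signing CA / client chain with the Go standard library (all names are made up for the example), checks a candidate chain against the RFC ordering, and separately shows that path validation in Go's `crypto/x509` is indifferent to the order of intermediates once the leaf is known. The second point is about Go's validator only, and says nothing about which OpenSSL version tolerates what.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // counter for the constructed demo certificates

// mkCert issues a demo certificate: self-signed when parent is nil, otherwise
// signed by parent. Every name here is constructed for the example.
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	signer, signerKey := tmpl, key // self-signed root
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// CheckChainOrder enforces the RFC 5246 section 7.4.2 layout: the end-entity
// certificate first, each following certificate directly certifying the one
// before it. A CA-first chain, as suspected in the thread, fails at index 0.
func CheckChainOrder(chain []*x509.Certificate) error {
	if len(chain) == 0 {
		return errors.New("empty certificate chain")
	}
	if chain[0].IsCA {
		return fmt.Errorf("first certificate %q is a CA; the end-entity certificate must come first", chain[0].Subject.CommonName)
	}
	for i := 0; i+1 < len(chain); i++ {
		if err := chain[i].CheckSignatureFrom(chain[i+1]); err != nil {
			return fmt.Errorf("certificate %d (%q) is not directly certified by certificate %d (%q): %v",
				i, chain[i].Subject.CommonName, i+1, chain[i+1].Subject.CommonName, err)
		}
	}
	return nil
}

// VerifyLeaf runs Go's path validation with the intermediates in an unordered
// pool: once the leaf is identified, their order in the message is irrelevant.
func VerifyLeaf(leaf *x509.Certificate, intermediates []*x509.Certificate, root *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// BuildDemoChain constructs Root -> Intermediate -> Signing CA -> client and
// returns it leaf first, the order a well-behaved supplicant sends.
func BuildDemoChain() []*x509.Certificate {
	root, rootKey := mkCert("Demo Root CA", true, nil, nil)
	inter, interKey := mkCert("Demo Intermediate CA", true, root, rootKey)
	signing, signingKey := mkCert("Demo Signing CA", true, inter, interKey)
	client, _ := mkCert("demo-client", false, signing, signingKey)
	return []*x509.Certificate{client, signing, inter, root}
}

// Reversed returns the chain CA first, the ordering the original poster suspects.
func Reversed(chain []*x509.Certificate) []*x509.Certificate {
	out := make([]*x509.Certificate, len(chain))
	for i, c := range chain {
		out[len(chain)-1-i] = c
	}
	return out
}

func main() {
	chain := BuildDemoChain()
	fmt.Println("leaf first:", CheckChainOrder(chain))
	fmt.Println("CA first:", CheckChainOrder(Reversed(chain)))
	fmt.Println("path validation, intermediates reversed:", VerifyLeaf(chain[0], Reversed(chain[1:3]), chain[3]))
}
```

To use this against a real capture, replace `BuildDemoChain` with the certificates parsed from the supplicant's Certificate message (for example with `x509.ParseCertificates` on the concatenated DER), and `CheckChainOrder` will report exactly which position violates the rule, which is more precise than the bare `unknown_ca` / `certificate_unknown` alerts in the logs above.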