2015-05-27 8:17 GMT+02:00 Jakob Bohm <jb-openssl at wisemo.com>: > Maybe the Android user interface is really asking about > something other than the issuing CA cert. > > What are you trying to achieve by selecting a CA cert > in the client UI? The official Google documentation as well as other sources say that it asks for the Root CA certificate and with that selected I get a different error message than with any other certificate so I guess it is the right cert. I want the users to validate the RADIUS server's certificate. > Which OpenSSL version is the EAP_TLS code using to > verify the certificates? OpenSSL 1.0.1f 6 Jan 2014 built on: Thu Mar 19 15:12:02 UTC 2015 platform: debian-amd64 options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx) compiler: cc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM OPENSSLDIR: "/usr/lib/ssl" > I read somewhere on this list that an ultra-recent > OpenSSL version (not sure if 1.0.2 or 1.1.0) was > changed to be more tolerant of out-of-order certificates, > though I am not sure if that change is also for the > location of the peer certificate in the list, and if > that change is also in the part used by EAP_TLS.
