<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 27/05/2015 01:21, Ben Humpert wrote:<br>
</div>
<blockquote
cite="mid:CAGbjqfHmiLbTiWOFo8rULM02cDmRPfO9k5d+eMN-P+szyaDOLg@mail.gmail.com"
type="cite">
<pre wrap="">Hi everybody,
I have my RADIUS server running and Windows as well as MacOS and iOS
can successfully authenticate using EAP-PEAP, EAP-TTLS or EAP-TLS each
with server certificate validation. However, Android 4.4.4 can not and
I can't figure out why.
The complete Cert Chain:
Root CA
- Intermediate CA1
- Intermediate CA2
- Intermediate CA3
- Signing CA
- RADIUS Server Cert
- Android Client Cert
RADIUS server has the complete Certificate Chain in it's CA.crt file
and it's own certificate in it's server.crt file.
When I do not select any CA certificate in Android WiFi Setup but just
a User certificate EAP-TLS connection works fine. If I use the same
configuration but now select a CA certificate I get two different
errors.
</pre>
</blockquote>
<tt>Maybe the Android user interface is really asking about <br>
something other than the issuing CA cert.</tt><tt><br>
</tt><tt><br>
</tt><tt>What are you trying to achieve by selecting a CA cert <br>
in the client UI?</tt><br>
<blockquote
cite="mid:CAGbjqfHmiLbTiWOFo8rULM02cDmRPfO9k5d+eMN-P+szyaDOLg@mail.gmail.com"
type="cite">
<pre wrap="">
When I select the Root CA certificate I get
...
Wed May 27 01:03:05 2015 : Debug: (106) eap_tls: <<< TLS 1.0 Alert
[length 0002], fatal certificate_unknown
Wed May 27 01:03:05 2015 : ERROR: (106) eap_tls: TLS Alert
read:fatal:certificate unknown
Wed May 27 01:03:05 2015 : ERROR: (106) eap_tls: TLS_accept: Failed in
SSLv3 read client certificate A
Wed May 27 01:03:05 2015 : ERROR: (106) eap_tls: SSL says:
error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
unknown
...
When I select any other CA certificate I always get
...
Wed May 27 01:05:21 2015 : Debug: (140) eap_tls: <<< TLS 1.0 Alert
[length 0002], fatal unknown_ca
Wed May 27 01:05:21 2015 : ERROR: (140) eap_tls: TLS Alert read:fatal:unknown CA
Wed May 27 01:05:21 2015 : ERROR: (140) eap_tls: TLS_accept: Failed in
SSLv3 read client certificate A
Wed May 27 01:05:21 2015 : ERROR: (140) eap_tls: SSL says:
error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
Wed May 27 01:05:21 2015 : Error: SSL: SSL_read failed inside of TLS
(-1), TLS session fails.
Wed May 27 01:05:21 2015 : Debug: TLS receive handshake failed during operation
...
All Windows, MacOS, iOS and Android devices have their own client
certificate and have all CA certificates installed.
Because of that I really have to ask what the funk is wrong with
Android? From all the tests I did not it feels like Android is sending
the certificates in the wrong order, so instead of sending the client
cert first it sends the CA cert first and thus RADIUS / OpenSSL errors
because it expected a client cert. Sadly I can't select the client
cert as a CA certificate or vice-versa.
Any help is much appreciated!
</pre>
</blockquote>
<tt>Which OpenSSL version is the EAP_TLS code using to <br>
verify the certificates?</tt><tt><br>
</tt><tt><br>
</tt><tt>I read somewhere on this list that an ultra-recent <br>
OpenSSL version (not sure if 1.0.2 or 1.1.0) was <br>
changed to be more tolerant of out-of-order certificates, <br>
though I am not sure if that change is also for the <br>
location of the peer certificate in the list, and if <br>
that change is also in the part used by EAP_TLS.</tt><tt><br>
<br>
</tt>
<pre class="moz-signature" cols="72">Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. <a class="moz-txt-link-freetext" href="http://www.wisemo.com">http://www.wisemo.com</a>
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded </pre>
</body>
</html>