[openssl-users] Android Wifi setup / CA certificate / always getting SSL fatal error

Tue May 26 23:21:24 UTC 2015

Hi everybody,

I have my RADIUS server running and Windows as well as MacOS and iOS
can successfully authenticate using EAP-PEAP, EAP-TTLS or EAP-TLS each
with server certificate validation. However, Android 4.4.4 can not and
I can't figure out why.

The complete Cert Chain:

Root CA
  - Intermediate CA1
    - Intermediate CA2
      - Intermediate CA3
        - Signing CA
          - RADIUS Server Cert
          - Android Client Cert

RADIUS server has the complete Certificate Chain in it's CA.crt file
and it's own certificate in it's server.crt file.

When I do not select any CA certificate in Android WiFi Setup but just
a User certificate EAP-TLS connection works fine. If I use the same
configuration but now select a CA certificate I get two different
errors.

When I select the Root CA certificate I get

Wed May 27 01:03:05 2015 : Debug: (106) eap: Peer sent method TLS (13)
Wed May 27 01:03:05 2015 : Debug: (106) eap: EAP TLS (13)
Wed May 27 01:03:05 2015 : Debug: (106) eap: Calling eap_tls to process EAP data
Wed May 27 01:03:05 2015 : Debug: (106) eap_tls: Authenticate
Wed May 27 01:03:05 2015 : Debug: (106) eap_tls: processing EAP-TLS
Wed May 27 01:03:05 2015 : Debug: (106) eap_tls: eaptls_verify returned 7
Wed May 27 01:03:05 2015 : Debug: (106) eap_tls: Done initial handshake
Wed May 27 01:03:05 2015 : Debug: (106) eap_tls: <<< TLS 1.0 Alert
[length 0002], fatal certificate_unknown
Wed May 27 01:03:05 2015 : ERROR: (106) eap_tls: TLS Alert
read:fatal:certificate unknown
Wed May 27 01:03:05 2015 : ERROR: (106) eap_tls: TLS_accept: Failed in
SSLv3 read client certificate A
Wed May 27 01:03:05 2015 : ERROR: (106) eap_tls: SSL says:
error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
unknown
Wed May 27 01:03:05 2015 : Error: SSL: SSL_read failed inside of TLS
(-1), TLS session fails.
Wed May 27 01:03:05 2015 : Debug: TLS receive handshake failed during operation
Wed May 27 01:03:05 2015 : Debug: (106) eap_tls: eaptls_process returned 4
Wed May 27 01:03:05 2015 : ERROR: (106) eap: Failed continuing EAP TLS
(13) session. EAP sub-module failed

When I select any other CA certificate I always get

Wed May 27 01:05:21 2015 : Debug: (140) eap: Peer sent method TLS (13)
Wed May 27 01:05:21 2015 : Debug: (140) eap: EAP TLS (13)
Wed May 27 01:05:21 2015 : Debug: (140) eap: Calling eap_tls to process EAP data
Wed May 27 01:05:21 2015 : Debug: (140) eap_tls: Authenticate
Wed May 27 01:05:21 2015 : Debug: (140) eap_tls: processing EAP-TLS
Wed May 27 01:05:21 2015 : Debug: (140) eap_tls: eaptls_verify returned 7
Wed May 27 01:05:21 2015 : Debug: (140) eap_tls: Done initial handshake
Wed May 27 01:05:21 2015 : Debug: (140) eap_tls: <<< TLS 1.0 Alert
[length 0002], fatal unknown_ca
Wed May 27 01:05:21 2015 : ERROR: (140) eap_tls: TLS Alert read:fatal:unknown CA
Wed May 27 01:05:21 2015 : ERROR: (140) eap_tls: TLS_accept: Failed in
SSLv3 read client certificate A
Wed May 27 01:05:21 2015 : ERROR: (140) eap_tls: SSL says:
error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
Wed May 27 01:05:21 2015 : Error: SSL: SSL_read failed inside of TLS
(-1), TLS session fails.
Wed May 27 01:05:21 2015 : Debug: TLS receive handshake failed during operation
Wed May 27 01:05:21 2015 : Debug: (140) eap_tls: eaptls_process returned 4
Wed May 27 01:05:21 2015 : ERROR: (140) eap: Failed continuing EAP TLS
(13) session. EAP sub-module failed

All Windows, MacOS, iOS and Android devices have their own client
certificate and have all CA certificates installed.

Because of that I really have to ask what the funk is wrong with
Android? From all the tests I did not it feels like Android is sending
the certificates in the wrong order, so instead of sending the client
cert first it sends the CA cert first and thus RADIUS / OpenSSL errors
because it expected a client cert. Sadly I can't select the client
cert as a CA certificate or vice-versa.

Any help is much appreciated!

Best regards,

Ben