[openssl-users] Android Wifi setup / CA certificate / always getting SSL fatal error

Jakob Bohm jb-openssl at wisemo.com
Wed May 27 06:17:02 UTC 2015


On 27/05/2015 01:21, Ben Humpert wrote:
> Hi everybody,
>
> I have my RADIUS server running and Windows as well as MacOS and iOS
> can successfully authenticate using EAP-PEAP, EAP-TTLS or EAP-TLS each
> with server certificate validation. However, Android 4.4.4 can not and
> I can't figure out why.
>
> The complete Cert Chain:
>
> Root CA
>    - Intermediate CA1
>      - Intermediate CA2
>        - Intermediate CA3
>          - Signing CA
>            - RADIUS Server Cert
>            - Android Client Cert
>
> RADIUS server has the complete Certificate Chain in its CA.crt file
> and its own certificate in its server.crt file.
>
> When I do not select any CA certificate in Android WiFi Setup but just
> a User certificate EAP-TLS connection works fine. If I use the same
> configuration but now select a CA certificate I get two different
> errors.
Maybe the Android user interface is really asking about
something other than the issuing CA cert.

What are you trying to achieve by selecting a CA cert
in the client UI?
> When I select the Root CA certificate I get
>
> ...
> Wed May 27 01:03:05 2015 : Debug: (106) eap_tls: <<< TLS 1.0 Alert
> [length 0002], fatal certificate_unknown
> Wed May 27 01:03:05 2015 : ERROR: (106) eap_tls: TLS Alert
> read:fatal:certificate unknown
> Wed May 27 01:03:05 2015 : ERROR: (106) eap_tls: TLS_accept: Failed in
> SSLv3 read client certificate A
> Wed May 27 01:03:05 2015 : ERROR: (106) eap_tls: SSL says:
> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
> unknown
> ...
>
> When I select any other CA certificate I always get
>
> ...
> Wed May 27 01:05:21 2015 : Debug: (140) eap_tls: <<< TLS 1.0 Alert
> [length 0002], fatal unknown_ca
> Wed May 27 01:05:21 2015 : ERROR: (140) eap_tls: TLS Alert read:fatal:unknown CA
> Wed May 27 01:05:21 2015 : ERROR: (140) eap_tls: TLS_accept: Failed in
> SSLv3 read client certificate A
> Wed May 27 01:05:21 2015 : ERROR: (140) eap_tls: SSL says:
> error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
> Wed May 27 01:05:21 2015 : Error: SSL: SSL_read failed inside of TLS
> (-1), TLS session fails.
> Wed May 27 01:05:21 2015 : Debug: TLS receive handshake failed during operation
> ...
>
> All Windows, MacOS, iOS and Android devices have their own client
> certificate and have all CA certificates installed.
>
> Because of that I really have to ask what the funk is wrong with
> Android? From all the tests I did, it feels like Android is sending
> the certificates in the wrong order, so instead of sending the client
> cert first it sends the CA cert first and thus RADIUS / OpenSSL errors
> because it expected a client cert. Sadly I can't select the client
> cert as a CA certificate or vice-versa.
>
> Any help is much appreciated!
Which OpenSSL version is the EAP_TLS code using to
verify the certificates?

I read somewhere on this list that an ultra-recent
OpenSSL version (not sure if 1.0.2 or 1.1.0) was
changed to be more tolerant of out-of-order certificates,
though I am not sure if that change is also for the
location of the peer certificate in the list, and if
that change is also in the part used by EAP_TLS.

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
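The two failure modes quoted above (unknown_ca when the server cannot reach a trusted issuer, certificate_unknown for any other verification failure) and the rule Ben suspects Android of violating (RFC 5246 section 7.4.2: the TLS Certificate message carries the sender's own certificate first, each following certificate certifying the one before it) can be reproduced offline. The Go program below is an added example and is not code from this thread, from FreeRADIUS or from OpenSSL. It generates a throwaway Root CA > Intermediate CA1 > Signing CA > client chain (constructed test data, two intermediates shorter than Ben's), verifies the client certificate under three trust configurations, and sorts a shuffled bundle into wire order. The alert names it returns are an assumption modelled on OpenSSL's behaviour; Go's verifier itself only returns error values.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

var serial int64 // serial numbers for the throwaway certificates below

// issue creates a certificate for cn signed by parent (self-signed when parent
// is nil). Everything here is constructed test data, not the thread's PKI.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return must(x509.ParseCertificate(der)), key
}

func pool(cs ...*x509.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	for _, c := range cs {
		p.AddCert(c)
	}
	return p
}

// VerifyAs validates a client certificate as a RADIUS server would (roots are
// its trust anchors, inters the issuer certificates it has on hand) and names
// the TLS alert the outcome maps to. The mapping is an assumption modelled on
// OpenSSL: issuer not found -> unknown_ca, other failures -> certificate_unknown.
func VerifyAs(leaf *x509.Certificate, roots, inters []*x509.Certificate) string {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots: pool(roots...), Intermediates: pool(inters...),
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	var unknown x509.UnknownAuthorityError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &unknown):
		return "unknown_ca"
	default:
		return "certificate_unknown"
	}
}

// OrderChain sorts an arbitrary bundle into the order the TLS Certificate
// message requires (RFC 5246 section 7.4.2): the sender's own certificate first,
// then each issuer in turn, stopping at the root or at the first issuer missing.
func OrderChain(leaf *x509.Certificate, bundle []*x509.Certificate) []*x509.Certificate {
	chain := []*x509.Certificate{leaf}
	for cur := leaf; cur != nil; {
		var next *x509.Certificate
		for _, c := range bundle {
			if !c.Equal(cur) && bytes.Equal(c.RawSubject, cur.RawIssuer) && cur.CheckSignatureFrom(c) == nil {
				next = c
				break
			}
		}
		if next != nil {
			chain = append(chain, next)
		}
		cur = next
	}
	return chain
}

// Scenarios builds the test chain and reports each trust configuration's
// verdict plus the wire order recovered from a shuffled bundle.
func Scenarios() map[string]string {
	root, rootKey := issue("Root CA", true, nil, nil)
	ca1, ca1Key := issue("Intermediate CA1", true, root, rootKey)
	signing, signingKey := issue("Signing CA", true, ca1, ca1Key)
	client, _ := issue("Android Client", false, signing, signingKey)
	out := map[string]string{
		"root trusted, all intermediates present": VerifyAs(client, []*x509.Certificate{root}, []*x509.Certificate{ca1, signing}),
		"root trusted, Intermediate CA1 missing":  VerifyAs(client, []*x509.Certificate{root}, []*x509.Certificate{signing}),
		"Signing CA trusted directly":             VerifyAs(client, []*x509.Certificate{signing}, nil),
	}
	var names []string
	for _, c := range OrderChain(client, []*x509.Certificate{root, signing, ca1}) {
		names = append(names, c.Subject.CommonName)
	}
	out["wire order"] = strings.Join(names, " > ")
	return out
}

func main() {
	for k, v := range Scenarios() {
		fmt.Printf("%-42s %s\n", k, v)
	}
}
```

One caveat on the third scenario: Go accepts a non-self-signed certificate in its Roots pool as a trust anchor by default, so trusting the Signing CA directly succeeds there. OpenSSL, which FreeRADIUS's EAP-TLS code links against, only does that when X509_V_FLAG_PARTIAL_CHAIN is set; otherwise it keeps walking towards a self-signed root and, if it cannot find one among the certificates it was given, reports the same unknown_ca alert shown in the quoted log.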
