[openssl-users] Android Wifi setup / CA certificate / always getting SSL fatal error

[Ben Humpert]

2015-05-27 8:17 GMT+02:00 Jakob Bohm <jb-openssl at wisemo.com>:
> Maybe the Android user interface is really asking about
> something other than the issuing CA cert.
>
> What are you trying to achieve by selecting a CA cert
> in the client UI?

The official Google documentation as well as other sources say that it
asks for the Root CA certificate and with that selected I get a
different error message than with any other certificate so I guess it
is the right cert.

I want the users to validate the RADIUS server's certificate.

> Which OpenSSL version is the EAP_TLS code using to
> verify the certificates?

OpenSSL 1.0.1f 6 Jan 2014
built on: Thu Mar 19 15:12:02 UTC 2015
platform: debian-amd64
options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
compiler: cc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT
-DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2
-fstack-protector --param=ssp-buffer-size=4 -Wformat
-Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions
-Wl,-z,relro -Wa,--noexecstack -Wall -DMD32_REG_T=int
-DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5
-DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM
-DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/usr/lib/ssl"

> I read somewhere on this list that an ultra-recent
> OpenSSL version (not sure if 1.0.2 or 1.1.0) was
> changed to be more tolerant of out-of-order certificates,
> though I am not sure if that change is also for the
> location of the peer certificate in the list, and if
> that change is also in the part used by EAP_TLS.