[openssl-users] Android Wifi setup / CA certificate / always getting SSL fatal error

Jakob Bohm jb-openssl at wisemo.com
Wed May 27 12:02:19 UTC 2015


On 27/05/2015 12:47, Ben Humpert wrote:
> 2015-05-27 8:17 GMT+02:00 Jakob Bohm <jb-openssl at wisemo.com>:
>> Maybe the Android user interface is really asking about
>> something other than the issuing CA cert.
>>
>> What are you trying to achieve by selecting a CA cert
>> in the client UI?
> The official Google documentation as well as other sources say that it
> asks for the Root CA certificate and with that selected I get a
> different error message than with any other certificate so I guess it
> is the right cert.
>
> I want the users to validate the RADIUS server's certificate.
>
>> Which OpenSSL version is the EAP_TLS code using to
>> verify the certificates?
> OpenSSL 1.0.1f 6 Jan 2014
> built on: Thu Mar 19 15:12:02 UTC 2015
> platform: debian-amd64
> options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
> compiler: cc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT
> -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2
> -fstack-protector --param=ssp-buffer-size=4 -Wformat
> -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions
> -Wl,-z,relro -Wa,--noexecstack -Wall -DMD32_REG_T=int
> -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5
> -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM
> -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
> OPENSSLDIR: "/usr/lib/ssl"
>
>> I read somewhere on this list that an ultra-recent
>> OpenSSL version (not sure if 1.0.2 or 1.1.0) was
>> changed to be more tolerant of out-of-order certificates,
>> though I am not sure if that change is also for the
>> location of the peer certificate in the list, and if
>> that change is also in the part used by EAP_TLS.
Just to clarify: The log messages in your original post,
were those from Android or from the server?


Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded


