[openssl-users] Android Wifi setup / CA certificate / always getting SSL fatal error

Jakob Bohm jb-openssl at wisemo.com
Wed May 27 12:02:19 UTC 2015

On 27/05/2015 12:47, Ben Humpert wrote:
> 2015-05-27 8:17 GMT+02:00 Jakob Bohm <jb-openssl at wisemo.com>:
>> Maybe the Android user interface is really asking about
>> something other than the issuing CA cert.
>> What are you trying to achieve by selecting a CA cert
>> in the client UI?
> The official Google documentation as well as other sources say that it
> asks for the Root CA certificate and with that selected I get a
> different error message than with any other certificate so I guess it
> is the right cert.
> I want the users to validate the RADIUS server's certificate.
>> Which OpenSSL version is the EAP_TLS code using to
>> verify the certificates?
> OpenSSL 1.0.1f 6 Jan 2014
> built on: Thu Mar 19 15:12:02 UTC 2015
> platform: debian-amd64
> options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
> -fstack-protector --param=ssp-buffer-size=4 -Wformat
> -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions
> -Wl,-z,relro -Wa,--noexecstack -Wall -DMD32_REG_T=int
> OPENSSLDIR: "/usr/lib/ssl"
>> I read somewhere on this list that an ultra-recent
>> OpenSSL version (not sure if 1.0.2 or 1.1.0) was
>> changed to be more tolerant of out-of-order certificates,
>> though I am not sure if that change is also for the
>> location of the peer certificate in the list, and if
>> that change is also in the part used by EAP_TLS.
Just to clarify: The log messages in your original post,
were those from Android or from the server?


Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

More information about the openssl-users mailing list