Problem with EAP-TLS and certificate

Matthew Newton mcn4 at leicester.ac.uk
Mon Jun 18 11:32:56 CEST 2012


On Sun, Jun 17, 2012 at 11:07:31PM -0400, Stephane Brodeur wrote:
> My problem is the following error message when running eapol_test
> 
> TLS: Trusted root certificate(s) loaded
> OpenSSL: SSL_use_certificate_file (DER) --> OK
> OpenSSL: tls_connection_private_key - SSL_use_PrivateKey_File (DER) failed error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
> OpenSSL: pending error: error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
> OpenSSL: pending error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
> OpenSSL: pending error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
> OpenSSL: pending error: error:04093004:rsa routines:OLD_RSA_PRIV_DECODE:RSA lib
> OpenSSL: pending error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
> OpenSSL: pending error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
> OpenSSL: pending error: error:140CB00D:SSL routines:SSL_use_PrivateKey_file:ASN1 lib
> OpenSSL: SSL_use_PrivateKey_File (PEM) --> OK
> SSL: Private key loaded successfully
> CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected

I think this is just OpenSSL trying to read the private key file
in DER format, failing, and then trying again in PEM format and
succeeding. I get very similar output with the example certificates
generated with v2.1.12 as they are all in PEM format - it tries
DER first and fails.

> OpenSSL: pending error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
> OpenSSL: pending error: error:140C800D:SSL routines:SSL_use_certificate_file:ASN1 lib
> OpenSSL: pending error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
> OpenSSL: pending error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
> OpenSSL: pending error: error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib
> OpenSSL: pending error: error:140CB00D:SSL routines:SSL_use_PrivateKey_file:ASN1 lib
> OpenSSL: pending error: error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error
> OpenSSL: pending error: error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error
> OpenSSL: pending error: error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib
> OpenSSL: pending error: error:140CB009:SSL routines:SSL_use_PrivateKey_file:PEM lib
> OpenSSL: tls_read_pkcs12 - Failed to use PKCS#12 file error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
> OpenSSL: pending error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
> OpenSSL: Failed to load private key

At a complete guess, that looks like it's trying to load the
private key in every format it can, but failing to understand any
of them.

There's generally not a problem with FreeRADIUS and wpa_supplicant
(or eapol_test), so check your certificates.

Cheers,

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
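
Added example, not part of the original message and not code from FreeRADIUS, wpa_supplicant or OpenSSL: a Python sketch that reports which container a key file actually holds, mirroring the DER / PEM / PKCS#12 probing seen in the log above. The function names are hypothetical and the check assumes that the PEM header plus the first ASN.1 fields are enough to tell the formats apart; it does not validate the key itself.

```python
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def tlv(data, pos):
    """Return (tag, content_offset, length) for the ASN.1 TLV at pos."""
    tag, first = data[pos], data[pos + 1]
    if first < 0x80:
        return tag, pos + 2, first
    n = first & 0x7F  # long form: n length bytes follow (n == 0 is BER indefinite)
    return tag, pos + 2 + n, int.from_bytes(data[pos + 2:pos + 2 + n], "big")

def classify_der(data):
    """Name the structure from the first two fields inside the outer SEQUENCE."""
    try:
        tag, off, _ = tlv(data, 0)
        if tag != 0x30:
            return "not ASN.1 DER"
        tag1, off1, len1 = tlv(data, off)
        tag2 = data[off1 + len1]
    except IndexError:
        return "truncated or not ASN.1 DER"
    if tag1 == 0x30:  # first field is itself a SEQUENCE
        return "encrypted PKCS#8 key" if tag2 == 0x04 else "not a private key (certificate?)"
    if tag1 != 0x02:
        return "unknown ASN.1 structure"
    version = int.from_bytes(data[off1:off1 + len1], "big")
    if tag2 == 0x30:
        return "PKCS#12 bundle" if version == 3 else "PKCS#8 key"
    return {0x02: "PKCS#1 RSA key", 0x04: "SEC1 EC key"}.get(tag2, "unknown ASN.1 structure")

def classify(data):
    """Return (encoding, structure) for the bytes of a key file."""
    m = PEM_RE.search(data)
    if not m:
        return "DER", classify_der(data)
    label, body = m.group(1).decode(), m.group(2)
    if b"Proc-Type: 4,ENCRYPTED" in body:
        return "PEM", f"{label} (passphrase-protected, legacy format)"
    try:
        return "PEM", classify_der(base64.b64decode(b"".join(body.split())))
    except ValueError:
        return "PEM", f"{label} with corrupt base64 body"

# Constructed sample: the first fields of an RSAPrivateKey, not a usable key.
STUB_RSA = bytes.fromhex("3006020100020105")
STUB_PEM = (b"-----BEGIN RSA PRIVATE KEY-----\n" + base64.b64encode(STUB_RSA)
            + b"\n-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    print(classify(STUB_RSA), classify(STUB_PEM))
```

To check a real file, pass its contents as bytes, for example `classify(open(path, "rb").read())`, where `path` is whatever key file the supplicant configuration points at.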

