Hello, Following up on the pull-request. The scenario I am testing is when a client issue a certificate from a sub-ca which is not trusted (ca_file only points to root CA). In such case, the client must send its issuer certificate along in order to complete the chain and get verified. This works ok, however the OCSP verification is skipped in such case because we fail get issuer certificate (even if softfail is no). The first patch fix the above and treats this error as a soft failure. The second one attempts to get the issuer-certificate differently which works for this scenario (where the issuer isn't trusted). Note that eapol_test, unlike some other supplicants, doesn't send all the certificates from the client_cert file. However, it can be done with a little patch as follows: # git diff diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c index ce73848..d180343 100644 --- a/src/crypto/tls_openssl.c +++ b/src/crypto/tls_openssl.c @@ -2653,10 +2653,9 @@ static int tls_connection_client_cert(struct tls_connection *conn, return 0; } - if (SSL_use_certificate_file(conn->ssl, client_cert, - SSL_FILETYPE_PEM) == 1) { + if (SSL_use_certificate_chain_file(conn->ssl, client_cert)) { ERR_clear_error(); - wpa_printf(MSG_DEBUG, "OpenSSL: SSL_use_certificate_file (PEM)" + wpa_printf(MSG_DEBUG, "OpenSSL: SSL_use_certificate_chain_file (PEM)" " --> OK"); return 0; Configuration example: network={ ssid="1x-test" key_mgmt=IEEE8021X eap=TLS identity="bob" ca_cert="freeradius_ca_cert" client_cert="client_cert_and_issuer" private_key="key" private_key_passwd="pwd" eapol_flags=3 } Thanks, Isaac B.