[ttls] <<< TLS 1.0 Alert [length 0002], fatal bad_certificate

Alan DeKok aland at deployingradius.com
Sat Mar 1 16:13:16 CET 2014


Ben wrote:
> There's nothing wrong with the certs, they work perfectly well with
> EAP-TLS.

  That doesn't necessarily mean anything.  Some vendors have completely
different implementations for the various EAP methods.

  If they were sane, they would all just use wpa_supplicant, which is
BSD licensed.  It's about as perfect as software gets.

> If you've got ideas for debugging an Amazon Paperwhite, I'd love to hear
> them!

  Change the certs.

  Make test certs.  SIMPLE ones.  Small keys.  See if that works.

  The problem may be that the device doesn't like the certs.  I've seen
that before.  The vendor tests with *their* idea of the certs, and "it
works, so ship it".  Then people use different certs, and nothing works.

  But as always, don't blame FR.  It's just passing SSL stuff between
the device and OpenSSL.  If the SSL magic doesn't work, then (a) the
client is broken, or (b) OpenSSL is broken.

  Alan DeKok.
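
The test-certificate step suggested above, as an added example that is not part of the original post: POSIX shell functions that build a throwaway CA and one minimal server certificate with the `openssl` command line and check that the pair verifies. The 2048-bit default key size, SHA-256, the 30-day validity, the subject names and the file names are all assumptions; the post gives none of them.

```shell
# Added example: throwaway CA plus one server certificate for EAP testing.
# Assumed, not from the post: key size, digest, validity, names, file layout.

make_test_certs() {
    dir=$1
    bits=${2:-2048}
    mkdir -p "$dir" || return 1
    # Private config so the result does not depend on the system openssl.cnf.
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Test EAP CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    # Self-signed test CA, key left unencrypted.
    openssl req -x509 -new -newkey "rsa:$bits" -nodes -sha256 -days 30 \
        -config "$dir/ca.cnf" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1
    # Server key and signing request.
    openssl req -new -newkey "rsa:$bits" -nodes -sha256 \
        -config "$dir/ca.cnf" -subj "/CN=radius.test.example" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null || return 1
    # Only two extensions: not a CA, usable as a TLS server.
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' \
        > "$dir/server.ext"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca.key" -set_serial 1 -sha256 -days 30 \
        -extfile "$dir/server.ext" -out "$dir/server.pem" 2>/dev/null
}

# Succeeds when the server certificate chains to the test CA as a TLS server.
verify_test_certs() {
    openssl verify -CAfile "$1/ca.pem" -purpose sslserver "$1/server.pem" \
        >/dev/null 2>&1
}

# Prints the RSA key size, in bits, of the certificate given as $1.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Stand-alone use: sh make-test-certs.sh OUTPUT_DIR [KEY_BITS]
if [ -n "$1" ]; then make_test_certs "$1" "$2" && verify_test_certs "$1"; fi
```

To try them, point the `certificate_file`, `private_key_file` and `ca_file` settings in the TLS section of the FreeRADIUS EAP module at `server.pem`, `server.key` and `ca.pem`, and install `ca.pem` on the device as the trusted CA.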

