Problem EAP-TLS with Android

clement.legoffic at kelio.com
Tue Mar 14 15:31:09 UTC 2023


Hello

I set up a FreeRADIUS server to do EAP-TLS with Android devices (FreeRADIUS 3.2.x).

I use the default config for EAP-TLS with the default Makefile for certs and keys.
I use OpenSSL version 3.0.2 (and I have tried with OpenSSL 1.1.1t).
I have tested with two Android versions, 10 and 13.

I get an error using the client key and cert on Android (and only on it).
With the same key and cert it works on an embedded Linux and on Windows.

With OpenSSL version 3.0.2, I must use the "-legacy" option on the openssl pkcs12 command line to be able to natively import a p12 file (not in OpenSSL 1.1.1t).
Indeed, in OpenSSL 3.0.x they removed old algorithms, as stated here:
https://stackoverflow.com/questions/71872900/installing-pcks12-certificate-in-android-wrong-password-bug

Then, even when using "-legacy" on OpenSSL 3.0.2 or using OpenSSL 1.1.1 to create the p12 container, I can't use the imported keys on my Android phone.
When I try to connect to my FreeRADIUS network I get the following in adb logcat (phone side):

wpa_supplicant: TLS - SSL error: error:0900006e:PEM routines:OPENSSL_internal:NO_START_LINE

So, as using the default keys and cert with the two OpenSSL LTS versions does not work with my FreeRADIUS 3.2.0 setup, what is your configuration for your Android devices?

Thanks
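
Added example (not part of the original message and not FreeRADIUS project code): a shell script that exports a throwaway identity to PKCS#12 twice and prints the MAC and encryption algorithms of each file, which is the difference the "-legacy" option mentioned above is about. The password, subject and file names are constructed, and the explicit SHA1/3DES options are an assumption standing in for "-legacy" so that the script also runs on OpenSSL 1.1.1.

```shell
#!/bin/sh
# Added example, not from the original post. Password, subject and file
# names are constructed; run it in a scratch directory.
PW=test1234   # constructed throwaway password

# Create a throwaway RSA key and self-signed certificate (key.pem, cert.pem).
make_test_identity() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=eap-tls-test-client" \
        -keyout key.pem -out cert.pem 2>/dev/null
}

# export_p12 <out.p12> [extra "openssl pkcs12 -export" options...]
export_p12() {
    out=$1; shift
    openssl pkcs12 -export -inkey key.pem -in cert.pem -name test-client \
        -passout "pass:$PW" -out "$out" "$@"
}

# p12_algs <file.p12>: print the MAC and encryption algorithm lines.
# "openssl pkcs12 -info" writes these to stderr, hence the 2>&1.
p12_algs() {
    openssl pkcs12 -in "$1" -passin "pass:$PW" -info -noout 2>&1 |
        grep -E '^(MAC:|PKCS7 Encrypted data:|Shrouded Keybag:)'
}

# Export once with the installed OpenSSL's defaults and once with explicit
# SHA1/3DES protection, then show what each container uses.
compare_exports() {
    make_test_identity || return 1
    export_p12 default.p12 || return 1
    # Assumption: SHA1/3DES picked as pre-3.0 style algorithms that need
    # no legacy provider; this is not the exact algorithm set of "-legacy".
    export_p12 compat.p12 -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES \
        -macalg sha1 || return 1
    echo "== default.p12"; p12_algs default.p12
    echo "== compat.p12";  p12_algs compat.p12
}
```

Calling compare_exports in an empty directory prints the algorithm lines for both files; p12_algs can also be pointed at a container produced by the FreeRADIUS certs Makefile after setting PW to that file's export password.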



