OpenWrt Forum Archive

Topic: Wpa_supplicant and certificates

The content of this topic has been archived on 7 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi all, today I was working on a Fonera (2200 model) with OpenWRT 8.09.1.

My idea was to connect the fonera to a wireless network as client.
This wireless network uses WPA-EAP encryption with TLS.
So to connect I need to use a public key, a private key, a username and a password.

After flashing the firmware on the Fonera I connected to the LuCI interface by web, and I configured a new interface ath0 used in client mode, then I set the WPA-EAP and the TLS.
Then I can insert the private key and public key and the password but, unfortunately, not the username.
Indeed the connection does not seem to work.

So I thought: "I can anyway do it from shell". I've tried to copy the private key, the public key
and a wpa_supplicant.conf config file which looks like this:

ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
ap_scan=1
network={
ssid="internet"
proto=WPA
key_mgmt=WPA-EAP
auth_alg=OPEN
pairwise=TKIP
eap=TLS
anonymous_identity="S123456"
ca_cert="/etc/asi.cer"
private_key="/etc/Certificate.p12"
private_key_passwd="secret"
phase2="auth=MSCHAPV2"
}

Which is the same that I use on my laptop to connect to this wireless network.

Then I've tried to do:

wpa_supplicant -Dmadwifi -iath0 -c/etc/wpa_supplicant.conf

but I get a strange error like
"Error while parsing key file" or something similar, so I thought:

"Is Wpa_supplicant compiled on OpenWRT with TLS key file support?"

Maybe the answer is "no".

Yes, wpa_supplicant does support EAP-TLS and private/public key pairs, we are using it with OpenWrt 8.0.9.
Your configuration is close, but you should use 'identity' in place of 'anonymous_identity':

ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
ap_scan=1
network={
ssid="internet"
proto=WPA
key_mgmt=WPA-EAP
auth_alg=OPEN
pairwise=TKIP
eap=TLS
identity="S123456"
ca_cert="/etc/asi.cer"
private_key="/etc/Certificate.p12"
private_key_passwd="secret"
}

Also, use wext instead of madwifi

wpa_supplicant -Dwext -iath0 -c/etc/wpa_supplicant.conf

HTH
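The two replies above point at the same class of mistake: a wpa_supplicant.conf that is syntactically fine but semantically wrong for EAP-TLS (anonymous_identity without identity, a leftover phase2 line, a PKCS#12 bundle handed to a build that cannot read it). The following linter is an added example, not code from this thread or from the wpa_supplicant project; it parses the flat key=value syntax of a network block and reports those findings plus two hardening checks (missing ca_cert, deprecated WPA/TKIP). The embedded configuration is a constructed copy of the first poster's file.

```python
"""Lint a wpa_supplicant.conf for the EAP-TLS mistakes seen in this thread.

Added example, not code from the thread or from the wpa_supplicant project.
It parses the flat key=value syntax used inside network={ ... } and reports
findings a defender would want before deploying the file on a router.
"""

# Constructed sample: the first poster's configuration, which uses
# anonymous_identity instead of identity and carries a phase2 line.
SAMPLE_CONF = """\
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
ap_scan=1
network={
ssid="internet"
proto=WPA
key_mgmt=WPA-EAP
auth_alg=OPEN
pairwise=TKIP
eap=TLS
anonymous_identity="S123456"
ca_cert="/etc/asi.cer"
private_key="/etc/Certificate.p12"
private_key_passwd="secret"
phase2="auth=MSCHAPV2"
}
"""


def parse_conf(text):
    """Return (global_settings, [network_blocks]); quoted values are unquoted."""
    global_settings, networks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.replace(" ", "") == "network={":
            current = {}
            continue
        if line == "}":
            if current is None:
                raise ValueError("unbalanced '}' in wpa_supplicant.conf")
            networks.append(current)
            current = None
            continue
        key, sep, value = line.partition("=")  # first '=' only: values may contain '='
        if not sep:
            raise ValueError("malformed line: %r" % raw)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        target = global_settings if current is None else current
        target[key.strip()] = value
    if current is not None:
        raise ValueError("unterminated network={ block")
    return global_settings, networks


def lint_eap_tls(net):
    """Return a list of human-readable findings for one network block."""
    findings = []
    if net.get("eap") != "TLS":
        return findings
    if "identity" not in net:
        if "anonymous_identity" in net:
            findings.append("identity missing: anonymous_identity only sets the "
                            "outer, unprotected EAP name; EAP-TLS needs identity")
        else:
            findings.append("identity missing")
    if "phase2" in net:
        findings.append("phase2 is ignored by EAP-TLS; it selects the inner "
                        "method for PEAP/TTLS")
    if "ca_cert" not in net:
        findings.append("ca_cert missing: the RADIUS server certificate would "
                        "not be validated")
    key = net.get("private_key", "")
    if not key:
        findings.append("private_key missing")
    elif key.lower().endswith((".p12", ".pfx")):
        findings.append("private_key is a PKCS#12 bundle: needs a wpa_supplicant "
                        "built with the OpenSSL TLS provider, or convert it to PEM")
    if net.get("pairwise", "").upper() == "TKIP" or net.get("proto") == "WPA":
        findings.append("proto=WPA/pairwise=TKIP are deprecated; prefer proto=RSN "
                        "pairwise=CCMP where the network supports it")
    return findings


def lint_file(text):
    """Lint every network block; returns {ssid: [findings]}."""
    _, networks = parse_conf(text)
    return {net.get("ssid", "?"): lint_eap_tls(net) for net in networks}


if __name__ == "__main__":
    for ssid, findings in lint_file(SAMPLE_CONF).items():
        print("network %r:" % ssid)
        for f in findings or ["no findings"]:
            print("  -", f)
```

Run it against the file before copying it to /etc on the router; on the sample it reports the missing identity, the stray phase2 line, the PKCS#12 key and the TKIP cipher. The WPA/TKIP finding goes beyond what the thread discusses and is included only as a hardening check.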

The problem is another. Madwifi does not want to authenticate:

Automatic auth_alg selection: 0x1
Overriding auth_alg selection: 0x1
WPA: using IEEE 802.11i/D3.0
WPA: Selected cipher suites: group 8 pairwise 8 key_mgmt 1 proto 1
WPA: set AP WPA IE - hexdump(len=26): dd 18 00 50 f2 01 01 00 00 50 f2 02 01 00 00 50 f2 02 01 00 00 50 f2 01 28 00
WPA: set AP RSN IE - hexdump(len=22): 30 14 01 00 00 0f ac 02 01 00 00 0f ac 04 01 00 00 0f ac 01 28 00
WPA: using GTK TKIP
WPA: using PTK TKIP
WPA: using KEY_MGMT 802.1X
WPA: Set own WPA IE default - hexdump(len=24): dd 16 00 50 f2 01 01 00 00 50 f2 02 01 00 00 50 f2 02 01 00 00 50 f2 01
No keys have been configured - skip key clearing
wpa_driver_wext_set_drop_unencrypted
State: SCANNING -> ASSOCIATING
wpa_driver_wext_set_operstate: operstate 0->0 (DORMANT)
WEXT: Operstate: linkmode=-1, operstate=5
wpa_driver_wext_associate
ioctl[SIOCSIWMODE]: Invalid argument
ioctl[SIOCSIWGENIE]: Operation not supported
ioctl[SIOCSIWAP]: Operation not supported
Association request to the driver failed
Setting authentication timeout: 2 sec 0 usec
EAPOL: External notification - portControl=Auto
RSN: Ignored PMKID candidate without preauth flag
RSN: Ignored PMKID candidate without preauth flag
RTM_NEWLINK: operstate=0 ifi_flags=0x11003 ([UP][LOWER_UP])
Wireless event: cmd=0x8b04 len=12
RTM_NEWLINK: operstate=0 ifi_flags=0x11003 ([UP][LOWER_UP])
Wireless event: cmd=0x8b1a len=16

I found this thread searching on the forum a solution to my problem of trying to connect my Fonera to a wireless network protected by a certificate. I tried the solutions posted (using wext instead of madwifi, and identity instead of anonymous_identity), but this didn't solve the problem.

Here is some info about the errors:
Trying to connect with madwifi

root@OpenWrt:/# wpa_supplicant -Dmadwifi -iath0 -c/etc/wpa_supplicant.conf
Associated with 00:1a:30:2e:b8:61
Authentication with 00:1a:30:2e:b8:61 timed out.
CTRL-EVENT-SCAN-RESULTS 
Trying to associate with 00:1a:30:2e:b8:61 (SSID='internet' freq=2412 MHz)
CTRL-EVENT-DISCONNECTED - Disconnect event - remove keys
CTRL-EVENT-DISCONNECTED - Disconnect event - remove keys
Associated with 00:1a:30:2e:b8:61
CTRL-EVENT-EAP-STARTED EAP authentication started
TLSv1: Failed to parse private key
TLS: Failed to load private key
TLS: Failed to set TLS connection parameters
EAP-TLS: Failed to initialize SSL.
EAP: Failed to initialize EAP method: vendor 0 method 13 (TLS)
CTRL-EVENT-DISCONNECTED - Disconnect event - remove keys
^CCTRL-EVENT-TERMINATING - signal 2 received
root@OpenWrt:/#

Trying to connect with wext:

root@OpenWrt:/# wpa_supplicant -Dwext -iath0 -c/etc/wpa_supplicant.conf
CTRL-EVENT-SCAN-RESULTS 
Trying to associate with 00:1a:30:2e:b8:61 (SSID='internet' freq=2412 MHz)
CTRL-EVENT-SCAN-RESULTS 
Associated with 00:1a:30:2e:b8:61
CTRL-EVENT-EAP-STARTED EAP authentication started
TLSv1: Failed to parse private key
TLS: Failed to load private key
TLS: Failed to set TLS connection parameters
EAP-TLS: Failed to initialize SSL.
EAP: Failed to initialize EAP method: vendor 0 method 13 (TLS)
^CCTRL-EVENT-TERMINATING - signal 2 received
root@OpenWrt:/#

Wireless configuration during tests:

root@OpenWrt:/# cat /etc/config/wireless 

config 'wifi-device' 'wifi0'
    option 'type' 'atheros'
    option 'channel' 'auto'
    option 'diversity' '0'

config 'wifi-iface'
    option 'device' 'wifi0'
    option 'ssid' 'internet'
    option 'network' 'wan'
    option 'mode' 'sta'
    option 'encryption' 'none'

My wpa_supplicant.conf is almost identical to that already posted in this thread.

Any idea about what's going wrong?

Your wifi-iface doesn't appear to have a valid setup for EAP-TLS,
I'm using something like this, along with the wpa_supplicant.conf I've described above:

config 'wifi-iface'
    option 'device' 'wifi0'
    option 'network' 'wan'
    option 'ssid' 'internet'
    option 'mode' 'sta'
    option 'encryption' 'wpa'
    option 'identity' 'myidentity@somewhere.com'
    option 'ca_cert' '/etc/config/ssl/ca.pem'
    option 'priv_key' '/etc/config/ssl/user1.pfx'
    option 'priv_key_pwd' 'my-priv-key-passwd'
    option 'eap' 'TLS'

Ok, I tried to configure the interface as you said, but it still doesn't work. Therefore I went on trying to connect from an ssh shell to be able to see the wpa_supplicant debug messages. I also compared the results with the one obtained running wpa_supplicant on a Kubuntu PC which connects successfully with the same certificate.

I omitted the first part of the logs, beginning only when they differ.
This is the log on openwrt:

EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=2 method=13 vendor=0 vendorMethod=0
EAP: EAP entering state GET_METHOD
EAP: Initialize selected EAP method: vendor 0 method 13 (TLS)
TLSv1: Converting PEM format certificate into DER format
X509: Extension: extnID=2.5.29.14 critical=0
X509: Extension: extnID=2.5.29.35 critical=0
X509: Extension: extnID=2.5.29.19 critical=0
X509: BasicConstraints - cA=255
TLSv1: Added certificate: C=IT, ST=Italy, L=xxx, O=xxx, OU=xxx,
RSA: Expected zero INTEGER in the beginning of private key; not found
TLSv1: Failed to parse private key
TLS: Failed to load private key
TLS: Failed to set TLS connection parameters
EAP-TLS: Failed to initialize SSL.
TLSv1: Selected cipher suite: 0x0000
TLSv1: Record Layer - New write cipher suite 0x0000
TLSv1: Record Layer - New read cipher suite 0x0000
EAP: Failed to initialize EAP method: vendor 0 method 13 (TLS)
EAP: Building EAP-Nak (requested type 13 vendor=0 method=0 not allowed)
EAP: allowed methods - hexdump(len=0):
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE

While this is the log on Kubuntu:

EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=2 method=13 vendor=0 vendorMethod=0
EAP: EAP entering state GET_METHOD
EAP: Initialize selected EAP method: vendor 0 method 13 (TLS)
TLS: using phase1 config options
TLS: Trusted root certificate(s) loaded
OpenSSL: tls_connection_private_key - SSL_use_PrivateKey_File (DER) failed error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
OpenSSL: pending error: error:0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested asn1 error
OpenSSL: pending error: error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
OpenSSL: pending error: error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib
OpenSSL: pending error: error:140CB00D:SSL routines:SSL_use_PrivateKey_file:ASN1 lib
OpenSSL: tls_connection_private_key - SSL_use_PrivateKey_File (PEM) failed error:0906D06C:PEM routines:PEM_read_bio:no start line
OpenSSL: pending error: error:140CB009:SSL routines:SSL_use_PrivateKey_file:PEM lib
TLS: Successfully parsed PKCS12 data
TLS: Got certificate from PKCS12: subject='/C=IT/ST=Italy/L=xxx/O=xxx/OU=xxx/CN=xxx'
TLS: Got private key from PKCS12
TLS: additional certificate from PKCS12: subject='/C=IT/ST=Italy/L=xxx/O=xxx/OU=xxx'
OpenSSL: Reading PKCS#12 file --> OK
SSL: Private key loaded successfully
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
EAP: EAP entering state METHOD

As you can see the first different line is the one that starts with TLSv1 on openwrt and with TLS on Kubuntu.
In addition the first error printed by wpa_supplicant is this:
RSA: Expected zero INTEGER in the beginning of private key; not found

It looks like wpa_supplicant fails loading the certificate. What can be wrong?

Are you using openssl as the TLS provider for wpa_supplicant?

If not, under the wpa_supplicant package, select openssl as your TLS provider; the internal TLS support has trouble reading some certificate/key file formats.
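The two logs make the failure mechanical rather than mysterious: the OpenWrt build's own TLS code says "Expected zero INTEGER in the beginning of private key", i.e. it wants a structure whose first element is INTEGER 0 (a PKCS#1 RSAPrivateKey or a PKCS#8 PrivateKeyInfo), while the Kubuntu build tries DER, then PEM, then succeeds with "parsed PKCS12 data". A PKCS#12 PFX begins with INTEGER 3, so the first check can never pass on Certificate.p12. The small DER sniffer below is an added example, not code from this thread or from wpa_supplicant; it only reads the outer container to tell these formats apart and does not validate the key. All sample byte strings are constructed with dummy contents.

```python
"""Identify the container format of a private-key file before handing it to
wpa_supplicant.

Added example, not code from the thread or from wpa_supplicant. The OpenWrt
log above shows the built-in TLS code rejecting the key with "Expected zero
INTEGER in the beginning of private key", i.e. it expected a structure whose
first element is INTEGER 0 (PKCS#1 RSAPrivateKey or PKCS#8 PrivateKeyInfo).
A PKCS#12 bundle starts with INTEGER 3, so that check fails. The minimal DER
reader below is enough to tell these containers apart; it does not validate
the key itself. The sample byte strings are constructed, not real keys.
"""


def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; returns (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length


def version_integer(data):
    """Return the leading INTEGER inside the outer SEQUENCE, or None.

    This is the value the OpenWrt log's parser insisted must be zero."""
    if not data or data[0] != 0x30:
        return None
    _, seq, _ = _read_tlv(data, 0)
    tag, value, _ = _read_tlv(seq, 0)
    return int.from_bytes(value, "big") if tag == 0x02 else None


def sniff_key_format(data):
    """Classify bytes as PEM, PKCS#1, PKCS#8, SEC1 EC, PKCS#12 or unknown."""
    stripped = data.lstrip()
    if stripped.startswith(b"-----BEGIN "):
        header = stripped.split(b"\n", 1)[0]
        label = header[len(b"-----BEGIN "):].rstrip(b"-").strip()
        return "PEM (%s)" % label.decode("ascii", "replace")
    version = version_integer(data)
    if version is None:
        return "unknown"
    _, seq, _ = _read_tlv(data, 0)
    _, _, after_version = _read_tlv(seq, 0)
    next_tag = seq[after_version] if after_version < len(seq) else None
    if version == 0 and next_tag == 0x02:   # version, modulus, ...
        return "PKCS#1 RSAPrivateKey (DER)"
    if version == 0 and next_tag == 0x30:   # version, AlgorithmIdentifier, ...
        return "PKCS#8 PrivateKeyInfo (DER)"
    if version == 1 and next_tag == 0x04:   # version, privateKey OCTET STRING
        return "SEC1 ECPrivateKey (DER)"
    if version == 3 and next_tag == 0x30:   # version, authSafe ContentInfo
        return "PKCS#12 PFX (DER)"
    return "unknown DER (version %d)" % version


def _der(tag, content):
    """Encode one DER element (used only to build the constructed samples)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


# Constructed samples with the right outer structure and dummy contents.
RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"         # 1.2.840.113549.1.1.1
PKCS7_DATA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x01"  # 1.2.840.113549.1.7.1
SAMPLE_PKCS1 = _der(0x30, _der(0x02, b"\x00") + _der(0x02, b"\x0b") + _der(0x02, b"\x03"))
SAMPLE_PKCS8 = _der(0x30, _der(0x02, b"\x00")
                    + _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))
                    + _der(0x04, SAMPLE_PKCS1))
SAMPLE_PKCS12 = _der(0x30, _der(0x02, b"\x03")
                     + _der(0x30, _der(0x06, PKCS7_DATA_OID)))
SAMPLE_PEM = b"-----BEGIN RSA PRIVATE KEY-----\nMIIB\n-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    for name, blob in [("pkcs1", SAMPLE_PKCS1), ("pkcs8", SAMPLE_PKCS8),
                       ("pkcs12", SAMPLE_PKCS12), ("pem", SAMPLE_PEM)]:
        print(name, "->", sniff_key_format(blob), "version:", version_integer(blob))
```

If rebuilding the package with the OpenSSL provider is not an option, the alternative is to split the bundle on a workstation with `openssl pkcs12 -in Certificate.p12 -nocerts -out key.pem` and `openssl pkcs12 -in Certificate.p12 -clcerts -nokeys -out cert.pem`, point `private_key` at the PEM key and add `client_cert` for the certificate, and keep the key file mode 600 on the router, since it is the credential the network trusts.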

First of all thank you for the support,
how do I select openssl as TLS provider?

make menuconfig
Select Network | wpa-supplicant | Choose TLS provider --->  (x) openssl
make

I compiled wpa_supplicant with the configuration you suggested me, however, it behaves in a curious way:
- If I flash the fonera with the OpenWrt firmware compiled together with the wpa_supplicant package, it works and I can connect to the wireless network.
- If I install the wpa_supplicant .ipk file on an OpenWrt or x-wrt firmware downloaded from the internet it fails with a lot of ioctl errors. (Yes, I installed the required dependencies openssl and zlib)
Do you know why this happens?

Anyway, thanks a lot for the help, at least now I can connect to the wireless network.

I have 3 sites that I need to connect to (mobile application) which are all EAP-TLS WPA2, can I have 3 SSIDs and 3 sets of certs with the router trying to auth with each? I would also like to be able to connect to open (public) hotspots etc.

A big ask?

The discussion might have continued from here.