LinuxQuestions.org
Old 12-21-2007, 09:11 PM   #1
lindope
LQ Newbie
 
Registered: Aug 2007
Location: Washington State
Distribution: openSUSE 10.3 & 11.0
Posts: 9

Rep: Reputation: 0
wpa_supplicant and multiple certificates


I am attempting to connect to my university's network which uses:
128-bit rotating dynamic WEP keys and EAP-TTLS/PAP and server-only certificates.
I am using wpa_supplicant.

The university provides two certificates which I understand are chosen randomly.

I have seen talk here about the ca_cert2="/blah" setting and am I correct that is only for setting the certificate for the phase2 (i.e. PAP) level?

How do I designate two certificates otherwise?

Konqueror and KCertPart indicate the two certificates provided by the U are DEM, PEM, or Netscape encoded X.509 type. They have .cer extensions. I tried concatenating them into one using the openssl 'cat' command and designating both.pem as the output but here is what I get from wpa_supplicant with ca_cert="/etc/cert/both.pem" and -d set:

Code:
CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected
OpenSSL: tls_connection_ca_cert - Failed to load root certificates error:00000000:lib(0):func(0):reason(0)
OpenSSL: tls_load_ca_der - Failed load CA in DER format error:0B07C065:x509 certificate routines:X509_STORE_add_cert:cert already in hash table
OpenSSL: tls_connection_handshake - Failed to read possible Application Data error:00000000:lib(0):func(0):reason(0)
CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
CTRL-EVENT-CONNECTED - Connection to 00:14:f2:da:1f:d0 completed (reauth) [id=0 id_str=]

While it does authenticate, I am unsure why the fail to load error, is this not a problem? Or, is it allowing me to authenticate because I've also imported the certificates to my system using Kleopatra? (note: cert already in hash table) Or, is it really reading them and I just don't see it because I only set -d and not -dd?

I would like to know if there is a way to call either/both certificates, perhaps
ca_cert="/etc/cert/cert1.cer, /etc/cert/cert2.cer"

Also, what is the ca_path="/etc/cert/" command used for?

Sorry for a lot of questions, but I have searched for days on some documentation on multiple certificates and have come up empty handed...

lindope
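
As an added example (not part of the original posts, and not wpa_supplicant code): wpa_supplicant's ca_cert takes one file that may hold several trusted CA certificates as concatenated PEM blocks, so two .cer files of uncertain encoding can be normalised into one bundle instead of being joined byte-for-byte. The Python sketch below does that and drops repeated certificates; the file names and the certificate bytes are constructed stand-ins, not real certificates.

```python
import hashlib
import ssl

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"

# Constructed stand-ins: DER-shaped byte strings, NOT real certificates.
CERT1_DER = b"\x30\x82\x01\x0a" + b"constructed-ca-one" * 4
CERT2_DER = b"\x30\x82\x01\x0a" + b"constructed-ca-two" * 4
SAMPLE = {  # hypothetical file names -> file contents
    "cert1.cer": CERT1_DER,                                      # DER on disk
    "cert2.cer": ssl.DER_cert_to_PEM_cert(CERT2_DER).encode(),   # PEM on disk
    "cert1-copy.cer": CERT1_DER,                                 # duplicate
}


def to_der_list(data: bytes) -> list:
    """Return every certificate in one file as DER bytes (input PEM or DER)."""
    text = data.decode("ascii", errors="ignore")
    if PEM_BEGIN not in text:
        # A DER certificate is an ASN.1 SEQUENCE, so it starts with tag 0x30.
        if not data.startswith(b"\x30"):
            raise ValueError("neither PEM nor DER certificate data")
        return [data]
    ders = []
    for chunk in text.split(PEM_BEGIN)[1:]:
        if PEM_END not in chunk:
            raise ValueError("truncated PEM block")
        body = chunk.split(PEM_END)[0]
        ders.append(ssl.PEM_cert_to_DER_cert(PEM_BEGIN + body + PEM_END))
    return ders


def build_bundle(files: dict):
    """Return (PEM bundle text, names of files whose certificate was a repeat)."""
    seen, parts, skipped = set(), [], []
    for name, data in files.items():
        for der in to_der_list(data):
            digest = hashlib.sha256(der).hexdigest()
            if digest in seen:
                skipped.append(name)
                continue
            seen.add(digest)
            parts.append(ssl.DER_cert_to_PEM_cert(der))
    return "".join(parts), skipped


if __name__ == "__main__":
    bundle, skipped = build_bundle(SAMPLE)
    print(bundle, end="")
    print("skipped duplicates:", skipped)
```

The returned bundle text is what would be written to a file such as the thread's /etc/cert/both.pem and referenced from ca_cert.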
 
Old 12-30-2007, 11:22 AM   #2
Brian1
LQ Guru
 
Registered: Jan 2003
Location: Seymour, Indiana
Distribution: Distribution: RHEL 5 with Pieces of this and that. Kernel 2.6.23.1, KDE 3.5.8 and KDE 4.0 beta, Plu
Posts: 5,700

Rep: Reputation: 65
Found this from a quick google search. http://64.233.167.104/linux?q=cache:...lnk&cd=1&gl=us
Also this may help as well. http://hostap.epitest.fi/wpa_supplic...configure.html

Let us know if any helps.
Brian
 
Old 12-30-2007, 02:36 PM   #3
lindope
LQ Newbie
 
Registered: Aug 2007
Location: Washington State
Distribution: openSUSE 10.3 & 11.0
Posts: 9

Original Poster
Rep: Reputation: 0
I appreciate the effort Brian, but there is nothing there regarding multiple certificates. I have considered looking into xsupplicant to see if it handles certificates differently but was hoping wpa_supplicant would handle it.

I have googled extensively to no avail regarding multiple certificates. I probably should leave well enough alone. I've got the connection working, and once I shut off debug I don't see the read errors. I just thought there might be a better way to implement the dual certificates, but I guess not too many are using that. Thanks again.

The larger concern I have now is automating two different configurations, one for home, one for school. I still haven't figured out the xinetd.d in this SuSE. If someone has a script for choosing ifconfig settings it would help as I'm still too newb to be proficient at scripts.

Also/or, (probably fodder for a new thread) how to get wpa_gui to run as non-root.

lindope
 
Old 12-30-2007, 03:13 PM   #4
Brian1
LQ Guru
 
Registered: Jan 2003
Location: Seymour, Indiana
Distribution: Distribution: RHEL 5 with Pieces of this and that. Kernel 2.6.23.1, KDE 3.5.8 and KDE 4.0 beta, Plu
Posts: 5,700

Rep: Reputation: 65
Never seen anything quite like that so I would contact the wpa_supplicant team and ask them for a possible configuration setup. If you figure it out post back.

Brian
 
  

