Bug 11182 - (int-194004) EAP-TLS warning "certificate not valid currently"
Status: RESOLVED WORKSFORME
Product: Connectivity
Component: WiFi
Version: 5.0:(10.2010.19-1)
Platform: N900 Maemo
Importance: Unspecified normal
Target Milestone: 5.0/(20.2010.36-2)
Assigned To: unassigned
QA Contact: wifi-bugs
Reported: 2010-08-23 22:31 UTC by satmd
Modified: 2010-11-08 17:14 UTC

Attachments
Relevant parts of syslog (11.65 KB, text/plain), 2010-08-24 12:58 UTC, satmd

Description satmd (reporter) 2010-08-23 22:31:01 UTC
SOFTWARE VERSION:
(Settings > General > About product)

EXACT STEPS LEADING TO PROBLEM: 
(Explain in detail what you do (e.g. tap on OK) and what you see (e.g. message
Connection Failed appears))

Try to connect to a EAP-TLS secured network with certificates.


EXPECTED OUTCOME:

Connection established without error notifications.

ACTUAL OUTCOME:

Connection established AFTER confirming a notification saying the radius
server's certificate was "not currently valid", asking me to set up the clock.

REPRODUCIBILITY:
(always, less than 1/10, 5/10, 9/10)
always

EXTRA SOFTWARE INSTALLED:
Having this problem even after a complete reflashing.

OTHER COMMENTS:

Details about the setup: radius is a freeradius 2.x, access point a netgear
wnap210. Clocks on all systems (incl. n900!) checked and confirmed to work as
exact as 1-2 seconds max apart.

The certificates are self-made with a full CA chain including root CA, machines
CA (and a not used people CA). All machine certificates (n900, radius, laptop)
are not expired (valid Aug 10 2010 through Aug 11 2011).

A laptop using networkmanager (and wpa_supplicant) just connects fine.

I've run all the tests on the setup I could think of... clocks, expired
certificates, CRLs, configuration of freeradius.

My current "workaround" is to just use WPA-PSK, but this isn't a long-term
option.

I'm well prepared to use tools like tcpdump on this problem if needed.

Comment 1 Andre Klapper maemo.org 2010-08-23 22:35:20 UTC
Hi satmd, thanks for reporting this!

Let's try with a syslog first...

Can you please provide a syslog (see
http://wiki.maemo.org/Documentation/devtools/maemo5/syslog and
http://wiki.maemo.org/Documentation/devtools/maemo5#Installation for more
information) and then enable the wlancond debugging with the two commands

gconftool-2 --set --type int '/system/osso/connectivity/IAP/wlancond_debug_level' '2'
killall wlancond

and after this if you are able to reproduce this attach the /var/log/syslog
file from the device here.
Comment 2 satmd (reporter) 2010-08-23 23:09:44 UTC
Well, I can't copy the log easily from the n900 - will attach it later when I
have access to a USB cable again, but there's one line specifically alerting
me:

some lines about other certificates not being valid (anymore) and then...
...date... EAP[..]: Server certificate not valid (unable to get local issuer
certificate).

Yet, I installed both the root CA and the machines CA into certman.
Comment 3 satmd (reporter) 2010-08-23 23:23:17 UTC
There's not much difference in logic with what wpa_supplicant is doing.

In freeradius' logs I can see an Access-Challenge sent to the client (maybe
asking for renegotiation for a certificate - I'm not sure I understand that part
correctly), the n900 displays the message, clicking 'done', it starts another
round of radius communication that succeeds.
Comment 4 Lucas Maneos 2010-08-24 02:31:12 UTC
(In reply to comment #2)
> some lines about other certificates not being valid (anymore) and then...
> ...date... EAP[..]: Server certificate not valid (unable to get local issuer
> certificate).
> 
> Yet, I installed both the root CA and the machines CA into certman.

Hm, that's an OpenSSL error message.  Just a hunch, does the workaround from
bug 9355 improve things?
Comment 5 satmd (reporter) 2010-08-24 12:58:40 UTC
Created an attachment (id=3049)
Relevant parts of syslog

The syslog of the connection attempt,

Real ESSID/BSSID replaced with fake ones.
Comment 6 satmd (reporter) 2010-08-24 14:16:28 UTC
Supposed workarounds from bug #9355 did not help.
Comment 7 Andre Klapper maemo.org 2010-08-26 19:59:14 UTC
Daniel, can you take a look at this?
Any idea if this is a Maemo software bug or some other configuration issue?
Comment 8 Andre Klapper maemo.org 2010-08-30 14:08:37 UTC
From syslog:

EAP[4486]: certman_main.cpp(174): ERROR Invalid certificate '/C=US/O=RSA Data
Security, Inc./OU=Secure Server Certification Authority'
EAP[4486]: certman_main.cpp(174): ERROR Invalid certificate '/C=US/O=GeoTrust
Inc./OU=(c) 2007 GeoTrust Inc. - For authorized use only/CN=GeoTrust Primary
EAP[4486]: certman_main.cpp(174): ERROR Invalid certificate
'/C=WW/O=beTRUSTed/CN=beTRUSTed Root CAs/CN=beTRUSTed Root CA'                  
EAP[4486]: certman_main.cpp(174): ERROR Invalid certificate
'/C=ES/ST=BARCELONA/L=BARCELONA/O=IPS Seguridad CA/OU=Certificaciones/CN=IPS
SERVIDORES/emailAd
EAP[4486]: certman_main.cpp(174): ERROR Invalid certificate '/C=GB/ST=Greater
Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Certification Authorit
EAP[4486]: certman_main.cpp(174): ERROR Invalid certificate '/C=US/O=thawte,
Inc./OU=(c) 2007 thawte, Inc. - For authorized use only/CN=thawte Primary Root
EAP[4486]: certman_main.cpp(174): ERROR Invalid certificate '/C=US/O=VeriSign,
Inc./OU=VeriSign Trust Network/OU=(c) 2007 VeriSign, Inc. - For authorized u
wlancond[4314]: Wlancond state change, old_state:
WLAN_INITIALIZED_FOR_CONNECTION, new_state: WLAN_NO_ADDRESS
EAP[4486]: Server certificate not valid (error 20=unable to get local issuer
certificate)

I wonder if there is any relation to bug 7764...
Comment 9 satmd (reporter) 2010-08-30 17:51:55 UTC
I've tried some more configuration combinations
* hostapd as replacement for freeradius on the router
* Patched iwlagn master mode support into my laptop and tried setting up
eap-tls with hostapd there

But neither helped or got any new information.

As for #7764 ... I tried moving all expired certificates out of /etc/. Some of
the error messages went away, but not all and there were new messages about
missing certificates. Since I could not successfully eliminate the expired
certificates, I neither can confirm nor deny a relation to #7764.

My main problem did not disappear from this, so I restored the previous
configuration.

I'm really poking in the dark here. I've even tried switching openssl versions
1.0.0a/0.9.8. I've read about changes related to the renegotiation
vulnerabilities discovered earlier this year (last year?). I dunno whether those
can make the radius server fail. But there's hardly usable information in
syslog.

The server certificates have a keyUsage of SSL Server and SSL Client.  Which
keyUsage and or other attributes does the IAP expect?

I think I'll start playing with some new CA setups while waiting for feedback.
Comment 10 satmd (reporter) 2010-09-22 23:32:36 UTC
Did a complete reflash including emmc.

By accident, I set the wrong year (2009) and got the same message when trying
to import the certificate as a yellow banner notification. Changing the date to
2010 made THAT message go away, but not my original problem.
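Added example, not part of the bug report and not Maemo, certman or FreeRADIUS code. It ties together three points from the thread: the decisive syslog line in comment 8 ("error 20=unable to get local issuer certificate"), the keyUsage question in comment 9, and the clock banner in comment 10. OpenSSL verify error 20 means the client could not build a path from the server certificate to a trusted issuer; it is not a time error, which OpenSSL reports as code 9 (not yet valid) or 10 (expired). A certificate the device cannot chain to a trusted root is also exactly what an impostor RADIUS server would present, so a dialog that lets the user tap through such a failure as a "clock problem" deserves attention. The script builds a constructed root CA -> machines CA -> server chain (all names and the `ext.cnf` profiles are invented here), then runs `openssl verify` four ways: root only with a bare leaf (error 20, the reporter's case when the intermediate is not available to the client), root plus the intermediate (OK), the same chain evaluated with `-attime` set to 2009 (what a wrong clock actually produces), and the `sslserver` purpose check against a server certificate and a client-only one. It assumes a local `openssl` binary, version 1.0.2 or later for `-attime`; the parsing of the verify output is this example's own.

```shell
#!/bin/sh
# Added example (not from the bug report, Maemo or FreeRADIUS): constructed
# root CA -> machines CA -> RADIUS server chain, then the OpenSSL verify error
# codes that a supplicant would see in the situations discussed in the thread.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension profiles for the constructed certificates (names are arbitrary).
cat > ext.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
[ clientonly ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
EOF

# issue NAME ISSUER SECTION: new key + CSR for NAME, signed by ISSUER's key
# with the extension SECTION from ext.cnf.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$1" -config ext.cnf 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
    -days 365 -extfile ext.cnf -extensions "$3" -out "$1.pem" 2>/dev/null
}

# Self-signed root, an intermediate "machines CA" like the reporter's, and two
# leaves: a server certificate with serverAuth+clientAuth and a client-only one.
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
  -days 365 -subj "/CN=Example Root CA" -config ext.cnf -extensions ca 2>/dev/null
issue machines-ca root ca
issue radius.example.test machines-ca server
issue client-only machines-ca clientonly

# verify_code LEAF [openssl verify options...]
# Prints the first X509 verify error code OpenSSL reports, or 0 when the chain
# verifies. The output is parsed instead of the exit status because 1.0.x
# builds of "openssl verify" exit 0 even when verification fails.
verify_code() {
  leaf=$1; shift
  out=$(openssl verify "$@" "$leaf" 2>&1 || true)
  code=$(printf '%s\n' "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
  if [ -z "$code" ]; then
    case $out in *": OK"*) code=0 ;; *) code=-1 ;; esac
  fi
  printf '%s\n' "$code"
}

LEAF=radius.example.test.pem
# 1. Only the root is trusted and the client has no intermediate: error 20,
#    the code from the syslog in comment 8. Nothing about time is involved.
echo "root only, no intermediate:      $(verify_code "$LEAF" -CAfile root.pem)"
# 2. The intermediate is available (sent by the server or installed on the
#    client): the same leaf verifies.
echo "root + untrusted intermediate:   $(verify_code "$LEAF" -CAfile root.pem -untrusted machines-ca.pem)"
# 3. Same full chain evaluated at 2009-01-01: a genuine clock problem yields
#    error 9 (not yet valid), not error 20.
echo "full chain, clock set to 2009:   $(verify_code "$LEAF" -CAfile root.pem -untrusted machines-ca.pem -attime 1230768000)"
# 4. The sslserver purpose check: serverAuth in the EKU passes, a client-only
#    certificate fails with error 26 (unsupported certificate purpose).
echo "sslserver purpose, server cert:  $(verify_code "$LEAF" -CAfile root.pem -untrusted machines-ca.pem -purpose sslserver)"
echo "sslserver purpose, client-only:  $(verify_code client-only.pem -CAfile root.pem -untrusted machines-ca.pem -purpose sslserver)"
```

Expected codes are 20, 0, 9, 0 and 26 in that order. The check to run against a real setup is case 1 versus case 2: capture the server's EAP-TLS certificate message, or inspect the file FreeRADIUS serves, and confirm either that the intermediate CA certificate travels with the server certificate or that it is installed as a trusted issuer on the client. The `sslserver` purpose is OpenSSL's requirement (serverAuth in the EKU when one is present, plus digitalSignature or keyEncipherment in keyUsage), not a statement of what the Maemo IAP code checks, which the thread leaves open.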
Comment 11 satmd (reporter) 2010-10-31 03:18:37 UTC
Problem disappeared with the latest firmware image
Comment 12 Andre Klapper maemo.org 2010-11-08 17:14:49 UTC
Thanks for the update & glad it works for you now!