
I'm trying to connect a Raspberry Pi to an EAP-TLS Wi-Fi access point. The connection fails:

wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
OpenSSL: tls_read_pkcs12 - Failed to use PKCS#12 file error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
OpenSSL: pending error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
OpenSSL: tls_connection_private_key - Failed to load private key error:00000000:lib(0):func(0):reason(0)
TLS: Failed to load private key '/etc/ssl/private/demo.key'
TLS: Failed to set TLS connection parameters
EAP-TLS: Failed to initialize SSL.

When I search for “ASN1_CHECK_TLEN:wrong tag,” all I can find are suggestions that the certificate file is somehow damaged, and that I need to check that there are no leading or trailing spaces. The file seems fine; besides, when I run openssl rsa -check -noout -in /etc/ssl/private/demo.key, it prompts for the pass phrase, and when I enter one, it prints: “RSA key ok.”

I also double-checked the password stored in private_key_passwd in wpa_supplicant.conf and it looks correct.

How do I figure out what's wrong?

Arseni Mourzenko

1 Answer


openssl rsa expects a PEM-encoded RSA key by default, but the error message suggests that wpa_supplicant is assuming the key file is PKCS#12 encoded.

After reading the description of the private_key configuration item of wpa_supplicant.conf in /usr/share/doc/wpa_supplicant/examples/wpa_supplicant.conf, it seems the behavior is as follows:

  • if your client certificate and the corresponding private key are in PEM format, you should specify the filenames of both of them, using client_cert and private_key configuration items, respectively.

  • if your client certificate and private key are in a single PKCS#12 file (suffix typically .pfx or .p12, not directly readable with openssl rsa), then you should only specify the filename with the private_key configuration item, and not use the client_cert configuration item at all. In other words, if client_cert is not specified and private_key is a plain filename, wpa_supplicant will expect a PKCS#12 format.

  • if the client_cert configuration item does not exist and the private_key configuration item contains one of several possible URI-style formats, these will be interpreted as references to PKCS#11 tokens (smart cards) or to certificates stored in the Windows certificate store, if applicable.

It looks like you've failed to specify client_cert in wpa_supplicant.conf.

telcoM
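The following POSIX shell script is an added example, not part of the question or the answer above and not wpa_supplicant's own tooling. It turns the answer's rule into a check: it classifies the file named by private_key as PEM (has a "-----BEGIN" header) or DER (starts with the ASN.1 SEQUENCE tag 0x30, which is what a PKCS#12 bundle begins with), then reports the mismatch the answer describes, a PEM key with no client_cert, or a PKCS#12 bundle with client_cert set. The config parsing is deliberately minimal (one key=value per line, optional double quotes); the file names and config contents in the test are constructed.

```shell
#!/bin/sh
# Added example: check that an EAP-TLS network block in wpa_supplicant.conf
# uses client_cert/private_key the way the answer describes.
# Assumes a simple key="value" or key=value layout, one item per line.

# Print "pem" if the file has a PEM header, "der" if its first byte is the
# ASN.1 SEQUENCE tag 0x30 (a DER-encoded PKCS#12 bundle starts this way),
# otherwise "unknown".  This only tells PEM and DER apart; it does not parse
# the structure.
key_format() {
    if grep -q -- '-----BEGIN ' "$1" 2>/dev/null; then
        echo pem
    elif [ "$(od -An -tx1 -N1 "$1" 2>/dev/null | tr -d ' \n')" = "30" ]; then
        echo der
    else
        echo unknown
    fi
}

# Print the value of configuration item $2 in file $1, quotes stripped;
# prints nothing if the item is absent.  "private_key=" does not match
# "private_key_passwd=" because the "=" must follow the name directly.
conf_value() {
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}.*/\1/p" "$1" | head -n 1
}

# Compare the config in $1 with the format of the key file it names.
# Prints "ok" and returns 0 when consistent, otherwise prints a diagnostic
# and returns 1.
check_eap_tls_conf() {
    conf=$1
    key=$(conf_value "$conf" private_key)
    cert=$(conf_value "$conf" client_cert)
    [ -n "$key" ] || { echo "no private_key item in $conf"; return 1; }
    fmt=$(key_format "$key")
    case "$fmt:$cert" in
        pem:)  echo "PEM key without client_cert: wpa_supplicant will try to read $key as PKCS#12"; return 1 ;;
        pem:*) echo ok; return 0 ;;
        der:)  echo ok; return 0 ;;
        der:*) echo "DER/PKCS#12 bundle with client_cert set: drop client_cert or use a PEM key"; return 1 ;;
        *)     echo "cannot classify $key (missing or neither PEM nor DER)"; return 1 ;;
    esac
}

# Usage: sh check_eap_tls.sh /etc/wpa_supplicant/wpa_supplicant.conf
if [ $# -eq 1 ]; then
    check_eap_tls_conf "$1"
fi
```

For the situation in the question (a PEM key at /etc/ssl/private/demo.key and no client_cert line), the check prints the "PEM key without client_cert" diagnostic, which is the same mismatch that surfaces in the log as tls_read_pkcs12 failing with "wrong tag".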