# [SOLVED] Wpa_supplicant - OpenSSL problem

## tpheiska

While trying to connect using wpa_supplicant, shared dynamic WEP keys and certificates, I get the following error:

```
OpenSSL: tls_connection_ca_cert - Failed to load root certificates error:02001002:system library:fopen:No such file or directory
OpenSSL: pending error: error:2006D080:BIO routines:BIO_new_file:no such file
OpenSSL: pending error: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib
OpenSSL: tls_load_ca_der - Failed load CA in DER format error:02001002:system library:fopen:No such file or directory
OpenSSL: pending error: error:20074002:BIO routines:FILE_CTRL:system lib
OpenSSL: pending error: error:0B06F002:x509 certificate routines:X509_load_cert_file:system lib
TLS: Failed to set TLS connection parameters
EAP-TLS: Failed to initialize SSL.
```

My wpa_supplicant.conf:

```
update_config=1
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
eapol_version=1
ap_scan=1
fast_reauth=1
#opensc_engine_path=/usr/lib/opensc/engine_opensc.so
#pkcs11_engine_path=/usr/lib/opensc/engine_pkcs11.so
#pkcs11_module_path=/usr/lib/pkcs11/opensc-pkcs11.so
network={
        ssid="hotZone"
        key_mgmt=IEEE8021X
#        pairwise=TKIP
        auth_alg=OPEN
#        group=WEP104
        proto=WPA
        eap=TLS
        identity="Paavo Heiskanen"
        password="*****"
        ca_cert="/etc/wpa-supplicant/hotzoneCA.der"
        private_key="/etc/wpa-supplicant/paavo_heiskanen.p12"
        private_key_passwd="*****"
        eapol_flags=3
#       priority=99
}
```

Any thoughts on how to proceed? The error messages are not very elaborate. Do I need to have the opensc and pkcs11 packages installed?

The whole connection debug info is as follows:

```
localhost paavo # wpa_supplicant -Dwext -iwlan0 -c/etc/conf.d/wpa_supplicant.conf -d
Initializing interface 'wlan0' conf '/etc/conf.d/wpa_supplicant.conf' driver 'wext' ctrl_interface 'N/A' bridge 'N/A'
Configuration file '/etc/conf.d/wpa_supplicant.conf' -> '/etc/conf.d/wpa_supplicant.conf'
Reading configuration file '/etc/conf.d/wpa_supplicant.conf'
update_config=1
ctrl_interface='/var/run/wpa_supplicant'
ctrl_interface_group=0
eapol_version=1
ap_scan=1
fast_reauth=1
Priority group 0
   id=0 ssid='hotZone'
Initializing interface (2) 'wlan0'
EAPOL: SUPP_PAE entering state DISCONNECTED
EAPOL: KEY_RX entering state NO_KEY_RECEIVE
EAPOL: SUPP_BE entering state INITIALIZE
EAP: EAP entering state DISABLED
EAPOL: External notification - portEnabled=0
EAPOL: External notification - portValid=0
SIOCGIWRANGE: WE(compiled)=19 WE(source)=18 enc_capa=0xd
  capabilities: key_mgmt 0x5 enc 0xf
WEXT: Operstate: linkmode=1, operstate=5
Own MAC address: 00:07:40:c5:44:e7
wpa_driver_wext_set_wpa
wpa_driver_wext_set_key: alg=0 key_idx=0 set_tx=0 seq_len=0 key_len=0
wpa_driver_wext_set_key: alg=0 key_idx=1 set_tx=0 seq_len=0 key_len=0
wpa_driver_wext_set_key: alg=0 key_idx=2 set_tx=0 seq_len=0 key_len=0
wpa_driver_wext_set_key: alg=0 key_idx=3 set_tx=0 seq_len=0 key_len=0
wpa_driver_wext_set_countermeasures
wpa_driver_wext_set_drop_unencrypted
Setting scan request: 0 sec 100000 usec
Added interface wlan0
Wireless event: cmd=0x8b06 len=8
RTM_NEWLINK, IFLA_IFNAME: Interface 'wlan0' added
RTM_NEWLINK, IFLA_IFNAME: Interface 'wlan0' added
State: DISCONNECTED -> SCANNING
Starting AP scan (broadcast SSID)
Trying to get current scan results first without requesting a new scan to speed up initial association
Received 192 bytes of scan results (1 BSSes)
Scan results: 1
Selecting BSS from priority group 0
0: 00:13:60:39:f2:90 ssid='hotZone' wpa_ie_len=0 rsn_ie_len=0 caps=0x11
   skip - no WPA/RSN IE
   selected non-WPA AP 00:13:60:39:f2:90 ssid='hotZone'
Trying to associate with 00:13:60:39:f2:90 (SSID='hotZone' freq=2412 MHz)
Cancelling scan request
WPA: clearing own WPA/RSN IE
Automatic auth_alg selection: 0x1
Overriding auth_alg selection: 0x1
WPA: clearing AP WPA IE
WPA: clearing AP RSN IE
WPA: clearing own WPA/RSN IE
No keys have been configured - skip key clearing
wpa_driver_wext_set_drop_unencrypted
State: SCANNING -> ASSOCIATING
WEXT: Operstate: linkmode=-1, operstate=5
wpa_driver_wext_associate
Setting authentication timeout: 10 sec 0 usec
EAPOL: External notification - portControl=Auto
Wireless event: cmd=0x8b06 len=8
Wireless event: cmd=0x8b04 len=12
Wireless event: cmd=0x8b1a len=15
Authentication with 00:00:00:00:00:00 timed out.
Added BSSID 00:13:60:39:f2:90 into blacklist
State: ASSOCIATING -> DISCONNECTED
WEXT: Operstate: linkmode=-1, operstate=5
No keys have been configured - skip key clearing
EAPOL: External notification - portEnabled=0
EAPOL: External notification - portValid=0
Setting scan request: 0 sec 0 usec
State: DISCONNECTED -> SCANNING
Starting AP scan (broadcast SSID)
Wireless event: cmd=0x8c07 len=49
AssocReq IE wireless event - hexdump(len=41): 00 07 68 6f 74 5a 6f 6e 65 01 04 82 84 8b 96 dd 18 00 50 f2 01 01 00 00 50 f2 01 01 00 00 50 f2 01 01 00 00 50 f2 00 00 00
Wireless event: cmd=0x8c08 len=14
AssocResp IE wireless event - hexdump(len=6): 01 04 82 84 8b 96
Wireless event: cmd=0x8b15 len=20
Wireless event: new AP: 00:13:60:39:f2:90
Association info event
req_ies - hexdump(len=41): 00 07 68 6f 74 5a 6f 6e 65 01 04 82 84 8b 96 dd 18 00 50 f2 01 01 00 00 50 f2 01 01 00 00 50 f2 01 01 00 00 50 f2 00 00 00
resp_ies - hexdump(len=6): 01 04 82 84 8b 96
WPA: set own WPA/RSN IE - hexdump(len=26): dd 18 00 50 f2 01 01 00 00 50 f2 01 01 00 00 50 f2 01 01 00 00 50 f2 00 00 00
State: SCANNING -> ASSOCIATED
WEXT: Operstate: linkmode=-1, operstate=5
Associated to a new BSS: BSSID=00:13:60:39:f2:90
No keys have been configured - skip key clearing
Network configuration found for the current AP
WPA: clearing AP WPA IE
WPA: clearing AP RSN IE
WPA: clearing own WPA/RSN IE
EAPOL: External notification - portControl=Auto
Associated with 00:13:60:39:f2:90
WPA: Association event - clear replay counter
EAPOL: External notification - portEnabled=0
EAPOL: External notification - portValid=0
EAPOL: External notification - portEnabled=1
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: SUPP_BE entering state IDLE
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
Setting authentication timeout: 10 sec 0 usec
RX EAPOL from 00:13:60:39:f2:90
Setting authentication timeout: 70 sec 0 usec
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_PAE entering state RESTART
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
EAPOL: SUPP_PAE entering state AUTHENTICATING
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=1 method=1 vendor=0 vendorMethod=0
EAP: EAP entering state IDENTITY
CTRL-EVENT-EAP-STARTED EAP authentication started
EAP: EAP-Request Identity data - hexdump_ascii(len=50):
     00 6e 65 74 77 6f 72 6b 69 64 3d 68 6f 74 5a 6f   _networkid=hotZo
     6e 65 2c 6e 61 73 69 64 3d 33 37 6f 72 31 2e 68   ne,nasid=37or1.h
     6f 74 7a 6f 6e 65 2e 64 65 2c 70 6f 72 74 69 64   otzone.de,portid
     3d 30                                             =0
EAP: using real identity - hexdump_ascii(len=15):
     50 61 61 76 6f 20 48 65 69 73 6b 61 6e 65 6e      Paavo Heiskanen
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
EAPOL: SUPP_BE entering state RECEIVE
RX EAPOL from 00:13:60:39:f2:90
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=2 method=17 vendor=0 vendorMethod=0
EAP: EAP entering state GET_METHOD
EAP: configuration does not allow: vendor 0 method 17
EAP: vendor 0 method 17 not allowed
EAP: Building EAP-Nak (requested type 17 vendor=0 method=0 not allowed)
EAP: allowed methods - hexdump(len=1): 0d
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
EAPOL: SUPP_BE entering state RECEIVE
RX EAPOL from 00:13:60:39:f2:90
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=3 method=13 vendor=0 vendorMethod=0
EAP: EAP entering state GET_METHOD
EAP: Initialize selected EAP method: vendor 0 method 13 (TLS)
OpenSSL: tls_connection_ca_cert - Failed to load root certificates error:02001002:system library:fopen:No such file or directory
OpenSSL: pending error: error:2006D080:BIO routines:BIO_new_file:no such file
OpenSSL: pending error: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib
OpenSSL: tls_load_ca_der - Failed load CA in DER format error:02001002:system library:fopen:No such file or directory
OpenSSL: pending error: error:20074002:BIO routines:FILE_CTRL:system lib
OpenSSL: pending error: error:0B06F002:x509 certificate routines:X509_load_cert_file:system lib
TLS: Failed to set TLS connection parameters
EAP-TLS: Failed to initialize SSL.
ENGINE: engine deinit
EAP: Failed to initialize EAP method: vendor 0 method 13 (TLS)
EAP: Building EAP-Nak (requested type 13 vendor=0 method=0 not allowed)
EAP: allowed methods - hexdump(len=0):
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
EAPOL: SUPP_BE entering state RECEIVE
Scan timeout - try to get results
Received 192 bytes of scan results (1 BSSes)
Scan results: 1
Selecting BSS from priority group 0
0: 00:13:60:39:f2:90 ssid='hotZone' wpa_ie_len=0 rsn_ie_len=0 caps=0x11
   skip - no WPA/RSN IE
   selected non-WPA AP 00:13:60:39:f2:90 ssid='hotZone'
Trying to associate with 00:13:60:39:f2:90 (SSID='hotZone' freq=2412 MHz)
```

Last edited by tpheiska on Thu Oct 19, 2006 8:27 am; edited 1 time in total

----------

## UberLord

Looks like it cannot load "/etc/wpa-supplicant/hotzoneCA.der" 

Try removing the quotes.

----------

## tpheiska

Removing the quotes or placing single quotes does not help.

```
Line 20: failed to parse ca_cert ''/etc/wpa-supplicant/hotzoneCA.der''.
Line 20: failed to parse ca_cert ''/etc/wpa-supplicant/hotzoneCA.der''.
Line 25: failed to parse network block.
Failed to read or parse configuration '/etc/conf.d/wpa_supplicant.conf'.
```

I'm now emerging (downgraded) opensc and engine-pkcs11 and will see if that helps.

----------

## tpheiska

Got it working now. Emerged downgraded opensc-0.9.4 and engine-pkcs11. Played with the config file and everything seems to be fine now. Now I'll have to start reading about creating initscripts for this (or maybe do a sudo command for it).

```
update_config=1
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
eapol_version=1
ap_scan=1
fast_reauth=1
#opensc_engine_path=/usr/lib/opensc/engine_opensc.so
pkcs11_engine_path=/usr/lib/opensc/engine_pkcs11.so
pkcs11_module_path=/usr/lib/pkcs11/opensc-pkcs11.so
network={
        ssid="hotZone"
        key_mgmt=IEEE8021X
#        pairwise=TKIP
        auth_alg=OPEN
#        group=WEP104
        proto=WPA
        eap=TLS
        identity="Paavo Heiskanen"
#       password="*****
        ca_cert="/etc/wpa_supplicant/hotzoneCA.der"
        private_key="/etc/wpa_supplicant/paavo_heiskanen.p12"
#       client_cert="/etc/wpa_supplicant/paavo_heiskanen.p12"
        private_key_passwd="*****"
        eapol_flags=3
#       priority=99
}
```

----------
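The `fopen: No such file or directory` errors in this thread come from the `ca_cert` path: the failing config points at `/etc/wpa-supplicant/`, the working one at `/etc/wpa_supplicant/`. As an added example (not part of the thread and not wpa_supplicant's own code), the hypothetical helper `check_wpa_paths` below verifies every active `ca_cert`, `client_cert` and `private_key` path before the supplicant is started; it goes one step beyond the thread by also flagging a `private_key` file that group or other can access. The demo tree and file names are constructed.

```shell
#!/bin/sh
# Added example: check_wpa_paths is a hypothetical helper, not part of wpa_supplicant.
# It reports certificate/key paths in a config that are missing, unreadable,
# or (for private_key) accessible to group/other. Commented-out lines are ignored.
check_wpa_paths() {
    sed -nE 's/^[[:space:]]*(ca_cert|client_cert|private_key)="([^"]*)"[[:space:]]*$/\1 \2/p' "$1" | {
        rc=0
        while read -r key path; do
            if [ ! -e "$path" ]; then
                echo "MISSING $key=$path"; rc=1
            elif [ ! -r "$path" ]; then
                echo "UNREADABLE $key=$path"; rc=1
            elif [ "$key" = private_key ] &&
                 [ "$(ls -ldL "$path" | cut -c5-10)" != "------" ]; then
                # Characters 5-10 of the mode string are the group/other bits.
                echo "TOO-OPEN $key=$path"; rc=1
            else
                echo "OK $key=$path"
            fi
        done
        [ "$rc" -eq 0 ]   # exit status of the pipeline, hence of the function
    }
}

# Constructed demo: a temp tree that reproduces the thread's directory-name
# mismatch (files live in wpa_supplicant/, config points at wpa-supplicant/).
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/wpa_supplicant"
    : > "$d/wpa_supplicant/hotzoneCA.der"
    : > "$d/wpa_supplicant/user.p12"
    chmod 644 "$d/wpa_supplicant/user.p12"
    cat > "$d/bad.conf" <<EOF
network={
        ssid="hotZone"
        eap=TLS
#       client_cert="$d/ignored-because-commented.p12"
        ca_cert="$d/wpa-supplicant/hotzoneCA.der"
        private_key="$d/wpa_supplicant/user.p12"
        private_key_passwd="*****"
}
EOF
    check_wpa_paths "$d/bad.conf"; status=$?
    rm -rf "$d"
    return "$status"
}
demo || echo "config has path problems (non-zero exit status)"
```

Against a real system the call would be `check_wpa_paths /etc/conf.d/wpa_supplicant.conf`, run as the user that starts wpa_supplicant.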

