
I'm trying to connect a Raspberry Pi to an EAP-TLS Wi-Fi access point. The connection fails:

    wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started
    wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
    OpenSSL: tls_read_pkcs12 - Failed to use PKCS#12 file error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
    OpenSSL: pending error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
    OpenSSL: tls_connection_private_key - Failed to load private key error:00000000:lib(0):func(0):reason(0)
    TLS: Failed to load private key '/etc/ssl/private/demo.key'
    TLS: Failed to set TLS connection parameters
    EAP-TLS: Failed to initialize SSL.

When I search for “ASN1_CHECK_TLEN:wrong tag,” all I can find are suggestions that the certificate file is somehow damaged and that I need to check that there are no leading or trailing spaces. The file seems fine; besides, when I run openssl rsa -check -noout -in /etc/ssl/private/demo.key, it prompts for the pass phrase, and when I enter it, it prints: “RSA key ok.”

I also double-checked the password stored in private_key_passwd in wpa_supplicant.conf and it looks correct.

How do I figure out what's wrong?

1 Answer


openssl rsa expects a PEM-encoded RSA key by default, but the error message suggests that wpa_supplicant is assuming the key file is PKCS#12 encoded.

After reading the description of the private_key configuration item of wpa_supplicant.conf in /usr/share/doc/wpa_supplicant/examples/wpa_supplicant.conf, it seems the behavior is as follows:

  • if your client certificate and the corresponding private key are in PEM format, you should specify the filenames of both of them, using client_cert and private_key configuration items, respectively.

  • if your client certificate and private key are in a single PKCS#12 file (suffix typically .pfx or .p12, not directly readable with openssl rsa), then you should only specify the filename with the private_key configuration item, and not use the client_cert configuration item at all. In other words, if client_cert is not specified and private_key is a plain filename, wpa_supplicant will expect a PKCS#12 format.

  • if the client_cert configuration item does not exist and the private_key configuration item contains one of several possible URI-style formats, these will be interpreted as references to PKCS#11 tokens (smart cards) or to certificates stored in Windows certificate store, if applicable.

It looks like you've failed to specify client_cert in wpa_supplicant.conf.
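As an added illustration (not part of the answer above), here is a small shell diagnostic that applies the rule the answer describes: it reads private_key and client_cert from a network block, works out which format wpa_supplicant will therefore expect, and sniffs the key file's leading bytes to see whether it is PEM text or a DER/PKCS#12 blob. The helper names (conf_value, key_format, diagnose, make_samples) and the sample files it constructs are this example's own.

```shell
#!/bin/sh
# Added diagnostic: does wpa_supplicant's expectation for private_key match the file?
# The rule (from the wpa_supplicant.conf docs quoted in the answer): client_cert set
# means a PEM cert + PEM key pair; client_cert absent means private_key is a PKCS#12 file.

# Value of a key=value or key="value" line in the config (first match only).
conf_value() {  # $1=conf file  $2=key name
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}.*/\1/p" "$1" | head -n 1
}

# Sniff the key file: PEM has a text header; DER (and thus PKCS#12) starts with an
# ASN.1 SEQUENCE tag, 0x30. Feeding PEM text to the PKCS#12 parser yields "wrong tag".
key_format() {  # $1=key file
    if head -c 64 "$1" | grep -q -- '-----BEGIN'; then echo PEM
    elif [ "$(head -c 1 "$1" | od -An -tx1 | tr -d ' ')" = "30" ]; then echo DER
    else echo UNKNOWN; fi
}

# Compare expected format (derived from client_cert presence) with the actual file.
diagnose() {  # $1=conf file ; prints "OK: ..." or "MISMATCH: ..."
    key=$(conf_value "$1" private_key)
    if [ -n "$(conf_value "$1" client_cert)" ]; then exp=PEM; else exp=PKCS12; fi
    act=$(key_format "$key")
    case "$exp:$act" in
        PEM:PEM)    echo "OK: client_cert set, PEM private key" ;;
        PKCS12:DER) echo "OK: no client_cert, binary key consistent with PKCS#12" ;;
        PKCS12:PEM) echo "MISMATCH: PEM key but no client_cert; wpa_supplicant will parse it as PKCS#12" ;;
        *)          echo "MISMATCH: expected $exp, key file looks like $act" ;;
    esac
}

# Constructed sample inputs (not real keys): a PEM-looking key, a DER-looking blob,
# and three network blocks: the asker's situation, the fixed one, and a PKCS#12 one.
make_samples() {  # prints the temp dir holding them
    d=$(mktemp -d)
    printf -- '-----BEGIN ENCRYPTED PRIVATE KEY-----\nconstructed\n-----END ENCRYPTED PRIVATE KEY-----\n' > "$d/demo.key"
    printf '\060\202\001\000' > "$d/demo.p12"   # just the leading bytes of a DER SEQUENCE
    printf 'network={\n  ssid="corp"\n  key_mgmt=WPA-EAP\n  eap=TLS\n  private_key="%s"\n  private_key_passwd="secret"\n}\n' "$d/demo.key" > "$d/bad.conf"
    printf 'network={\n  ssid="corp"\n  key_mgmt=WPA-EAP\n  eap=TLS\n  client_cert="%s"\n  private_key="%s"\n  private_key_passwd="secret"\n}\n' "$d/demo.crt" "$d/demo.key" > "$d/good.conf"
    printf 'network={\n  ssid="corp"\n  key_mgmt=WPA-EAP\n  eap=TLS\n  private_key="%s"\n  private_key_passwd="secret"\n}\n' "$d/demo.p12" > "$d/p12.conf"
    echo "$d"
}

d=$(make_samples)
for c in bad good p12; do printf '%s: %s\n' "$c.conf" "$(diagnose "$d/$c.conf")"; done
```

Point it at a real /etc/wpa_supplicant/wpa_supplicant.conf with diagnose to see which of the two layouts the answer describes your config actually selects.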
