EAP-TLS certificate issue (Android 8 and 9) - Android Q&A, Help & Troubleshooting

Hi, I cannot connect Android 8 and 9 devices to a network that uses EAP-TLS for authentication. When the EAP-TLS flow starts, the device gets a Server Hello frame with 3 certificates (network cert, intermediate cert and CA certificate) and the device returns an error message that the CA certificate is self-signed (it is an Entrust G2 cert and it is on the list of trusted certificates on the device). When I change the CA certificate in the network settings from the CA certificate that signs the user certificate to Entrust G2, the Server Hello frame is OK for the device and as a result the device sends the frame with the user certificate, and then the server returns the error Unknown CA.
I checked how it looks on an iPad: in this case the server sends the same 3 certificates in the Server Hello frame, then the iPad also sends 3 certificates (user cert, intermediate cert and CA certificate) and the whole authentication procedure is successful.
Has anyone ever met such an issue on Android, or maybe knows how to resolve it?
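The server-side failure described above (Unknown CA once the supplicant sends only the user certificate) can be reproduced offline. This is an added example, not from the thread: it builds a constructed root/intermediate/user chain with openssl, shows that the user certificate validates only when the intermediate is available, and packs the intermediate into the PKCS#12 the client imports; all names and the `changeit` password are made up.

```shell
# Added example (not from the thread): a constructed root -> intermediate -> user
# chain reproduces the "Unknown CA" symptom, then the intermediate is bundled
# into the client's PKCS#12 so the supplicant can present the whole chain.
set -eu

# make_chain DIR: throwaway root CA, intermediate CA and EAP user certificate in DIR.
make_chain() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$d/user.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Constructed Root' \
      -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Constructed Intermediate' \
      -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
      -CAcreateserial -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=eap-user' \
      -keyout "$d/user.key" -out "$d/user.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$d/user.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
      -CAcreateserial -extfile "$d/user.ext" -out "$d/user.pem" 2>/dev/null
}

# verify_user DIR [INTERMEDIATE]: prints "ok" or "unknown-ca". With only the root
# trusted and no intermediate in hand there is no path root -> user (the server's view).
verify_user() {
  d=$1; shift
  if [ $# -gt 0 ]; then
    openssl verify -CAfile "$d/root.pem" -untrusted "$1" "$d/user.pem" >/dev/null 2>&1 \
      && echo ok || echo unknown-ca
  else
    openssl verify -CAfile "$d/root.pem" "$d/user.pem" >/dev/null 2>&1 \
      && echo ok || echo unknown-ca
  fi
}

# bundle_p12 DIR: key + user cert + intermediate in one PKCS#12; prints the certificate count.
bundle_p12() {
  d=$1
  openssl pkcs12 -export -in "$d/user.pem" -inkey "$d/user.key" -certfile "$d/int.pem" \
      -passout pass:changeit -out "$d/user.p12" 2>/dev/null
  openssl pkcs12 -in "$d/user.p12" -passin pass:changeit -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

work=$(mktemp -d)
make_chain "$work"
echo "root only:           $(verify_user "$work")"                  # unknown-ca
echo "root + intermediate: $(verify_user "$work" "$work/int.pem")"  # ok
echo "certs in PKCS#12:    $(bundle_p12 "$work")"                   # 2
```

Importing the resulting user.p12 gives the supplicant the intermediate to send alongside the user certificate, which is what the iPad already does in the capture described above.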

WiFi not connecting at Work (home OK) on TMous HD2

Mark here.
Thanks in advance for any help offered.
Searched around here and elsewhere since last year & can't find a solution. (please don't copy whole message in reply)
Ideal solution either: 1. Able to store/save settings and password so it does not need to be entered every day (many times) or 2. Load certificate correctly.
I have a TMous HD2 running Energy ROM (Feb 2011 version)
Connects fine to home WiFis without prompts. Also to about 10 others when traveling - no probs.
It does not connect easily to my work WiFi. I have worked out a method, but I need to re-enter settings and password many times a day. With a high-security p/w with various characters etc. it's a real pain.
To do so, I have set up a link to WLANSettings.exe on the home screen. I use these settings: 1. Work (not internet), 2. WPA2/AES, 3. PEAP (not Smart card or cert). OK. Then it asks for login, password (no domain needed). The first time I enter login etc. it doesn't connect. The second time, I've learned to hit OK again and after a few seconds it connects.
If I go through the 'normal' WiFi setup it asks for a Certificate. I enter the server for the cert, password as above and it will not find it. They gave me a cert file ('home grown' PEAP Authority certificate Thawte Premium Server CA) but it loads into Intermediate, not Personal, and does not work. Apparently iPhone & iPad link to the cert server and install it fine.
Tried:
1. I tried Odyssey (Odyssey Access Client for Windows MobileCE - Juniper Networks). Helps, but not perfect, and it messes up my home connection. So uninstalled (updated ROM since then).
2. Tried programs to load cert. No go. (p12imprt, pfximprt; smartphoneaddcert). Various error messages - can't remember them - along the lines of not signed, not .pfx cert etc.
3. Exported cert. from PC's (WinXP) Firefox. Can't convert it to a .pfx to use the above.
Work does not support Win Mobile. So no support offered - though they've tried to help.
The settings for my mate's Nokia, which does work, are:
PEAP and the fields are:
Personal certificate: not defined
Authority certificate: Thawte Premium Server CA
User name in use: user defined
User name: 'must leave blank'
Realm in use: user defined
Realm: 'must leave blank'
Allow PEAPv0: Yes
Allow PEAPv1: Yes
Allow PEAPv2: No
Under MSCHAPv2 within PEAP settings are
User name : your 'username'
Prompt password: no
Password: your 'password'
Have tried following also (rough notes):
HKEY_LOCAL_MACHINE\Comm\EAP\Extension\25.
"InvokePasswordDialog" and "InvokeUserNameDialog" value 1, switch to 0. Works till restart.
Go to commMan/ menu/ settings, set work & proxy, or commMan/Conns/conns.
Changed to HKLM, went to directory comm\EAP\extension\25. Added a folder called validateservercert and added a key to this folder - DWORD. It asks me to edit the DWORD value - in value data I have added 00000000 and selected hexadecimal.
Add the keys [HKEY_LOCAL_MACHINE\Comm\EAP\Extension\25] and [HKEY_LOCAL_MACHINE\Comm\EAP\Extension\26].

Mmm... 'tis a difficult one.
>"Ideal solution either: 1. Able to store/save settings and password so it does not
>need to be entered every day (many times) or 2. Load certificate correctly."
Another alternative would be software to manage WiFi login - that saves passwords.
I tried Odyssey, but it messed up home connections. WiFi Monster does not do it.
Anything out there?
Mark

[Q] Android + PHP + SSL issues

Hey Everyone,
I recently downloaded and installed "PHP for Android." I created a .php file that utilizes an SSL connection with port 2195. When I tried running it, I get the following error message:
HTML:
Error:14094410:SSL routines:func(148):reason(1040) in /mnt/sdcard/sl4a/scripts/lot.php on line 19
Warning: stream_socket_client(): Failed to enable crypto in /mnt/sdcard/sl4a/scripts/lot.php on line 19
Warning: stream_socket_client(): unable to connect to ssl://gateway.sandbox.push.apple.com:2195 (Unknown error) in /mnt/sdcard/sl4a/scripts/lot.php on line 19
This is my line 19:
Code:
$apns = stream_socket_client('ssl://gateway.sandbox.push.apple.com:2195', $error, $errorString, 2, STREAM_CLIENT_CONNECT, $streamContext);
I researched what "reason(1040)" means, and supposedly it means that the port is closed. But what firewall is blocking it? The same exact script works when I execute it from my computer from the same wifi connection. Could it be a firewall inside the Android OS?
Any input will be greatly appreciated!!
Thanks!
Does anyone know?
Hey,
We also got that error with the iPhone Push service, and it was due to the certificate not being set correctly (actually the certificate file didn't exist).
I hope this solves your problem if you haven't solved it by now.
Regards,
Chris

[Q] Error in establishing openvpn connection on Toshiba Thrive (Android 3.2.1)

Hello All,
I have been searching for a solution to the below mentioned issue all over the net for the last month and was finally referred to this forum by my VPN service provider 'cyberghostvpn'.
I am enclosing my config file (test.ovpn.txt), log file(log.txt) & sample password file for 'auth-user-pass' (pass.txt).
Following are the highlighted points regarding this issue :
While the same config file is working fine on my Linux machine, on Android it stops at the prompt "Enter Auth Username :". After entering the username the connection sequence continues, but the prompt "Enter Auth Password :" never comes like it does on Linux.
Hence my analysis is that the openvpn binary is unable to pass the username-password combination to my VPN server in console input mode, and an auth-failure control message is received shortly after, terminating the connection.
If I pass the username-password combination through the password file as 'auth-user-pass pass.txt', the same thing happens (an auth-failure control message is received, terminating the connection).
On Linux both of these methods work successfully in establishing the connection, proving that there is nothing wrong with cyberghostvpn.
One important point: although on Android the openvpn binary is unable to read the config from the .ovpn file, it runs when the options are given as command-line arguments as shown below, and the enclosed log file was generated this way.
# openvpn --client --ca ca.crt --cert my_user_name.crt --key my_user_name.key --remote ch.openvpn.cyberghostvpn.com 9081 ..........--tun-mtu 1500 --fragment 1300 --mssfix > log.txt
Anyone who can either help me resolve this issue or refer it to some expert developer on openvpn will be very much appreciated.
Kind regards,
kingsukm

[Q] Self-signed certificate on Android 4.4.4 / Cyanogenmod 11

Hi,
I'm trying to install a self-signed user certificate on Cyanogenmod 11 with Android 4.4.4. I know that there are some issues with this, but in many reports they say it is easy to install when I take it directly from the SD card. Unfortunately, it is not working on my device and I'm not sure if my OS or my certificate is the problem.
I have tried several things, from using the PEM format or DER format, and also tried to use a signed certificate from CAcert.org. Btw, concerning the root certificates: I was able to install them as user certificates and they show up in the right place. However, I got the annoying security warning, but I can deal with it.
So let's start with the procedure to create my certificate:
1. I installed the root and the class3 certificate from cacert.org. Everything is nice, the certificates are listed in user certificates.
2. Key generation:
Code:
openssl genrsa -des3 -out server.key 4096
3. CSR creation, used for both self-signing and cacert signing:
Code:
openssl req -new -key server.key -out server.csr
4.a Create a self-signed certificate myself:
Code:
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
4.b Put server.csr on cacert.org, create certificate, save it in "server_cacert.crt"
5. Converting to binary format:
Code:
openssl x509 -in server.crt -outform DER -out server_der.crt
With this, my certificate creation is finished. Now I put all four different versions on the internal storage on my smartphone. I go to the security settings -> "Install from internal storage" -> choosing one of the certificates.
I'm then asked for a name for the cert, choose "usage for VPN and apps", and -> "Save". A popup with "Cert ... successfully installed" appears afterwards.
But: when I have a look at the user certificate list, none of the created certificates is there. I only have the cacert root certs installed.
I have no idea what to do now. One solution which was discussed, was to install the certs as system certificate. But for this, I need to root my smartphone and this is one thing I don't want to do.
So, hopefully you can find the fault in my procedure, so I can get it installed without root privileges.
Thank you for your support,
Kind regards,
-Cyanide-
Sorry for pushing this thread... but I really have no idea what to do. I guess I'm not the first person who tries to install a certificate, so hopefully you can share your experience?
In my opinion, the fault may be in the certificate creation, because I'm able to install the root certificates from cacert.org.
thanks again
I would also like to know
Short update:
It is working now. But I'm not sure, if it's good the way I did it.
I used easy-rsa to create a ca.crt. I was able to import this one to Android, like it worked before with the cacert root certificates. On the server side, I use the crt and key also for my DAV server. With this combination everything is fine, but I'm not sure if this is the right way the certificates should be used.
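An added example, not from the thread, that compares the certificate shape step 4.a produces with a CA-flagged one. It assumes Android's certificate installer lists a key-less certificate under user credentials only when it carries basicConstraints CA:TRUE, which is consistent with the easy-rsa ca.crt importing while server.crt did not; the names and paths are constructed.

```shell
# Added example (not from the thread): build a certificate the way step 4.a does
# (openssl x509 -req -signkey, no extensions) and one with basicConstraints
# CA:TRUE, then report which of them carries the CA flag. Assumption: Android's
# installer files a key-less certificate under "Trusted credentials" only when it
# is flagged as a CA, matching ca.crt importing while server.crt did not.
set -eu

# post_style_cert DIR: mirror steps 2-4.a with a throwaway key (no passphrase).
post_style_cert() {
  d=$1
  openssl genrsa -out "$d/server.key" 2048 2>/dev/null
  openssl req -new -key "$d/server.key" -subj '/CN=constructed.example' \
      -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$d/server.csr" -signkey "$d/server.key" \
      -out "$d/server.crt" 2>/dev/null
  echo "$d/server.crt"
}

# ca_style_cert DIR: same CSR and key, but signed with a CA:TRUE basicConstraints
# extension, the shape an easy-rsa ca.crt has. Run post_style_cert first.
ca_style_cert() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  openssl x509 -req -days 1 -in "$d/server.csr" -signkey "$d/server.key" \
      -extfile "$d/ca.ext" -out "$d/ca.crt" 2>/dev/null
  echo "$d/ca.crt"
}

# is_ca_cert FILE: prints "yes" when the certificate asserts CA:TRUE, else "no".
is_ca_cert() {
  if openssl x509 -in "$1" -noout -text | grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'; then
    echo yes
  else
    echo no
  fi
}

work=$(mktemp -d)
leaf=$(post_style_cert "$work")
ca=$(ca_style_cert "$work")
echo "server.crt is a CA cert: $(is_ca_cert "$leaf")"   # no
echo "ca.crt is a CA cert:     $(is_ca_cert "$ca")"     # yes
```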

Certificate error when trying to establish email account connection

I am trying to connect an email app (AquaMail) on my phone (Sprint Samsung Note 4, stock rooted, Android OS 5.0.1) to my email server (IMAP) using SSL. When I try this, I get the following error message:
Incoming mail server (IMAP): Invalid security (SSL) certificate. java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
The server to which I am trying to connect is my own VPS. I do have a wildcard certificate installed on the site and I believe it is installed properly. I say this because of the report I generated on www.ssllabs.com/ssltest:
Certificate: 100%
Protocol Support: 95%
Key Exchange: 90%
Cipher Strength: 90%
Two certification paths are shown: mail.mydomain.com -> StartCom Class 2 Primary Intermediate Server CA -> StartCom Certification Authority (one path shows this with SHA1withRSA and the other shows SHA256withRSA).
Looking at the Handshake Simulation section, it clearly shows that Android 5.0.0 functions properly, but it also shows that Java 7u25 has a 'protocol or cipher suite mismatch'. This same warning shows up for other, deprecated systems and is probably due to my having turned off older, insecure access protocols.
Can anyone suggest how to get this working properly? Yes, I could work around this by a) allowing all certificates or b) not using secure protocols; but neither of these is a solution.
Thank you for your help!
