Ignoring expired EAP TLS cert

Hey,

I am using openwrt to relay BTWifi-X. I am authenticating using EAP, and have installed their DigiCert root certificate as ca_cert. It has been working well for months, but when (for an unknown reason) my router reconnected to BTWifi-X just now, I am getting a certificate expiration error because for some reason I am offered their old, expired X509 (which is actually signed by another DigiCert root), instead of their current certificate.
I don't know why BT has reverted to their old certificate (presumably a config error), but until BT notices and fixes it, is there a way for me to ignore this expiration? I can't find any such option in the network config guides.

Thanks!

Remove or comment out ca_cert and it should do mostly what you ask and connect anyway without verifying the AP's certificate. There isn't a way to tell it to accept an expired certificate when all details match except the expiration. A certificate is either good or it is bad.

This is a significant security risk because someone can set up a phony AP and you will connect and pass all your Internet usage through it. Also you will send your (hashed) BT password to the operator of the phony AP.

1 Like

I tried that; setting wireless config to:

config wifi-iface 'wifinet2'
        option ssid 'BTWifi-X'
        option network 'wwan'
        option device 'radio0'
        option mode 'sta'
        option ca_cert '' #only line changed, this previously was the digicert.pem
        option identity 'ID'
        option password 'PW'
        option disable '0'
        option eap_type 'ttls'
        option auth 'PAP'
        list domain_match ' 8021x.bt.com'
        option encryption 'wpa2+ccmp'

fails with log message: "Authentication timed out". It appears that wpa_supplicant doesn't actually try to authenticate now. Previously the log showed many messages about trying to authenticate, starting with
wpa_supplicant[24888]: wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started, but none like this appear now.

There is a difference between null string and not set at all. To make it work, comment out the ca_cert line entirely.

Authentication TTLS-PAP means that the operator of a phony AP will have your username and password in plaintext and can immediately impersonate you to BT! The AP certificate, and clients verifying it before proceeding, is critical to the security of this system.

1 Like
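As an added illustration of the point above (not code from the thread or from OpenWrt), this short linter reads a UCI wireless config and tells apart the three states discussed here: `ca_cert` set to an empty string (wpa_supplicant never starts EAP), `ca_cert` absent entirely (connects, but with no server certificate verification), and `ca_cert` plus `domain_match` set. The sample config is constructed and only keeps the options relevant to the check.

```python
"""Flag OpenWrt EAP client (sta) sections that skip server certificate checks."""
import shlex

# Constructed sample modelled on the thread: '' (breaks auth), absent
# (no verification), and the intended ca_cert + domain_match setup.
SAMPLE_CONFIG = """
config wifi-iface 'wifinet2'
        option mode 'sta'
        option eap_type 'ttls'
        option ca_cert ''  # a trailing comment, as in the thread

config wifi-iface 'wifinet3'
        option mode 'sta'
        option eap_type 'ttls'

config wifi-iface 'wifinet4'
        option mode 'sta'
        option eap_type 'ttls'
        option ca_cert '/etc/digicert.pem'
        list domain_match '8021x.bt.com'
"""

def parse_uci(text):
    """Return [(section_type, name, {key: value or [values]})] for a UCI file."""
    sections = []
    for line in text.splitlines():
        words = shlex.split(line, comments=True)  # quoted values, '#' comments
        if not words:
            continue
        if words[0] == 'config':
            sections.append((words[1], words[2] if len(words) > 2 else None, {}))
        elif words[0] == 'option' and sections:
            sections[-1][2][words[1]] = words[2] if len(words) > 2 else ''
        elif words[0] == 'list' and sections:
            sections[-1][2].setdefault(words[1], []).append(words[2] if len(words) > 2 else '')
    return sections

def audit(text):
    """Map each EAP station section name to a finding, or None if it looks right."""
    findings = {}
    for stype, name, opts in parse_uci(text):
        if stype != 'wifi-iface' or opts.get('mode') != 'sta' or 'eap_type' not in opts:
            continue  # only EAP client interfaces matter here
        if 'ca_cert' not in opts:
            findings[name] = 'ca_cert absent: server certificate is not verified'
        elif opts['ca_cert'] == '':
            findings[name] = "ca_cert is '': wpa_supplicant will not authenticate"
        elif 'domain_match' not in opts:
            findings[name] = 'ca_cert set but no domain_match: any cert from that CA passes'
        else:
            findings[name] = None
    return findings
```

Run `audit(open('/etc/config/wireless').read())` on a router to check a real config; the unset-versus-empty distinction is exactly why the `''` attempt timed out instead of connecting.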

I did also try it with the line commented out entirely; and the behaviour is identical. I am now rebooting the router instead of just doing /etc/init.d/network restart, maybe that makes a difference.

edit: Well it didn't. I have returned to my original config (with ca_cert set to the latest DigiCert), and now no attempt at EAP auth is occurring either... BT-Wifi (without X) still works, so I think BT is having issues.

Thank you for the help; I appreciate the security warning, but no internet is far worse than a remote chance of a man-in-the-middle attack.

Hi @JS29

Did you manage to solve this?

Not really. I switched to using BT-Wifi for a day or two, and then BT-Wifi-X worked again.