Bug 1236548

Summary: incorrect usage of system CA certs with wpa_supplicant
Product: [Fedora] Fedora Reporter: Roman Kagan <rkagan>
Component: NetworkManagerAssignee: Lubomir Rintel <lkundrak>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 22CC: awilliam, dcbw, lkundrak, psimerda, rkhan, thaller
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: NetworkManager-1.0.4-1.fc22 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-07-19 19:51:45 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Roman Kagan 2015-06-29 12:06:29 UTC 
Description of problem:

NM fails to connect to a wpa-enterprise network despite the CA certificates are properly added to the system CA trust store.

Version-Release number of selected component (if applicable):
NetworkManager-1.0.2-1.fc22.x86_64
wpa_supplicant-2.3-3.fc22.x86_64
openssl-1.0.1k-10.fc22.x86_64
ca-certificates-2015.2.4-1.0.fc22.noarch

How reproducible:
always

Steps to Reproduce:
1. add CA certificate to system trust store per update-ca-trust(8)
2. try to connect to a WPA-Enterprise network using a certificate signed by that CA

Actual results:
connection failure; /var/log/wpa_supplicant.log containing
...
TLS: Certificate verification failed, error 20 (unable to get local issuer certificate) depth 1 for '... CA'
wlp4s0: CTRL-EVENT-EAP-TLS-CERT-ERROR reason=1 depth=1 subject='... CA' err='unable to get local issuer certificate'
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
OpenSSL: openssl_handshake - SSL_connect error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
wlp4s0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
...

Expected results:
connection succeeds

Additional info:

When 802-1x.ca-cert and 802-1x.ca-path are unset and 802-1x.system-ca-certs is true, NetworkManager passes ca_path=/etc/pki/tls/certs to wpa_supplicant (ditto for 802-1x.phase2-ca-cert and 802-1x.phase2-ca-cert => ca_path2).

The problem is that ca_path is treated by wpa_supplicant as an openssl ca certificate *directory* (third argument to https://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html), but nothing in Fedora populates that directory with individual certificates.  Rather, per https://fedoraproject.org/wiki/Features/SharedSystemCertificates, openssl should be pointed at one of the ca-bundle pem files (e.g. /etc/pki/tls/cert.pem).
Comment 1 Jirka Klimes 2015-06-30 08:00:01 UTC 
NetworkManager.spec contains "--with-system-ca-path=/etc/pki/tls/certs". As you wrote, the directory is used as ca_path option for wpa_supplicant that passes that to SSL_CTX_load_verify_locations(). And it doesn't work because Fedora uses certificate bundle files instead of directories with individual hashed certificates.

There are quite extensive discussion about trusted certificate store and such. Reading through it, I seem to be unable to find out the best solution.

I guess we could either specify ca_cert parameter for wpa_supplicant (https://w1.fi/cgit/hostap/tree/src/crypto/tls_openssl.c#n1792) as "/etc/pki/tls/cert.pem" instead of ca_path. The file is a link to the proper extracted certificates.
/etc/pki/tls/cert.pem -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

Or, it might be better if wpa_supplicant used SSL_CTX_set_default_verify_paths(), which would cause using default OpenSSL trust store.

Here are some interesting links:
* bug 1053882
* bug 873373
* https://bugs.archlinux.org/task/43450
* https://www.happyassassin.net/2015/01/12/a-note-about-ssltls-trusted-certificate-stores-and-platforms/
* http://lists.shmoo.com/pipermail/hostap/2008-December/018936.html
Comment 2 Adam Williamson 2015-06-30 15:31:12 UTC 
FWIW I'd say you're exactly right, Jirka - the ideal would be for wpa_supplicant to use SSL_CTX_set_default_verify_paths() (with the caveat that I believe it's used on Android and I haven't investigated at all whether that works on Android or not); otherwise, setting ca_path to /etc/pki/tls/ca-bundle.crt would be the preferred choice.

I don't know if NM uses its setting for anything else, but it's notable that NM's configure script *only* allows you to specify a CA path, not a CA bundle file location. We do in fact have a directory in the expected format:

/etc/pki/ca-trust/extracted/pem/directory-hash/

which we could point it to; I don't think it's terribly commonly used, but it ought to work.

Note I have a proposal and patches in https://bugzilla.redhat.com/show_bug.cgi?id=1053882 to make ca-certificates provide /etc/ssl/certs in the hashed-directory format, which seems to have gotten stuck, no response from the maintainers lately.
Comment 3 Roman Kagan 2015-06-30 16:05:39 UTC 
(In reply to Adam Williamson from comment #2)
> the ideal would be for
> wpa_supplicant to use SSL_CTX_set_default_verify_paths()

Well the logic in wpa_supplicant is not so straightforward: currently if neither ca_path nor ca_file is given it opts not to verify certificates at all.  So it'll probably need an extra option then to distinguish between no-verify and verify-with-default-certs.  Anyway, as you point out, wpa_supplicant has broader usage than NM, so I thought it was easier for NM to adjust.

> otherwise, setting ca_path to
> /etc/pki/tls/ca-bundle.crt would be the preferred choice.

No, ca_path is interpreted as a directory.  It has to be ca_file pointing at this file (you mean /etc/pki/tls/cert.pem or /etc/pki/tls/certs/ca-bundle.crt, don't you?)

> NM's configure script *only* allows you to specify a CA path, not a CA
> bundle file location.

It's not a big deal to test if it's given a file or a directory, and make up an appropriate option for wpa_supplicant.  (Arguably it should have done so for 802-1x.ca-cert instead of creating 802-1x.ca-path, too, but it's to late now.)

> We do in fact have a directory in the expected format:
> 
> /etc/pki/ca-trust/extracted/pem/directory-hash/

Do we?  Which package / version?
Comment 4 Adam Williamson 2015-06-30 16:13:40 UTC 
Roman: please make all obvious corrections to any emails I send before 8am. ;) Yes, I meant ca_file and /etc/pki/tls/certs/ca-bundle.crt .

"Do we?  Which package / version?" [referring to /etc/pki/ca-trust/extracted/pem/directory-hash/]

Ah, crap - I just realized that's part of my patch posted in #1053882, not part of current ca-certificates. Sorry, I forgot. So indeed, current official ca-certificates does not provide a hashed directory, only bundle files.
Comment 5 Jirka Klimes 2015-07-01 13:49:16 UTC 
I was not able to find /etc/pki/ca-trust/extracted/pem/directory-hash/ too. That's a pity it is not there.
So I think the easiest way is to enhance 'with_system_ca_path' in NetworkManager to allow either a directory or a filename. And in the latter case, NM will populate wpa_supplicant's ca_cert instead of ca_path.

I pushed a branch with the fix upstream: jk/system-ca-certs-rh1236548

Fedora 22 NetworkManager test build:
http://koji.fedoraproject.org/koji/taskinfo?taskID=10259225
Comment 6 Dan Williams 2015-07-02 20:37:31 UTC 
LGTM
Comment 7 Jirka Klimes 2015-07-08 15:14:58 UTC 
Committed upstream:
master: 640eb8f supplicant: allow with_system_ca_path to be a file name (rh #1236548)
nm-1-0: c73eeb3 supplicant: allow with_system_ca_path to be a file name (rh #1236548)
Comment 8 Fedora Admin XMLRPC Client 2015-08-18 15:00:18 UTC 
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 9 Fedora End Of Life 2016-07-19 19:51:45 UTC 
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.
Comment 10 Adam Williamson 2016-08-19 22:16:28 UTC 
This would've been fixed at some point as an update was submitted, so let's change resolution to ERRATA.