Bug 1453066

Summary: Can't connect to PEAP / GTC wireless network
Product: Fedora
Component: openssl
Version: 26
Hardware: x86_64
OS: Linux
Status: CLOSED ERRATA
Fixed In Version: openssl-1.1.0f-3.fc26
Type: Bug
Last Closed: 2017-06-17 19:43:29 UTC
Reporter: Steven Haigh <netwiz>
Assignee: Tomas Mraz <tmraz>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: bgalvani, code, dcbw, fgiudici, lkundrak, netwiz, tmraz
Severity: unspecified
Priority: unspecified

Attachments:
- initial output of tshark -nV -i wlp2s0
- Output of running wpa_supplicant with suggested wpas.conf
- tshark output with config as per comment 20
- Packet trace of successful connection with F25 live boot

Description Steven Haigh 2017-05-22 05:15:12 UTC
Description of problem:
After upgrade from Fedora 25 to 26, I lost the ability to connect to our corporate PEAP/GTC wireless network.


Version-Release number of selected component (if applicable):
# rpm -qa | grep Network | sort
NetworkManager-1.8.0-2.fc26.x86_64
NetworkManager-adsl-1.8.0-2.fc26.x86_64
NetworkManager-bluetooth-1.8.0-2.fc26.x86_64
NetworkManager-config-connectivity-fedora-1.8.0-2.fc26.noarch
NetworkManager-glib-1.8.0-2.fc26.x86_64
NetworkManager-l2tp-1.2.6-1.fc26.x86_64
NetworkManager-libnm-1.8.0-2.fc26.x86_64
NetworkManager-libreswan-1.2.4-2.fc26.x86_64
NetworkManager-openconnect-1.2.4-4.fc26.x86_64
NetworkManager-openvpn-1.2.10-1.fc26.x86_64
NetworkManager-pptp-1.2.4-2.fc26.x86_64
NetworkManager-team-1.8.0-2.fc26.x86_64
NetworkManager-vpnc-1.2.4-2.fc26.x86_64
NetworkManager-wifi-1.8.0-2.fc26.x86_64
NetworkManager-wwan-1.8.0-2.fc26.x86_64

Logs from trying to connect. SSID & username sanitised:
NetworkManager[980]: <info>  [1495429811.7853] device (wlp2s0): Activation: starting connection '<SSID>' (8a00ef82-4757-460f-aab8-87d5122c7522)
NetworkManager[980]: <info>  [1495429811.7854] audit: op="connection-activate" uuid="8a00ef82-4757-460f-aab8-87d5122c7522" name="<SSID>" pid=1264 uid=1000 result="success"
NetworkManager[980]: <info>  [1495429811.7856] device (wlp2s0): state change: disconnected -> prepare (reason 'none') [30 40 0]
NetworkManager[980]: <info>  [1495429811.8161] device (wlp2s0): set-hw-addr: reset MAC address to 24:77:03:F2:26:70 (preserve)
kernel: iwlwifi 0000:02:00.0: L1 Enabled - LTR Disabled
kernel: iwlwifi 0000:02:00.0: L1 Enabled - LTR Disabled
kernel: iwlwifi 0000:02:00.0: Radio type=0x0-0x3-0x1
kernel: iwlwifi 0000:02:00.0: L1 Enabled - LTR Disabled
kernel: iwlwifi 0000:02:00.0: L1 Enabled - LTR Disabled
kernel: iwlwifi 0000:02:00.0: Radio type=0x0-0x3-0x1
kernel: IPv6: ADDRCONF(NETDEV_UP): wlp2s0: link is not ready
NetworkManager[980]: <info>  [1495429812.1492] device (wlp2s0): supplicant interface state: inactive -> disabled
NetworkManager[980]: <info>  [1495429812.1497] device (wlp2s0): supplicant interface state: disabled -> inactive
NetworkManager[980]: <info>  [1495429812.1500] device (wlp2s0): state change: prepare -> config (reason 'none') [40 50 0]
NetworkManager[980]: <info>  [1495429812.1502] device (wlp2s0): Activation: (wifi) access point '<SSID>' has security, but secrets are required.
NetworkManager[980]: <info>  [1495429812.1502] device (wlp2s0): state change: config -> need-auth (reason 'none') [50 60 0]
kded5[2212]: plasma-nm: Unhandled active connection state change:  1
NetworkManager[980]: <info>  [1495429812.1747] device (wlp2s0): state change: need-auth -> prepare (reason 'none') [60 40 0]
NetworkManager[980]: <info>  [1495429812.1751] device (wlp2s0): state change: prepare -> config (reason 'none') [40 50 0]
NetworkManager[980]: <info>  [1495429812.1753] device (wlp2s0): Activation: (wifi) connection '<SSID>' has security, and secrets exist.  No new secrets needed.
NetworkManager[980]: <info>  [1495429812.1753] Config: added 'ssid' value '<SSID>'
NetworkManager[980]: <info>  [1495429812.1753] Config: added 'scan_ssid' value '1'
NetworkManager[980]: <info>  [1495429812.1753] Config: added 'key_mgmt' value 'WPA-EAP'
NetworkManager[980]: <info>  [1495429812.1753] Config: added 'password' value '<hidden>'
NetworkManager[980]: <info>  [1495429812.1753] Config: added 'eap' value 'PEAP'
NetworkManager[980]: <info>  [1495429812.1754] Config: added 'fragment_size' value '1266'
NetworkManager[980]: <info>  [1495429812.1754] Config: added 'phase2' value 'auth=GTC'
NetworkManager[980]: <info>  [1495429812.1754] Config: added 'ca_cert' value '/etc/pki/tls/certs/ca-bundle.trust.crt'
NetworkManager[980]: <info>  [1495429812.1754] Config: added 'identity' value '<username>'
NetworkManager[980]: <info>  [1495429812.1754] Config: added 'bgscan' value 'simple:30:-65:300'
NetworkManager[980]: <info>  [1495429812.1754] Config: added 'proactive_key_caching' value '1'
NetworkManager[980]: <info>  [1495429812.1845] device (wlp2s0): supplicant interface state: inactive -> scanning
wpa_supplicant[1079]: wlp2s0: SME: Trying to authenticate with 04:bd:88:ba:e1:31 (SSID='<SSID>' freq=5260 MHz)
kernel: wlp2s0: authenticate with 04:bd:88:ba:e1:31
kernel: wlp2s0: send auth to 04:bd:88:ba:e1:31 (try 1/3)
NetworkManager[980]: <info>  [1495429815.1267] device (wlp2s0): supplicant interface state: scanning -> authenticating
wpa_supplicant[1079]: wlp2s0: Trying to associate with 04:bd:88:ba:e1:31 (SSID='<SSID>' freq=5260 MHz)
kernel: wlp2s0: authenticated
kernel: wlp2s0: associate with 04:bd:88:ba:e1:31 (try 1/3)
kernel: wlp2s0: RX AssocResp from 04:bd:88:ba:e1:31 (capab=0x11 status=0 aid=3)
wpa_supplicant[1079]: wlp2s0: Associated with 04:bd:88:ba:e1:31
wpa_supplicant[1079]: wlp2s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
kernel: wlp2s0: associated
kernel: IPv6: ADDRCONF(NETDEV_CHANGE): wlp2s0: link becomes ready
NetworkManager[980]: <info>  [1495429815.1974] device (wlp2s0): supplicant interface state: authenticating -> associated
wpa_supplicant[1079]: wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=COUNTRY_IE type=COUNTRY alpha2=AU
wpa_supplicant[1079]: wlp2s0: CTRL-EVENT-EAP-STARTED EAP authentication started
kernel: wlp2s0: Limiting TX power to 23 (23 - 0) dBm as advertised by 04:bd:88:ba:e1:31
wpa_supplicant[1079]: wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13 -> NAK
wpa_supplicant[1079]: wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wpa_supplicant[1079]: wlp2s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
kernel: wlp2s0: deauthenticated from 04:bd:88:ba:e1:31 (Reason: 3=DEAUTH_LEAVING)
wpa_supplicant[1079]: wlp2s0: CTRL-EVENT-DISCONNECTED bssid=04:bd:88:ba:e1:31 reason=3
wpa_supplicant[1079]: wlp2s0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="<SSID>" auth_failures=1 duration=10 reason=CONN_FAILED
NetworkManager[980]: <warn>  [1495429815.3668] sup-iface[0x55a60b6b4500,wlp2s0]: connection disconnected (reason 3)
NetworkManager[980]: <info>  [1495429815.3718] device (wlp2s0): supplicant interface state: associated -> disconnected
wpa_supplicant[1079]: wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
wpa_supplicant[1079]: wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=USER type=COUNTRY alpha2=AU
NetworkManager[980]: <info>  [1495429815.4710] device (wlp2s0): supplicant interface state: disconnected -> scanning
kded5[2212]: networkmanager-qt: virtual void NetworkManager::DevicePrivate::propertyChanged(const QString&, const QVariant&) Unhandled property "RxBytes"
kded5[2212]: networkmanager-qt: virtual void NetworkManager::DevicePrivate::propertyChanged(const QString&, const QVariant&) Unhandled property "TxBytes"
plasmashell[1264]: networkmanager-qt: virtual void NetworkManager::DevicePrivate::propertyChanged(const QString&, const QVariant&) Unhandled property "RxBytes"
plasmashell[1264]: networkmanager-qt: virtual void NetworkManager::DevicePrivate::propertyChanged(const QString&, const QVariant&) Unhandled property "TxBytes"

Comment 1 Steven Haigh 2017-05-22 05:16:10 UTC
Just to confirm, this worked in Fedora 25.

Have removed the connection from NM and re-created. Still no joy.

Comment 2 Steven Haigh 2017-05-23 00:46:28 UTC
Have tested with the following updates. Issue still exists:

# rpm -qa | grep Network | sort
NetworkManager-1.8.0-3.fc26.x86_64
NetworkManager-adsl-1.8.0-3.fc26.x86_64
NetworkManager-bluetooth-1.8.0-3.fc26.x86_64
NetworkManager-config-connectivity-fedora-1.8.0-3.fc26.noarch
NetworkManager-glib-1.8.0-3.fc26.x86_64
NetworkManager-l2tp-1.2.6-1.fc26.x86_64
NetworkManager-libnm-1.8.0-3.fc26.x86_64
NetworkManager-libreswan-1.2.4-2.fc26.x86_64
NetworkManager-openconnect-1.2.4-4.fc26.x86_64
NetworkManager-openvpn-1.2.10-1.fc26.x86_64
NetworkManager-pptp-1.2.4-2.fc26.x86_64
NetworkManager-team-1.8.0-3.fc26.x86_64
NetworkManager-vpnc-1.2.4-2.fc26.x86_64
NetworkManager-wifi-1.8.0-3.fc26.x86_64
NetworkManager-wwan-1.8.0-3.fc26.x86_64

Comment 3 Steven Haigh 2017-05-23 05:11:18 UTC
After setting wpa_supplicant to debug mode via:
busctl set-property fi.w1.wpa_supplicant1 \
                    /fi/w1/wpa_supplicant1 \
                    fi.w1.wpa_supplicant1 DebugLevel s debug

I think this is the part of the log that contains the information required...

NetworkManager[5674]: <info>  [1495515827.5548] device (wlp2s0): supplicant interface state: associating -> associated
wpa_supplicant[1040]: l2_packet_receive: src=04:bd:88:ba:e1:31 len=46
wpa_supplicant[1040]: wlp2s0: RX EAPOL from 04:bd:88:ba:e1:31
wpa_supplicant[1040]: EAP: EAP-Request Identity data - hexdump_ascii(len=0):
wpa_supplicant[1040]: EAP: using real identity - hexdump_ascii(len=6):
wpa_supplicant[1040]:      73 68 61 69 67 68                                 <username>
wpa_supplicant[1040]: wlp2s0: Setting authentication timeout: 70 sec 0 usec
wpa_supplicant[1040]: EAPOL: Received EAP-Packet frame
wpa_supplicant[1040]: EAPOL: SUPP_PAE entering state RESTART
wpa_supplicant[1040]: EAP: EAP entering state INITIALIZE
wpa_supplicant[1040]: EAP: EAP entering state IDLE
wpa_supplicant[1040]: EAPOL: SUPP_PAE entering state AUTHENTICATING
wpa_supplicant[1040]: EAPOL: SUPP_BE entering state REQUEST
wpa_supplicant[1040]: EAPOL: getSuppRsp
wpa_supplicant[1040]: EAP: EAP entering state RECEIVED
wpa_supplicant[1040]: EAP: Received EAP-Request id=1 method=1 vendor=0 vendorMethod=0
wpa_supplicant[1040]: EAP: EAP entering state IDENTITY
wpa_supplicant[1040]: wlp2s0: CTRL-EVENT-EAP-STARTED EAP authentication started
wpa_supplicant[1040]: EAP: Status notification: started (param=)
wpa_supplicant[1040]: EAP: EAP entering state SEND_RESPONSE
wpa_supplicant[1040]: EAP: EAP entering state IDLE
wpa_supplicant[1040]: EAPOL: SUPP_BE entering state RESPONSE
wpa_supplicant[1040]: EAPOL: txSuppRsp
wpa_supplicant[1040]: TX EAPOL: dst=04:bd:88:ba:e1:31
wpa_supplicant[1040]: EAPOL: SUPP_BE entering state RECEIVE
kernel: wlp2s0: Limiting TX power to 23 (23 - 0) dBm as advertised by 04:bd:88:ba:e1:31
wpa_supplicant[1040]: l2_packet_receive: src=04:bd:88:ba:e1:31 len=46
wpa_supplicant[1040]: wlp2s0: RX EAPOL from 04:bd:88:ba:e1:31
wpa_supplicant[1040]: EAPOL: Received EAP-Packet frame
wpa_supplicant[1040]: EAPOL: SUPP_BE entering state REQUEST
wpa_supplicant[1040]: EAPOL: getSuppRsp
wpa_supplicant[1040]: EAP: EAP entering state RECEIVED
wpa_supplicant[1040]: EAP: Received EAP-Request id=2 method=13 vendor=0 vendorMethod=0
wpa_supplicant[1040]: EAP: EAP entering state GET_METHOD
wpa_supplicant[1040]: EAP: configuration does not allow: vendor 0 method 13
wpa_supplicant[1040]: EAP: vendor 0 method 13 not allowed
wpa_supplicant[1040]: wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13 -> NAK
wpa_supplicant[1040]: EAP: Status notification: refuse proposed method (param=TLS)
wpa_supplicant[1040]: EAP: Building EAP-Nak (requested type 13 vendor=0 method=0 not allowed)
wpa_supplicant[1040]: EAP: allowed methods - hexdump(len=1): 19
wpa_supplicant[1040]: EAP: EAP entering state SEND_RESPONSE
wpa_supplicant[1040]: EAP: EAP entering state IDLE
wpa_supplicant[1040]: EAPOL: SUPP_BE entering state RESPONSE
wpa_supplicant[1040]: EAPOL: txSuppRsp
wpa_supplicant[1040]: TX EAPOL: dst=04:bd:88:ba:e1:31
wpa_supplicant[1040]: EAPOL: SUPP_BE entering state RECEIVE
wpa_supplicant[1040]: l2_packet_receive: src=04:bd:88:ba:e1:31 len=46
wpa_supplicant[1040]: wlp2s0: RX EAPOL from 04:bd:88:ba:e1:31
wpa_supplicant[1040]: EAPOL: Received EAP-Packet frame
wpa_supplicant[1040]: EAPOL: SUPP_BE entering state REQUEST
wpa_supplicant[1040]: EAPOL: getSuppRsp
wpa_supplicant[1040]: EAP: EAP entering state RECEIVED
wpa_supplicant[1040]: EAP: Received EAP-Request id=3 method=25 vendor=0 vendorMethod=0
wpa_supplicant[1040]: EAP: EAP entering state GET_METHOD
wpa_supplicant[1040]: wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wpa_supplicant[1040]: EAP: Status notification: accept proposed method (param=PEAP)
wpa_supplicant[1040]: EAP: Initialize selected EAP method: vendor 0 method 25 (PEAP)
wpa_supplicant[1040]: TLS: Phase2 EAP types - hexdump(len=8): 00 00 00 00 06 00 00 00
wpa_supplicant[1040]: TLS: using phase1 config options
wpa_supplicant[1040]: wlp2s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
wpa_supplicant[1040]: EAP: EAP entering state METHOD
wpa_supplicant[1040]: SSL: Received packet(len=6) - Flags 0x20
wpa_supplicant[1040]: EAP-PEAP: Start (server ver=0, own ver=1)
wpa_supplicant[1040]: EAP-PEAP: Using PEAP version 0
wpa_supplicant[1040]: SSL: (where=0x10 ret=0x1)
wpa_supplicant[1040]: SSL: (where=0x1001 ret=0x1)
wpa_supplicant[1040]: SSL: SSL_connect:before SSL initialization
wpa_supplicant[1040]: OpenSSL: TX ver=0x0 content_type=256 (TLS header info/)
wpa_supplicant[1040]: OpenSSL: TX ver=0x303 content_type=22 (handshake/client hello)
wpa_supplicant[1040]: SSL: (where=0x1001 ret=0x1)
wpa_supplicant[1040]: SSL: SSL_connect:SSLv3/TLS write client hello
wpa_supplicant[1040]: SSL: (where=0x1002 ret=0xffffffff)
wpa_supplicant[1040]: SSL: SSL_connect:error in SSLv3/TLS write client hello
wpa_supplicant[1040]: SSL: SSL_connect - want more data
wpa_supplicant[1040]: SSL: 172 bytes pending from ssl_out
wpa_supplicant[1040]: SSL: 172 bytes left to be sent out (of total 172 bytes)
wpa_supplicant[1040]: EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL eapRespData=0x559ae3d522b0
wpa_supplicant[1040]: EAP: EAP entering state SEND_RESPONSE
wpa_supplicant[1040]: EAP: EAP entering state IDLE
wpa_supplicant[1040]: EAPOL: SUPP_BE entering state RESPONSE
wpa_supplicant[1040]: EAPOL: txSuppRsp
wpa_supplicant[1040]: TX EAPOL: dst=04:bd:88:ba:e1:31
wpa_supplicant[1040]: EAPOL: SUPP_BE entering state RECEIVE
wpa_supplicant[1040]: l2_packet_receive: src=04:bd:88:ba:e1:31 len=46
wpa_supplicant[1040]: wlp2s0: RX EAPOL from 04:bd:88:ba:e1:31
wpa_supplicant[1040]: EAPOL: Received EAP-Packet frame
wpa_supplicant[1040]: EAPOL: SUPP_BE entering state REQUEST
wpa_supplicant[1040]: EAPOL: getSuppRsp
wpa_supplicant[1040]: EAP: EAP entering state RECEIVED
wpa_supplicant[1040]: EAP: Ignored EAP-Response
wpa_supplicant[1040]: EAP: EAP entering state DISCARD
wpa_supplicant[1040]: EAP: EAP entering state IDLE
wpa_supplicant[1040]: EAPOL: SUPP_BE entering state RECEIVE
wpa_supplicant[1040]: l2_packet_receive: src=04:bd:88:ba:e1:31 len=46
wpa_supplicant[1040]: wlp2s0: RX EAPOL from 04:bd:88:ba:e1:31
wpa_supplicant[1040]: EAPOL: Received EAP-Packet frame
wpa_supplicant[1040]: EAPOL: SUPP_BE entering state REQUEST
wpa_supplicant[1040]: EAPOL: getSuppRsp
wpa_supplicant[1040]: EAP: EAP entering state RECEIVED
wpa_supplicant[1040]: EAP: Received EAP-Failure
wpa_supplicant[1040]: EAP: Status notification: completion (param=failure)
wpa_supplicant[1040]: EAP: EAP-Success Id mismatch - reqId=2 lastId=3
wpa_supplicant[1040]: EAP: EAP entering state DISCARD
wpa_supplicant[1040]: EAP: EAP entering state IDLE
wpa_supplicant[1040]: EAPOL: SUPP_BE entering state RECEIVE
kernel: wlp2s0: deauthenticated from 04:bd:88:ba:e1:31 (Reason: 3=DEAUTH_LEAVING)

Comment 4 Steven Haigh 2017-05-23 06:22:17 UTC
Connection properties via 'nmcli con show <SSID>':

Have substituted my username with <username> and the SSID with <SSID>.

connection.id:                          <SSID>
connection.uuid:                        61203079-f030-4eef-bb8d-823b8031d50d
connection.stable-id:                   --
connection.interface-name:              --
connection.type:                        802-11-wireless
connection.autoconnect:                 yes
connection.autoconnect-priority:        0
connection.autoconnect-retries:         -1 (default)
connection.timestamp:                   0
connection.read-only:                   no
connection.permissions:                 user:<username>
connection.zone:                        work
connection.master:                      --
connection.slave-type:                  --
connection.autoconnect-slaves:          -1 (default)
connection.secondaries:                 --
connection.gateway-ping-timeout:        0
connection.metered:                     unknown
connection.lldp:                        -1 (default)
802-1x.eap:                             peap
802-1x.identity:                        <username>
802-1x.anonymous-identity:              --
802-1x.pac-file:                        --
802-1x.ca-cert:                         --
802-1x.ca-cert-password:                <hidden>
802-1x.ca-cert-password-flags:          0 (none)
802-1x.ca-path:                         --
802-1x.subject-match:                   --
802-1x.altsubject-matches:              --
802-1x.domain-suffix-match:             --
802-1x.client-cert:                     --
802-1x.client-cert-password:            <hidden>
802-1x.client-cert-password-flags:      0 (none)
802-1x.phase1-peapver:                  --
802-1x.phase1-peaplabel:                --
802-1x.phase1-fast-provisioning:        --
802-1x.phase1-auth-flags:               0 (none)
802-1x.phase2-auth:                     gtc
802-1x.phase2-autheap:                  --
802-1x.phase2-ca-cert:                  0 (none)
802-1x.phase2-ca-cert-password:         --
802-1x.phase2-ca-cert-password-flags:   <hidden>
802-1x.phase2-ca-path:                  --
802-1x.phase2-subject-match:            --
802-1x.phase2-altsubject-matches:       --
802-1x.phase2-domain-suffix-match:      --
802-1x.phase2-client-cert:              --
802-1x.phase2-client-cert-password:     <hidden>
802-1x.phase2-client-cert-password-flags:0 (none)
802-1x.password:                        <hidden>
802-1x.password-flags:                  1 (agent-owned)
802-1x.password-raw:                    <hidden>
802-1x.password-raw-flags:              0 (none)
802-1x.private-key:                     --
802-1x.private-key-password:            <hidden>
802-1x.private-key-password-flags:      0 (none)
802-1x.phase2-private-key:              --
802-1x.phase2-private-key-password:     <hidden>
802-1x.phase2-private-key-password-flags:0 (none)
802-1x.pin:                             <hidden>
802-1x.pin-flags:                       0 (none)
802-1x.system-ca-certs:                 no
802-1x.auth-timeout:                    0
802-11-wireless.ssid:                   <SSID>
802-11-wireless.mode:                   infrastructure
802-11-wireless.band:                   --
802-11-wireless.channel:                0
802-11-wireless.bssid:                  --
802-11-wireless.rate:                   0
802-11-wireless.tx-power:               0
802-11-wireless.mac-address:            --
802-11-wireless.cloned-mac-address:     --
802-11-wireless.generate-mac-address-mask:--
802-11-wireless.mac-address-blacklist:  --
802-11-wireless.mac-address-randomization:default
802-11-wireless.mtu:                    auto
802-11-wireless.seen-bssids:            --
802-11-wireless.hidden:                 no
802-11-wireless.powersave:              default (0)
802-11-wireless-security.key-mgmt:      wpa-eap
802-11-wireless-security.wep-tx-keyidx: 0
802-11-wireless-security.auth-alg:      --
802-11-wireless-security.proto:         --
802-11-wireless-security.pairwise:      --
802-11-wireless-security.group:         --
802-11-wireless-security.leap-username: --
802-11-wireless-security.wep-key0:      <hidden>
802-11-wireless-security.wep-key1:      <hidden>
802-11-wireless-security.wep-key2:      <hidden>
802-11-wireless-security.wep-key3:      <hidden>
802-11-wireless-security.wep-key-flags: 0 (none)
802-11-wireless-security.wep-key-type:  0 (unknown)
802-11-wireless-security.psk:           <hidden>
802-11-wireless-security.psk-flags:     0 (none)
802-11-wireless-security.leap-password: <hidden>
802-11-wireless-security.leap-password-flags:0 (none)
ipv4.method:                            auto
ipv4.dns:                               --
ipv4.dns-search:                        --
ipv4.dns-options:                       (default)
ipv4.dns-priority:                      0
ipv4.addresses:                         --
ipv4.gateway:                           --
ipv4.routes:                            --
ipv4.route-metric:                      -1
ipv4.ignore-auto-routes:                no
ipv4.ignore-auto-dns:                   no
ipv4.dhcp-client-id:                    --
ipv4.dhcp-timeout:                      0
ipv4.dhcp-send-hostname:                yes
ipv4.dhcp-hostname:                     --
ipv4.dhcp-fqdn:                         --
ipv4.never-default:                     no
ipv4.may-fail:                          yes
ipv4.dad-timeout:                       -1 (default)
ipv6.method:                            ignore
ipv6.dns:                               --
ipv6.dns-search:                        --
ipv6.dns-options:                       (default)
ipv6.dns-priority:                      0
ipv6.addresses:                         --
ipv6.gateway:                           --
ipv6.routes:                            --
ipv6.route-metric:                      -1
ipv6.ignore-auto-routes:                no
ipv6.ignore-auto-dns:                   no
ipv6.never-default:                     no
ipv6.may-fail:                          yes
ipv6.ip6-privacy:                       -1 (unknown)
ipv6.addr-gen-mode:                     stable-privacy
ipv6.dhcp-send-hostname:                yes
ipv6.dhcp-hostname:                     --
ipv6.token:                             --
proxy.method:                           none
proxy.browser-only:                     no
proxy.pac-url:                          --
proxy.pac-script:                       --

Comment 5 Beniamino Galvani 2017-05-25 07:29:09 UTC
> wpa_supplicant[1040]: SSL: SSL_connect:error in SSLv3/TLS write client hello

It seems there is a problem during the TLS handshake. Can you try to capture the authentication traffic and analyze with wireshark if there is a TLS alert message containing a reason?

Comment 6 Steven Haigh 2017-05-25 07:37:56 UTC
I'm wondering - chances are that the CN doesn't match for the cert vs the TLS handshake.

Is there a way to ignore if the cert is valid or not to verify this theory?

Comment 7 Beniamino Galvani 2017-05-25 13:10:50 UTC
(In reply to Steven Haigh from comment #6)
> I'm wondering - chances are that the CN doesn't match for the cert vs the
> TLS handshake.
>
> Is there a way to ignore if the cert is valid or not to verify this theory?

If the connection doesn't have an 802-1x.ca-cert or 802-1x.ca-path
property and 802-1x.system-ca-certs is set to 'no', no CA file/path is
passed to wpa_supplicant and the server certificate is not verified.

However, I see in comment 1 that a:

 Config: added 'ca_cert' value '/etc/pki/tls/certs/ca-bundle.trust.crt'

is passed to wpa_supplicant, so probably the log is for a connection
different from the one in comment 4. Do you have logs for the connection in
comment 4?

I think it would be a good idea to look at packet exchange to see if
something is wrong there.

Comment 8 Steven Haigh 2017-05-25 13:17:25 UTC
I've tried a ton of options - so maybe I'm getting confused with which logs do what with which configuration. I'm pretty sure the ones in this bug report are all for the connection as pasted - but I will verify this when I have access to the network again tomorrow.

If the options as listed should *NOT* validate the cert, I will retry and ensure I have this exact configuration to validate there are no errors in my reporting.

Comment 9 Steven Haigh 2017-05-26 01:32:08 UTC
I have confirmed that the config is as per comment 4.

tshark of trying to connect:

# tshark -i wlp2s0 -n
Running as user "root" and group "root". This could be dangerous.
Capturing on 'wlp2s0'
    1 0.000000000 04:bd:88:ba:e1:21 → 24:77:03:f2:26:70 EAP 60 Request, Identity
    2 0.000162196 24:77:03:f2:26:70 → 04:bd:88:ba:e1:21 EAP 29 Response, Identity
    3 0.001072430 04:bd:88:ba:e1:21 → 24:77:03:f2:26:70 EAP 60 Request, TLS EAP (EAP-TLS)
    4 0.001222891 24:77:03:f2:26:70 → 04:bd:88:ba:e1:21 EAP 24 Response, Legacy Nak (Response Only)
    5 0.001905087 04:bd:88:ba:e1:21 → 24:77:03:f2:26:70 EAP 60 Request, Protected EAP (EAP-PEAP)
    6 0.002133774 24:77:03:f2:26:70 → 04:bd:88:ba:e1:21 SSL 200 Client Hello
    7 0.002929885 04:bd:88:ba:e1:21 → 24:77:03:f2:26:70 TLSv1 60 Alert (Level: Fatal, Description: Handshake Failure)
    8 0.004251771 04:bd:88:ba:e1:21 → 24:77:03:f2:26:70 EAP 60 Failure
    9 0.404905093 00:24:6c:b1:73:40 → 24:77:03:f2:26:70 EAP 60 Request, Identity
   10 0.405097216 24:77:03:f2:26:70 → 00:24:6c:b1:73:40 EAP 29 Response, Identity
   11 0.405982927 00:24:6c:b1:73:40 → 24:77:03:f2:26:70 EAP 60 Request, TLS EAP (EAP-TLS)
   12 0.406093176 24:77:03:f2:26:70 → 00:24:6c:b1:73:40 EAP 24 Response, Legacy Nak (Response Only)
   13 0.407088716 00:24:6c:b1:73:40 → 24:77:03:f2:26:70 EAP 60 Request, Protected EAP (EAP-PEAP)
   14 0.407361451 24:77:03:f2:26:70 → 00:24:6c:b1:73:40 SSL 200 Client Hello
   15 0.408850856 00:24:6c:b1:73:40 → 24:77:03:f2:26:70 TLSv1 60 Alert (Level: Fatal, Description: Handshake Failure)
   16 0.410187038 00:24:6c:b1:73:40 → 24:77:03:f2:26:70 EAP 60 Failure
   17 0.881191604 00:24:6c:b1:73:48 → 24:77:03:f2:26:70 EAP 60 Request, Identity
   18 0.881424634 24:77:03:f2:26:70 → 00:24:6c:b1:73:48 EAP 29 Response, Identity
   19 0.921209881 00:24:6c:b1:73:48 → 24:77:03:f2:26:70 EAP 60 Request, TLS EAP (EAP-TLS)
   20 0.921454611 24:77:03:f2:26:70 → 00:24:6c:b1:73:48 EAP 24 Response, Legacy Nak (Response Only)
   21 0.922217683 00:24:6c:b1:73:48 → 24:77:03:f2:26:70 EAP 60 Request, Protected EAP (EAP-PEAP)
   22 0.922543079 24:77:03:f2:26:70 → 00:24:6c:b1:73:48 SSL 200 Client Hello
   23 0.923455786 00:24:6c:b1:73:48 → 24:77:03:f2:26:70 TLSv1 60 Alert (Level: Fatal, Description: Handshake Failure)
   24 0.924546634 00:24:6c:b1:73:48 → 24:77:03:f2:26:70 EAP 60 Failure
   25 2.965728028 24:77:03:f2:26:70 → 00:24:6c:b1:84:88 EAPOL 18 Start
   26 2.967479400 00:24:6c:b1:84:88 → 24:77:03:f2:26:70 EAP 60 Request, Identity
   27 2.967691495 24:77:03:f2:26:70 → 00:24:6c:b1:84:88 EAP 29 Response, Identity
   28 2.968512437 00:24:6c:b1:84:88 → 24:77:03:f2:26:70 EAP 60 Request, TLS EAP (EAP-TLS)
   29 2.968680670 24:77:03:f2:26:70 → 00:24:6c:b1:84:88 EAP 24 Response, Legacy Nak (Response Only)
   30 2.969380772 00:24:6c:b1:84:88 → 24:77:03:f2:26:70 EAP 60 Request, Protected EAP (EAP-PEAP)
   31 2.969709517 24:77:03:f2:26:70 → 00:24:6c:b1:84:88 SSL 200 Client Hello
   32 2.970623049 00:24:6c:b1:84:88 → 24:77:03:f2:26:70 TLSv1 60 Alert (Level: Fatal, Description: Handshake Failure)
   33 2.971520081 00:24:6c:b1:84:88 → 24:77:03:f2:26:70 EAP 60 Failure
   34 6.191708349 00:24:6c:b1:84:80 → 24:77:03:f2:26:70 EAP 60 Request, Identity
   35 6.191849475 24:77:03:f2:26:70 → 00:24:6c:b1:84:80 EAP 29 Response, Identity
   36 10.934762431 00:24:6c:b1:84:80 → 24:77:03:f2:26:70 EAP 60 Request, Identity
   37 10.934872197 24:77:03:f2:26:70 → 00:24:6c:b1:84:80 EAP 29 Response, Identity
   38 10.936109969 00:24:6c:b1:84:80 → 24:77:03:f2:26:70 EAP 60 Request, TLS EAP (EAP-TLS)
   39 10.936373424 24:77:03:f2:26:70 → 00:24:6c:b1:84:80 EAP 24 Response, Legacy Nak (Response Only)
   40 10.945469734 00:24:6c:b1:84:80 → 24:77:03:f2:26:70 EAP 60 Request, Protected EAP (EAP-PEAP)
   41 10.945706944 24:77:03:f2:26:70 → 00:24:6c:b1:84:80 SSL 200 Client Hello
   42 10.947104899 00:24:6c:b1:84:80 → 24:77:03:f2:26:70 TLSv1 60 Alert (Level: Fatal, Description: Handshake Failure)
   43 10.948123993 00:24:6c:b1:84:80 → 24:77:03:f2:26:70 EAP 60 Failure
   44 14.197223838 04:bd:88:ba:e1:31 → 24:77:03:f2:26:70 EAP 60 Request, Identity
   45 14.197402413 24:77:03:f2:26:70 → 04:bd:88:ba:e1:31 EAP 29 Response, Identity
   46 14.280338583 04:bd:88:ba:e1:31 → 24:77:03:f2:26:70 EAP 60 Request, TLS EAP (EAP-TLS)
   47 14.280626421 24:77:03:f2:26:70 → 04:bd:88:ba:e1:31 EAP 24 Response, Legacy Nak (Response Only)
   48 14.281251908 04:bd:88:ba:e1:31 → 24:77:03:f2:26:70 EAP 60 Request, Protected EAP (EAP-PEAP)
   49 14.281623060 24:77:03:f2:26:70 → 04:bd:88:ba:e1:31 SSL 200 Client Hello
   50 14.282347796 04:bd:88:ba:e1:31 → 24:77:03:f2:26:70 TLSv1 60 Alert (Level: Fatal, Description: Handshake Failure)
   51 14.283603048 04:bd:88:ba:e1:31 → 24:77:03:f2:26:70 EAP 60 Failure
^C51 packets captured

Comment 10 Steven Haigh 2017-05-26 01:38:59 UTC
Created attachment 1282450 [details]
initial output of tshark -nV -i wlp2s0

Added output with tshark option -nV as attachment.

Comment 11 Beniamino Galvani 2017-05-26 15:21:46 UTC
Hi,

the handshake failure is probably caused by a mismatch between the
cipher suites supported by client and server. Unfortunately NM does
not allow specifying the TLS cipher suites to negotiate, and so
wpa_supplicant always sends its built-in defaults.

Maybe you can try the following (untested) to check whether the
connection succeeds using a broader set of cipher suites:

  nmcli device set wlp2s0 managed no
  cat <<EOF > wpas.conf
  network={
          ssid="ssid"
          scan_ssid=1
          key_mgmt=WPA-EAP
          password="password"
          eap=PEAP
          fragment_size=1266
          phase2="auth=GTC"
          ca_cert="/etc/pki/tls/certs/ca-bundle.trust.crt"
          identity="username"
          openssl_ciphers="ALL"
  }
  EOF
  wpa_supplicant -i wlp2s0 -c wpas.conf

Please try this and capture a wireshark trace again.

In the future, it would be useful to add to NM a property in the
802-1x connection setting to specify the allowed cipher suites. Or,
alternatively, we could always pass the PROFILE=SYSTEM cipher string,
which makes OpenSSL use the cipher suites in the current system
policy. Users could then select the cipher suites with the existing
'update-crypto-policies' infrastructure.

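The tshark summary in comment 9 shows the shape of every attempt (Identity, EAP-TLS offered and NAKed, PEAP, Client Hello, fatal alert, Failure) but not what the Client Hello actually offered, which is what the cipher-suite hypothesis in comment 11 turns on. The decoder below is an added example written for this page; it is not part of the bug report, wpa_supplicant or NetworkManager. It walks the EAP header (RFC 3748), the PEAP/EAP-TLS flags and optional length field (RFC 5216 framing), and the TLS records carried inside, and reports the Client Hello version and cipher suites plus any TLS alert. The four frames it runs on are constructed here to mirror frames 5 to 8 of the capture (PEAP Start, a Client Hello offering two hypothetical suites, a fatal handshake_failure alert, EAP-Failure); they are not bytes from the attached pcap. To use it on the real capture, feed it the raw EAP payloads extracted from the pcap.

```python
"""Decode EAP frames carrying PEAP/EAP-TLS and report the TLS details
(Client Hello version and cipher suites, TLS alerts). Added example;
the sample frames at the bottom are constructed, not captured."""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_TLS, EAP_TYPE_PEAP = 13, 25        # EAP method numbers seen in the log
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20   # TLS-in-EAP flags: Length, More, Start
ALERT_DESC = {40: "handshake_failure", 42: "bad_certificate", 48: "unknown_ca",
              70: "protocol_version", 86: "inappropriate_fallback"}


def parse_client_hello(body):
    """body is the ClientHello after the 4-byte handshake header."""
    version = struct.unpack("!H", body[:2])[0]
    off = 2 + 32                      # skip client_random
    off += 1 + body[off]              # skip session_id
    cs_len = struct.unpack("!H", body[off:off + 2])[0]
    off += 2
    suites = [struct.unpack("!H", body[off + i:off + i + 2])[0]
              for i in range(0, cs_len, 2)]
    return {"version": version, "cipher_suites": suites}


def parse_tls_records(data):
    """Split a byte string into TLS records; decode alerts and ClientHello."""
    records, off = [], 0
    while off + 5 <= len(data):
        ctype, version, rlen = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + rlen]
        off += 5 + rlen
        rec = {"content_type": ctype, "version": version}
        if ctype == 21 and len(body) >= 2:              # alert(21)
            level = "fatal" if body[0] == 2 else "warning"
            rec["alert"] = (level, ALERT_DESC.get(body[1], body[1]))
        elif ctype == 22 and body and body[0] == 1:     # handshake(22) / client_hello(1)
            rec["client_hello"] = parse_client_hello(body[4:])
        records.append(rec)
    return records


def parse_eap(frame):
    """EAP header: code(1) id(1) length(2) [type(1) [flags(1) [tls_len(4)] tls...]]."""
    code, ident, length = struct.unpack("!BBH", frame[:4])
    info = {"code": EAP_CODES.get(code, code), "id": ident,
            "type": None, "flags": 0, "tls": []}
    if code in (3, 4) or length < 5:    # Success/Failure carry no type field
        return info
    info["type"] = frame[4]
    if info["type"] in (EAP_TYPE_TLS, EAP_TYPE_PEAP):
        flags = frame[5]
        info["flags"] = flags
        off = 6 + (4 if flags & FLAG_L else 0)   # L flag: 4-byte total TLS length follows
        info["tls"] = parse_tls_records(frame[off:length])
    return info


def summarize(frames):
    """One line per EAP frame, in the spirit of the tshark summary view."""
    out = []
    for f in frames:
        e = parse_eap(f)
        line = f"{e['code']} id={e['id']}"
        if e["type"] == EAP_TYPE_PEAP:
            line += " PEAP" + (" Start" if e["flags"] & FLAG_S else "")
        for r in e["tls"]:
            if "client_hello" in r:
                ch = r["client_hello"]
                line += (f" ClientHello v=0x{ch['version']:04x} suites="
                         + ",".join(f"0x{s:04x}" for s in ch["cipher_suites"]))
            if "alert" in r:
                line += f" Alert {r['alert'][0]} {r['alert'][1]}"
        out.append(line)
    return out


def first_alert(frames):
    """Return (level, description) of the first TLS alert, or None."""
    for f in frames:
        for r in parse_eap(f)["tls"]:
            if "alert" in r:
                return r["alert"]
    return None


# --- constructed sample exchange (hypothetical bytes, not from the pcap) ---
def eap_peap(code, ident, tls, flags=0):
    body = bytes([EAP_TYPE_PEAP, flags])
    if flags & FLAG_L:
        body += struct.pack("!I", len(tls))
    body += tls
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def tls_record(ctype, body, version=0x0303):
    return struct.pack("!BHH", ctype, version, len(body)) + body


_hello = (struct.pack("!H", 0x0303) + bytes(32) + b"\x00"     # version, random, empty session id
          + struct.pack("!H", 4) + b"\xc0\x2f\x00\x9c"        # two hypothetical suites
          + b"\x01\x00")                                      # one compression method: null
SAMPLE_FRAMES = [
    eap_peap(1, 3, b"", flags=FLAG_S),                                   # PEAP Start (flags 0x20)
    eap_peap(2, 3, tls_record(22, b"\x01" + len(_hello).to_bytes(3, "big") + _hello), flags=FLAG_L),
    eap_peap(1, 4, tls_record(21, b"\x02\x28")),                         # fatal(2) handshake_failure(40)
    struct.pack("!BBH", 4, 4, 4),                                        # EAP-Failure
]

if __name__ == "__main__":
    for line in summarize(SAMPLE_FRAMES):
        print(line)
```

Comparing the suites this prints for the real Client Hello against what the RADIUS server accepts is the direct test of the comment 11 hypothesis; a fatal handshake_failure sent immediately after the Client Hello, before any ServerHello or certificate, is consistent with the server finding no usable suite (or no acceptable protocol version) in the offer. Note that openssl_ciphers="ALL" is a diagnostic setting: it re-enables every suite the build supports, including ones the system policy deliberately excludes, so once the failing suite is identified the setting should be narrowed or removed.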
Comment 12 Steven Haigh 2017-05-29 01:43:08 UTC
Tried connecting with the above 'wpas.conf' example. Output follows.

# wpa_supplicant -i wlp2s0 -c wpas.conf
Successfully initialized wpa_supplicant
wlp2s0: SME: Trying to authenticate with 04:bd:88:ba:e1:31 (SSID='<SSID>' freq=5260 MHz)
wlp2s0: Trying to associate with 04:bd:88:ba:e1:31 (SSID='<SSID>' freq=5260 MHz)
wlp2s0: Associated with 04:bd:88:ba:e1:31
wlp2s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=COUNTRY_IE type=COUNTRY alpha2=AU
wlp2s0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13 -> NAK
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wlp2s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
wlp2s0: CTRL-EVENT-DISCONNECTED bssid=04:bd:88:ba:e1:31 reason=3
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=USER type=COUNTRY alpha2=AU
wlp2s0: SME: Trying to authenticate with 04:bd:88:bb:05:91 (SSID='<SSID>' freq=5745 MHz)
wlp2s0: Trying to associate with 04:bd:88:bb:05:91 (SSID='<SSID>' freq=5745 MHz)
wlp2s0: Associated with 04:bd:88:bb:05:91
wlp2s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=COUNTRY_IE type=COUNTRY alpha2=AU
wlp2s0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13 -> NAK
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wlp2s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
wlp2s0: CTRL-EVENT-DISCONNECTED bssid=04:bd:88:bb:05:91 reason=3
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=USER type=COUNTRY alpha2=AU
wlp2s0: SME: Trying to authenticate with 04:bd:88:ba:e1:21 (SSID='<SSID>' freq=2412 MHz)
wlp2s0: Trying to associate with 04:bd:88:ba:e1:21 (SSID='<SSID>' freq=2412 MHz)
wlp2s0: Associated with 04:bd:88:ba:e1:21
wlp2s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=COUNTRY_IE type=COUNTRY alpha2=AU
wlp2s0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13 -> NAK
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wlp2s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
wlp2s0: CTRL-EVENT-DISCONNECTED bssid=04:bd:88:ba:e1:21 reason=3
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=USER type=COUNTRY alpha2=AU
wlp2s0: SME: Trying to authenticate with 04:bd:88:bb:05:82 (SSID='<SSID>' freq=2437 MHz)
wlp2s0: Trying to associate with 04:bd:88:bb:05:82 (SSID='<SSID>' freq=2437 MHz)
wlp2s0: Associated with 04:bd:88:bb:05:82
wlp2s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=COUNTRY_IE type=COUNTRY alpha2=AU
wlp2s0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13 -> NAK
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wlp2s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
wlp2s0: CTRL-EVENT-DISCONNECTED bssid=04:bd:88:bb:05:82 reason=3
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=USER type=COUNTRY alpha2=AU
wlp2s0: SME: Trying to authenticate with 00:24:6c:b1:73:48 (SSID='<SSID>' freq=5180 MHz)
wlp2s0: Trying to associate with 00:24:6c:b1:73:48 (SSID='<SSID>' freq=5180 MHz)
wlp2s0: Associated with 00:24:6c:b1:73:48
wlp2s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=COUNTRY_IE type=COUNTRY alpha2=AU
wlp2s0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13 -> NAK
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wlp2s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
wlp2s0: CTRL-EVENT-DISCONNECTED bssid=00:24:6c:b1:73:48 reason=3
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=USER type=COUNTRY alpha2=AU
wlp2s0: SME: Trying to authenticate with 00:24:6c:b1:73:40 (SSID='<SSID>' freq=2462 MHz)
wlp2s0: Trying to associate with 00:24:6c:b1:73:40 (SSID='<SSID>' freq=2462 MHz)
wlp2s0: Associated with 00:24:6c:b1:73:40
wlp2s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=COUNTRY_IE type=COUNTRY alpha2=AU
wlp2s0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13 -> NAK
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wlp2s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
wlp2s0: CTRL-EVENT-DISCONNECTED bssid=00:24:6c:b1:73:40 reason=3
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=USER type=COUNTRY alpha2=AU
wlp2s0: SME: Trying to authenticate with 00:24:6c:b1:84:88 (SSID='<SSID>' freq=5300 MHz)
wlp2s0: Trying to associate with 00:24:6c:b1:84:88 (SSID='<SSID>' freq=5300 MHz)
wlp2s0: Associated with 00:24:6c:b1:84:88
wlp2s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=COUNTRY_IE type=COUNTRY alpha2=AU
wlp2s0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13 -> NAK
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wlp2s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
wlp2s0: CTRL-EVENT-DISCONNECTED bssid=00:24:6c:b1:84:88 reason=3
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=USER type=COUNTRY alpha2=AU
wlp2s0: SME: Trying to authenticate with 00:24:6c:b1:84:80 (SSID='<SSID>' freq=2412 MHz)
wlp2s0: Trying to associate with 00:24:6c:b1:84:80 (SSID='<SSID>' freq=2412 MHz)
wlp2s0: Associated with 00:24:6c:b1:84:80
wlp2s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=COUNTRY_IE type=COUNTRY alpha2=AU
wlp2s0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13 -> NAK
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wlp2s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
wlp2s0: CTRL-EVENT-DISCONNECTED bssid=00:24:6c:b1:84:80 reason=3
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=USER type=COUNTRY alpha2=AU
wlp2s0: SME: Trying to authenticate with 04:bd:88:ba:e1:31 (SSID='<SSID>' freq=5260 MHz)
wlp2s0: Trying to associate with 04:bd:88:ba:e1:31 (SSID='<SSID>' freq=5260 MHz)
wlp2s0: Associated with 04:bd:88:ba:e1:31
wlp2s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=COUNTRY_IE type=COUNTRY alpha2=AU
wlp2s0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13 -> NAK
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wlp2s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
wlp2s0: CTRL-EVENT-DISCONNECTED bssid=04:bd:88:ba:e1:31 reason=3
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=USER type=COUNTRY alpha2=AU
wlp2s0: SME: Trying to authenticate with 04:bd:88:bb:05:91 (SSID='<SSID>' freq=5745 MHz)
wlp2s0: Trying to associate with 04:bd:88:bb:05:91 (SSID='<SSID>' freq=5745 MHz)
wlp2s0: Associated with 04:bd:88:bb:05:91
wlp2s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=COUNTRY_IE type=COUNTRY alpha2=AU
wlp2s0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13 -> NAK
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wlp2s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
wlp2s0: CTRL-EVENT-DISCONNECTED bssid=04:bd:88:bb:05:91 reason=3
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=USER type=COUNTRY alpha2=AU
wlp2s0: SME: Trying to authenticate with 04:bd:88:ba:e1:21 (SSID='<SSID>' freq=2412 MHz)
wlp2s0: Trying to associate with 04:bd:88:ba:e1:21 (SSID='<SSID>' freq=2412 MHz)
wlp2s0: Associated with 04:bd:88:ba:e1:21
wlp2s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=COUNTRY_IE type=COUNTRY alpha2=AU
wlp2s0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13 -> NAK
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wlp2s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
wlp2s0: CTRL-EVENT-DISCONNECTED bssid=04:bd:88:ba:e1:21 reason=3
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=USER type=COUNTRY alpha2=AU
wlp2s0: SME: Trying to authenticate with 04:bd:88:bb:05:82 (SSID='<SSID>' freq=2437 MHz)
wlp2s0: Trying to associate with 04:bd:88:bb:05:82 (SSID='<SSID>' freq=2437 MHz)
wlp2s0: Associated with 04:bd:88:bb:05:82
wlp2s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=COUNTRY_IE type=COUNTRY alpha2=AU
wlp2s0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13 -> NAK
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wlp2s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
wlp2s0: CTRL-EVENT-DISCONNECTED bssid=04:bd:88:bb:05:82 reason=3
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=USER type=COUNTRY alpha2=AU
wlp2s0: SME: Trying to authenticate with 00:24:6c:b1:73:48 (SSID='<SSID>' freq=5180 MHz)
wlp2s0: Trying to associate with 00:24:6c:b1:73:48 (SSID='<SSID>' freq=5180 MHz)
wlp2s0: Associated with 00:24:6c:b1:73:48
wlp2s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=COUNTRY_IE type=COUNTRY alpha2=AU
wlp2s0: CTRL-EVENT-EAP-STARTED EAP authentication started
^Cwlp2s0: CTRL-EVENT-DISCONNECTED bssid=00:24:6c:b1:73:48 reason=3 locally_generated=1
nl80211: deinit ifname=wlp2s0 disabled_11b_rates=0
wlp2s0: CTRL-EVENT-TERMINATING

Comment 13 Steven Haigh 2017-05-29 01:49:57 UTC
Created attachment 1283146 [details]
Output of running wpa_supplicant with suggested wpas.conf

Comment 14 Beniamino Galvani 2017-06-06 08:37:12 UTC
Now wpa_supplicant is negotiating more cipher suites:

  Cipher Suites (66 suites)

vs the old:

  Cipher Suites (28 suites)

but this doesn't help. Maybe the server is buggy and doesn't negotiate
properly the TLS version. Can you try to add this:

 phase1="tls_disable_tlsv1_2"

or

 phase1="tls_disable_tlsv1_1 tls_disable_tlsv1_2"

to the configuration above and retry? Otherwise, I've run out of ideas.


@dcbw, do you have any suggestions?

Comment 15 Steven Haigh 2017-06-06 08:59:49 UTC
I have tried both of the phase1= lines. Still no joy.

The interesting part is that this did work with F25. That possibly narrows down to a change between the current state of F26 and the shipping F25 version.

# wpa_supplicant -i wlp2s0 -c wpas.conf 
Successfully initialized wpa_supplicant
wlp2s0: SME: Trying to authenticate with 04:bd:88:ba:e1:31 (SSID='<SSID>' freq=5260 MHz)
wlp2s0: Trying to associate with 04:bd:88:ba:e1:31 (SSID='<SSID>' freq=5260 MHz)
wlp2s0: Associated with 04:bd:88:ba:e1:31
wlp2s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=COUNTRY_IE type=COUNTRY alpha2=AU
wlp2s0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13 -> NAK
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wlp2s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
wlp2s0: CTRL-EVENT-DISCONNECTED bssid=04:bd:88:ba:e1:31 reason=3
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=USER type=COUNTRY alpha2=AU
wlp2s0: SME: Trying to authenticate with 04:bd:88:bb:05:91 (SSID='<SSID>' freq=5320 MHz)
wlp2s0: Trying to associate with 04:bd:88:bb:05:91 (SSID='<SSID>' freq=5320 MHz)
wlp2s0: Associated with 04:bd:88:bb:05:91
wlp2s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=COUNTRY_IE type=COUNTRY alpha2=AU
wlp2s0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13 -> NAK
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wlp2s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
wlp2s0: CTRL-EVENT-DISCONNECTED bssid=04:bd:88:bb:05:91 reason=3
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=USER type=COUNTRY alpha2=AU
wlp2s0: SME: Trying to authenticate with 04:bd:88:bb:05:82 (SSID='<SSID>' freq=2437 MHz)
wlp2s0: Trying to associate with 04:bd:88:bb:05:82 (SSID='<SSID>' freq=2437 MHz)
wlp2s0: Associated with 04:bd:88:bb:05:82
wlp2s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wlp2s0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=COUNTRY_IE type=COUNTRY alpha2=AU
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13 -> NAK
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wlp2s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
wlp2s0: CTRL-EVENT-DISCONNECTED bssid=04:bd:88:bb:05:82 reason=3
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=USER type=COUNTRY alpha2=AU
wlp2s0: SME: Trying to authenticate with 04:bd:88:ba:e1:21 (SSID='<SSID>' freq=2412 MHz)
wlp2s0: Trying to associate with 04:bd:88:ba:e1:21 (SSID='<SSID>' freq=2412 MHz)
wlp2s0: Associated with 04:bd:88:ba:e1:21
wlp2s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=COUNTRY_IE type=COUNTRY alpha2=AU
wlp2s0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13 -> NAK
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wlp2s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
wlp2s0: CTRL-EVENT-DISCONNECTED bssid=04:bd:88:ba:e1:21 reason=3
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=USER type=COUNTRY alpha2=AU
wlp2s0: SME: Trying to authenticate with 00:24:6c:b1:73:40 (SSID='<SSID>' freq=2462 MHz)
wlp2s0: Trying to associate with 00:24:6c:b1:73:40 (SSID='<SSID>' freq=2462 MHz)
wlp2s0: Associated with 00:24:6c:b1:73:40
wlp2s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wlp2s0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13 -> NAK
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=COUNTRY_IE type=COUNTRY alpha2=AU
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wlp2s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
wlp2s0: CTRL-EVENT-DISCONNECTED bssid=00:24:6c:b1:73:40 reason=3
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=USER type=COUNTRY alpha2=AU
wlp2s0: SME: Trying to authenticate with 00:24:6c:b1:73:48 (SSID='<SSID>' freq=5785 MHz)
wlp2s0: Trying to associate with 00:24:6c:b1:73:48 (SSID='<SSID>' freq=5785 MHz)
wlp2s0: Associated with 00:24:6c:b1:73:48
wlp2s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=COUNTRY_IE type=COUNTRY alpha2=AU
^Cwlp2s0: CTRL-EVENT-DISCONNECTED bssid=00:24:6c:b1:73:48 reason=3 locally_generated=1
nl80211: deinit ifname=wlp2s0 disabled_11b_rates=0
wlp2s0: CTRL-EVENT-TERMINATING

Comment 16 Dan Williams 2017-06-06 16:21:16 UTC
Can you attach the tshark output when using the tls_disable lines?  Let's make sure it's really disabling TLSv1.1 and TLSv1.2...

Comment 17 Dan Williams 2017-06-06 16:24:22 UTC
Also, isn't it:

 phase1="tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1"

?

Comment 18 Beniamino Galvani 2017-06-06 16:31:21 UTC
(In reply to Dan Williams from comment #17)
> Also, isn't it:
> 
>  phase1="tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1"

Yes, my bad. Steven, please use this line instead of the one I suggested.

Comment 19 Steven Haigh 2017-06-06 23:51:03 UTC
Will try and get back to you. Won't be in range of this network for ~26 hours.

Comment 20 Steven Haigh 2017-06-08 02:35:40 UTC
Current config:
# cat wpas.conf
network={
        ssid="<SSID>"
        scan_ssid=1
        key_mgmt=WPA-EAP
        password="<password>"
        eap=PEAP
        fragment_size=1266
        phase1="tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1"
        phase2="auth=GTC"
        ca_cert="/etc/pki/tls/certs/ca-bundle.trust.crt"
        identity="<username>"
        openssl_ciphers="ALL"
}

Output:
# wpa_supplicant -i wlp2s0 -c wpas.conf 
Successfully initialized wpa_supplicant
wlp2s0: SME: Trying to authenticate with 04:bd:88:ba:e1:31 (SSID='<SSID>' freq=5220 MHz)
wlp2s0: Trying to associate with 04:bd:88:ba:e1:31 (SSID='<SSID>' freq=5220 MHz)
wlp2s0: Associated with 04:bd:88:ba:e1:31
wlp2s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=COUNTRY_IE type=COUNTRY alpha2=AU
wlp2s0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13 -> NAK
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wlp2s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
wlp2s0: CTRL-EVENT-DISCONNECTED bssid=04:bd:88:ba:e1:31 reason=3
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=USER type=COUNTRY alpha2=AU
wlp2s0: SME: Trying to authenticate with 04:bd:88:bb:05:91 (SSID='<SSID>' freq=5260 MHz)
wlp2s0: Trying to associate with 04:bd:88:bb:05:91 (SSID='<SSID>' freq=5260 MHz)
wlp2s0: Associated with 04:bd:88:bb:05:91
wlp2s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=COUNTRY_IE type=COUNTRY alpha2=AU
wlp2s0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13 -> NAK
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wlp2s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
wlp2s0: CTRL-EVENT-DISCONNECTED bssid=04:bd:88:bb:05:91 reason=3
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=USER type=COUNTRY alpha2=AU
wlp2s0: SME: Trying to authenticate with 04:bd:88:bb:05:82 (SSID='<SSID>' freq=2437 MHz)
wlp2s0: Trying to associate with 04:bd:88:bb:05:82 (SSID='<SSID>' freq=2437 MHz)
wlp2s0: Associated with 04:bd:88:bb:05:82
wlp2s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=COUNTRY_IE type=COUNTRY alpha2=AU
wlp2s0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13 -> NAK
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wlp2s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
wlp2s0: CTRL-EVENT-DISCONNECTED bssid=04:bd:88:bb:05:82 reason=3
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=USER type=COUNTRY alpha2=AU
wlp2s0: SME: Trying to authenticate with 04:bd:88:ba:e1:21 (SSID='<SSID>' freq=2412 MHz)
wlp2s0: Trying to associate with 04:bd:88:ba:e1:21 (SSID='<SSID>' freq=2412 MHz)
wlp2s0: Associated with 04:bd:88:ba:e1:21
wlp2s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wlp2s0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13 -> NAK
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wlp2s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=COUNTRY_IE type=COUNTRY alpha2=AU
wlp2s0: CTRL-EVENT-DISCONNECTED bssid=04:bd:88:ba:e1:21 reason=3
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=USER type=COUNTRY alpha2=AU
wlp2s0: SME: Trying to authenticate with 00:24:6c:b1:73:40 (SSID='<SSID>' freq=2462 MHz)
wlp2s0: Trying to associate with 00:24:6c:b1:73:40 (SSID='<SSID>' freq=2462 MHz)
wlp2s0: Associated with 00:24:6c:b1:73:40
wlp2s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=COUNTRY_IE type=COUNTRY alpha2=AU
wlp2s0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13 -> NAK
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wlp2s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
wlp2s0: CTRL-EVENT-DISCONNECTED bssid=00:24:6c:b1:73:40 reason=3
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=USER type=COUNTRY alpha2=AU
wlp2s0: SME: Trying to authenticate with 00:24:6c:b1:73:48 (SSID='<SSID>' freq=5785 MHz)
wlp2s0: Trying to associate with 00:24:6c:b1:73:48 (SSID='<SSID>' freq=5785 MHz)
wlp2s0: SME: Trying to authenticate with 00:24:6c:b1:84:80 (SSID='<SSID>' freq=2412 MHz)
wlp2s0: Trying to associate with 00:24:6c:b1:84:80 (SSID='<SSID>' freq=2412 MHz)
wlp2s0: Associated with 00:24:6c:b1:84:80
wlp2s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wlp2s0: CTRL-EVENT-REGDOM-CHANGE init=COUNTRY_IE type=COUNTRY alpha2=AU
wlp2s0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13 -> NAK
wlp2s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
wlp2s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
^Cwlp2s0: CTRL-EVENT-DISCONNECTED bssid=00:24:6c:b1:84:80 reason=3 locally_generated=1
nl80211: deinit ifname=wlp2s0 disabled_11b_rates=0
wlp2s0: CTRL-EVENT-TERMINATING

Packet trace to follow as an attachment.

Comment 21 Steven Haigh 2017-06-08 02:40:23 UTC
Created attachment 1285957 [details]
tshark output with config as per comment 20

Comment 22 Beniamino Galvani 2017-06-10 09:13:24 UTC
(In reply to Steven Haigh from comment #21)
> Created attachment 1285957 [details]
> tshark output with config as per comment 20

Thanks, this confirms that TLS 1.0 is negotiated.

I suppose you can't capture the tshark output with a F25 machine, right?

Comment 23 Steven Haigh 2017-06-10 09:15:28 UTC
I might be able to find a KDE F25 live boot image and try it?

The down side is that it won't have any updates from the date of the live image...

Also, it's a long weekend in my area this weekend, so I won't be back in the office to test this until Tuesday (UTC+10).

Comment 24 Steven Haigh 2017-06-13 01:27:18 UTC
Created attachment 1287136 [details]
Packet trace of successful connection with F25 live boot

Added packet trace after booting with an F25 live image.

Installed wireshark, then used tshark to capture the wire messages.

Authentication was successful on the first attempt via the F25 live image.

Comment 25 Beniamino Galvani 2017-06-13 07:21:51 UTC
Thanks for trying this.

With F25, which uses openssl 1.0.2k, we offer cipher
TLS_RSA_WITH_3DES_EDE_CBC_SHA.

F26 instead has openssl 1.1.0e, which disabled 3DES for security
reasons [1]. AFAICS, the only way to enable it again is recompiling
the package.

Probably it would be even better if the network administrator could
upgrade the authenticator to better algorithms. I'm reassigning this
bug to openssl so that somebody with knowledge of the matter can
comment on this.

[1] https://www.openssl.org/blog/blog/2016/08/24/sweet32/

Comment 26 Steven Haigh 2017-06-13 08:00:35 UTC
I was fearing that this might be the case - but the problem is, this becomes a 'Replace the managed controller and all access points' type solution.

When the APs are $800AUD a pop and a new controller in the $1000AUD range, I'm not sure that's a really feasible answer :\

Comment 27 Tomas Mraz 2017-06-13 09:07:50 UTC
Perhaps we can re-enable some of the weak ciphers (but still keep them off-by-default). We need to think about it more though - keeping the weak ciphers compiled in creates the risk of inadvertently enabling them by some admin.

Comment 28 Steven Haigh 2017-06-13 10:32:11 UTC
This is understandable - but the question would be how to enable the cipher in a way that NetworkManager would be able to pass it down the line.

The other side of the coin is that this is still a supported configuration for Windows, OSX, iOS, and Android - so I wonder if the 'disable completely' may be a little heavy handed.

As an example, we still have some WinCE handheld devices that are brand new from the factory that can't support TLS1.1 or higher as well. These are still widespread in the industry.

If its present, but can be enabled on a cipher by cipher basis for openssl system-wide in a config file, then I believe that would certainly be an acceptable compromise between the two positions.

Comment 29 Tomas Mraz 2017-06-13 10:56:00 UTC
(In reply to Steven Haigh from comment #28)
> This is understandable - but the question would be how to enable the cipher in
> a way that NetworkManager would be able to pass it down the line.

Well if they are built-in the 'ALL' ciphersuite string would enable them. They will not be enabled just in the 'DEFAULT' ciphersuite string.

> As an example, we still have some WinCE handheld devices that are brand new
> from the factory that can't support TLS1.1 or higher as well. These are
> still widespread in the industry.

But they still support the AES ciphersuites don't they?

Comment 30 Steven Haigh 2017-06-13 11:06:25 UTC
I'd have to dig out some documentation to be certain - but I believe we needed to enable TLS_RSA_WITH_3DES_EDE_CBC_SHA for it to work through our load balancer.

It may have even been DES-CBC3-SHA....

That being said, these don't have to connect to this AP cluster - so it doesn't really relate directly - however hardware that still only supports these things is still being sold in vast quantities in the industrial market.

Comment 31 Beniamino Galvani 2017-06-13 14:42:08 UTC
(In reply to Tomas Mraz from comment #29)
> (In reply to Steven Haigh from comment #28)
> > This is understandable - but the question would be how to enable the cipher in
> > a way that NetworkManager would be able to pass it down the line.
>
> Well if they are built-in the 'ALL' ciphersuite string would enable them.
> They will not be enabled just in the 'DEFAULT' ciphersuite string.

At the moment NetworkManager can't pass a custom 'openssl_ciphers'
option to wpa_supplicant, and thus only ciphers matching
"DEFAULT:!EXP:!LOW" are used.

I think it would be a good idea to add a new connection property in NM
to let users specify a custom cipher string. But, that property would
work only when wpa_supplicant is built against OpenSSL, and not with
GnuTLS.

Or maybe NM should use by default the PROFILE=SYSTEM cipher, which can
be configured system-wide using 'update-crypto-policies'.

Comment 32 Tomas Mraz 2017-06-13 15:05:47 UTC
(In reply to Beniamino Galvani from comment #31)

> Or maybe NM should use by default the PROFILE=SYSTEM cipher, which can
> be configured system-wide using 'update-crypto-policies'.

This would be preferable. Actually if NM does not pass any explicit ciphersuite string to OpenSSL (or GnuTLS), the PROFILE=SYSTEM will be used.

Comment 33 Fedora Update System 2017-06-15 15:19:05 UTC
openssl-1.1.0f-3.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-86656b5c3b

Comment 34 Steven Haigh 2017-06-15 15:34:32 UTC
Thanks for the updated package. I'll test this as soon as I come across the built version.

Does it require any specific configuration to enable the reenabled 3DES TLS ciphersuites?

Comment 35 Steven Haigh 2017-06-16 06:58:57 UTC
For what it's worth, I tried connecting again today with:

$ rpm -qa | grep openssl | sort
compat-openssl10-1.0.2j-6.fc26.x86_64
compat-openssl10-pkcs11-helper-1.22-1.fc26.x86_64
openssl-1.1.0f-3.fc26.x86_64
openssl-libs-1.1.0f-3.fc26.x86_64
xmlsec1-openssl-1.2.23-2.fc26.x86_64

The connection still failed in the same manner as the previous attempts.

Comment 36 Tomas Mraz 2017-06-16 07:05:22 UTC
If wpa_supplicant by default uses 'DEFAULT:!EXP:!LOW', it still will not work. Please open a new bug against wpa_supplicant and link it to this bug.
I'd suggest that the wpa_supplicant should not set any ciphersuite string by default or use PROFILE=SYSTEM ciphersuite string (these are equivalent).
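
An added check, not code from this bug thread nor from wpa_supplicant, NetworkManager or OpenSSL: it asks the OpenSSL that Python's ssl module is linked against which cipher suites a given openssl_ciphers= string would let wpa_supplicant offer, and tells apart "TLS_RSA_WITH_3DES_EDE_CBC_SHA is excluded by 'DEFAULT:!EXP:!LOW'" (fixable with a wider cipher string or the system policy) from "not compiled in at all" (the F26 openssl 1.1.0 situation from comment 25). The cipher strings and suite names come from the thread; the function names are illustrative.

```python
"""Added check: which TLS cipher suites would a given openssl_ciphers= string let
wpa_supplicant offer, on the OpenSSL that Python's ssl module is linked against?
Function names here are illustrative, not wpa_supplicant or NetworkManager API."""
import ssl

# IANA cipher-suite ids. TLS_RSA_WITH_3DES_EDE_CBC_SHA (OpenSSL name DES-CBC3-SHA)
# is the suite the F25 trace in comment 25 offered; AES-128-CBC is a sanity check
# that every OpenSSL build compiles in.
TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0x000A
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F

# The cipher strings the thread contrasts: wpa_supplicant's built-in default
# (comment 31) and the "ALL" string from the wpas.conf test (comment 20).
WPA_SUPPLICANT_DEFAULT = "DEFAULT:!EXP:!LOW"
EVERYTHING_COMPILED_IN = "ALL"


def offered_suites(cipher_string):
    """Map IANA suite id -> OpenSSL name for every suite the linked OpenSSL would
    put in a ClientHello for `cipher_string`. A string that matches nothing
    (e.g. PROFILE=SYSTEM on a system without crypto-policies) yields {}."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return {}
    # OpenSSL's internal id is 0x03000000 | IANA id for SSLv3/TLS suites.
    return {c["id"] & 0xFFFF: c["name"] for c in ctx.get_ciphers()}


def suite_offered(cipher_string, iana_id):
    """True if the suite with this IANA id is in the list for `cipher_string`."""
    return iana_id in offered_suites(cipher_string)


def diagnose(required_iana_id, cipher_string=WPA_SUPPLICANT_DEFAULT):
    """Explain a failure against an authenticator that only accepts `required_iana_id`:
    'ok'                        - the suite is offered with this cipher string;
    'excluded-by-cipher-string' - present in the build, so a wider openssl_ciphers=
                                  (or the system policy) would make it offered;
    'not-compiled-in'           - absent even from ALL; only a rebuilt OpenSSL
                                  helps, which is the F26 situation in comment 25."""
    if suite_offered(cipher_string, required_iana_id):
        return "ok"
    if suite_offered(EVERYTHING_COMPILED_IN, required_iana_id):
        return "excluded-by-cipher-string"
    return "not-compiled-in"


if __name__ == "__main__":
    for s in (WPA_SUPPLICANT_DEFAULT, EVERYTHING_COMPILED_IN, "PROFILE=SYSTEM"):
        names = offered_suites(s)
        print(f"{s!r}: {len(names)} suites, 3DES offered: "
              f"{TLS_RSA_WITH_3DES_EDE_CBC_SHA in names}")
    print("3DES-only authenticator with wpa_supplicant default:",
          diagnose(TLS_RSA_WITH_3DES_EDE_CBC_SHA))
```

The result for 3DES depends on how the local OpenSSL was built, which is exactly the F25/F26 difference this bug turned on.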

Comment 37 Fedora Update System 2017-06-16 22:24:31 UTC
openssl-1.1.0f-3.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-86656b5c3b

Comment 38 Fedora Update System 2017-06-17 19:43:29 UTC
openssl-1.1.0f-3.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.