Bug 1465138

Summary: EAP-TLS broken with wpa_supplicant 2.6/openssl1.1 in fedora 26
Product: [Fedora] Fedora Reporter: Michal Ambroz <rebus>
Component: wpa_supplicantAssignee: Beniamino Galvani <bgalvani>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 26CC: atigro, bbennett, bgalvani, blueowl, david.bell, dcbw, kaspar.tint, lkundrak, michel, reavertm, thecubic
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: wpa_supplicant-2.6-8.fc26 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-07-20 15:54:03 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Michal Ambroz 2017-06-26 18:23:25 UTC 
Description of problem:
In Fedora26 EAP-TLS seems to be broken with the current version of the wpa_supplicant (wpa_supplicant-2.6-7.fc26.x86_64) and openssl (openssl-libs-1.1.0f-3.fc26.x86_64)

Version-Release number of selected component (if applicable):
wpa_supplicant-2.6-7.fc26.x86_64
openssl-libs-1.1.0f-3.fc26.x86_64


How reproducible:
100%

Steps to Reproduce:
1. have a network which requires EAP-TLS (in my case it was LAN)
2. configure the certificates
3. try to connect to the network

Actual results:
Jun 26 18:57:56 notebook.domain.xy NetworkManager[1070]: <info>  [1498496276.7303] device (enp0s25): Activation: starting connection 'enp0s25' (ea23754a-e091-37ee-8167-3ee3b7a06a1b)
Jun 26 18:57:56 notebook.domain.xy NetworkManager[1070]: <info>  [1498496276.7311] audit: op="connection-activate" uuid="ea23754a-e091-37ee-8167-3ee3b7a06a1b" name="enp0s25" pid=1683 uid=1000 result="success"
Jun 26 18:57:56 notebook.domain.xy NetworkManager[1070]: <info>  [1498496276.7312] device (enp0s25): state change: disconnected -> prepare (reason 'none') [30 40 0]
Jun 26 18:57:56 notebook.domain.xy NetworkManager[1070]: <info>  [1498496276.7314] manager: NetworkManager state is now CONNECTING
Jun 26 18:57:56 notebook.domain.xy NetworkManager[1070]: <info>  [1498496276.7317] device (enp0s25): state change: prepare -> config (reason 'none') [40 50 0]
Jun 26 18:57:56 notebook.domain.xy NetworkManager[1070]: <info>  [1498496276.7325] device (enp0s25): Activation: (ethernet) connection 'enp0s25' has security, but secrets are required.
Jun 26 18:57:56 notebook.domain.xy NetworkManager[1070]: <info>  [1498496276.7325] device (enp0s25): state change: config -> need-auth (reason 'none') [50 60 0]
Jun 26 18:57:56 notebook.domain.xy NetworkManager[1070]: <info>  [1498496276.7713] device (enp0s25): state change: need-auth -> prepare (reason 'none') [60 40 0]
Jun 26 18:57:56 notebook.domain.xy NetworkManager[1070]: <info>  [1498496276.7721] device (enp0s25): state change: prepare -> config (reason 'none') [40 50 0]
Jun 26 18:57:56 notebook.domain.xy NetworkManager[1070]: <info>  [1498496276.7731] device (enp0s25): Activation: (ethernet) connection 'enp0s25' requires no security. No secrets needed.
Jun 26 18:57:56 notebook.domain.xy NetworkManager[1070]: <info>  [1498496276.7986] device (enp0s25): supplicant interface state: starting -> ready
Jun 26 18:57:56 notebook.domain.xy NetworkManager[1070]: <info>  [1498496276.7986] Config: added 'key_mgmt' value 'IEEE8021X'
Jun 26 18:57:56 notebook.domain.xy NetworkManager[1070]: <info>  [1498496276.7986] Config: added 'eapol_flags' value '0'
Jun 26 18:57:56 notebook.domain.xy NetworkManager[1070]: <info>  [1498496276.7987] Config: added 'eap' value 'TLS'
Jun 26 18:57:56 notebook.domain.xy NetworkManager[1070]: <info>  [1498496276.7987] Config: added 'fragment_size' value '1266'
Jun 26 18:57:56 notebook.domain.xy NetworkManager[1070]: <info>  [1498496276.7987] Config: added 'ca_cert' value '/home/username/.cert/username_20190227_ca.pem'
Jun 26 18:57:56 notebook.domain.xy NetworkManager[1070]: <info>  [1498496276.7987] Config: added 'private_key' value '/home/username/.cert/username_20190227_key.pem'
Jun 26 18:57:56 notebook.domain.xy NetworkManager[1070]: <info>  [1498496276.7987] Config: added 'private_key_passwd' value '<hidden>'
Jun 26 18:57:56 notebook.domain.xy NetworkManager[1070]: <info>  [1498496276.7988] Config: added 'client_cert' value '/home/username/.cert/username_20190227_cl.pem'
Jun 26 18:57:56 notebook.domain.xy NetworkManager[1070]: <info>  [1498496276.7988] Config: added 'identity' value 'John Doe'
Jun 26 18:57:56 notebook.domain.xy wpa_supplicant[1286]: enp0s25: Associated with 01:80:c2:00:00:03
Jun 26 18:57:56 notebook.domain.xy wpa_supplicant[1286]: WMM AC: Missing IEs
Jun 26 18:57:56 notebook.domain.xy wpa_supplicant[1286]: enp0s25: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
Jun 26 18:57:56 notebook.domain.xy NetworkManager[1070]: <info>  [1498496276.8079] device (enp0s25): supplicant interface state: ready -> associated
Jun 26 18:57:58 notebook.domain.xy wpa_supplicant[1286]: enp0s25: CTRL-EVENT-EAP-STARTED EAP authentication started
Jun 26 18:57:58 notebook.domain.xy wpa_supplicant[1286]: enp0s25: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=43 -> NAK
Jun 26 18:57:58 notebook.domain.xy wpa_supplicant[1286]: enp0s25: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
Jun 26 18:57:58 notebook.domain.xy wpa_supplicant[1286]: Enter PEM pass phrase:
Jun 26 18:57:58 notebook.domain.xy wpa_supplicant[1286]: OpenSSL: tls_read_pkcs12 - Failed to use PKCS#12 file error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
Jun 26 18:57:58 notebook.domain.xy wpa_supplicant[1286]: OpenSSL: pending error: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error
Jun 26 18:57:58 notebook.domain.xy wpa_supplicant[1286]: OpenSSL: tls_connection_private_key - Failed to load private key error:00000000:lib(0):func(0):reason(0)
Jun 26 18:57:58 notebook.domain.xy wpa_supplicant[1286]: TLS: Failed to load private key '/home/username/.cert/username_20190227_key.pem'
Jun 26 18:57:58 notebook.domain.xy wpa_supplicant[1286]: TLS: Failed to set TLS connection parameters
Jun 26 18:57:58 notebook.domain.xy wpa_supplicant[1286]: EAP-TLS: Failed to initialize SSL.
Jun 26 18:57:58 notebook.domain.xy wpa_supplicant[1286]: enp0s25: EAP: Failed to initialize EAP method: vendor 0 method 13 (TLS)
Jun 26 18:57:58 notebook.domain.xy wpa_supplicant[1286]: enp0s25: CTRL-EVENT-EAP-FAILURE EAP authentication failed


Expected results:
This is the successfull login with the same configuration/environment and the cryptomaterial
====== Fedora 25  wpa_supplicant-2.6-1.fc25.x86_64 compiled against openssl-libs-1.0.2k-1.fc25.x86_64
Jun 26 20:08:37 notebook.domain.xy NetworkManager[1580]: <info>  [1498500517.6845] device (enp0s25): Activation: starting connection 'INAC2019' (53cd0b31-cf7f-43fa-b2db-ff14548cdb65)
Jun 26 20:08:37 notebook.domain.xy NetworkManager[1580]: <info>  [1498500517.6851] audit: op="connection-activate" uuid="53cd0b31-cf7f-43fa-b2db-ff14548cdb65" name="INAC2019" pid=12111 uid=1000 result="success"
Jun 26 20:08:37 notebook.domain.xy NetworkManager[1580]: <info>  [1498500517.6852] device (enp0s25): state change: disconnected -> prepare (reason 'none') [30 40 0]
Jun 26 20:08:37 notebook.domain.xy NetworkManager[1580]: <info>  [1498500517.6853] manager: NetworkManager state is now CONNECTING
Jun 26 20:08:37 notebook.domain.xy NetworkManager[1580]: <info>  [1498500517.6862] device (enp0s25): state change: prepare -> config (reason 'none') [40 50 0]
Jun 26 20:08:37 notebook.domain.xy NetworkManager[1580]: <info>  [1498500517.6872] device (enp0s25): Activation: (ethernet) connection 'INAC2019' has security, but secrets are required.
Jun 26 20:08:37 notebook.domain.xy NetworkManager[1580]: <info>  [1498500517.6873] device (enp0s25): state change: config -> need-auth (reason 'none') [50 60 0]
Jun 26 20:08:37 notebook.domain.xy NetworkManager[1580]: <info>  [1498500517.7754] device (enp0s25): state change: need-auth -> prepare (reason 'none') [60 40 0]
Jun 26 20:08:37 notebook.domain.xy NetworkManager[1580]: <info>  [1498500517.7785] device (enp0s25): state change: prepare -> config (reason 'none') [40 50 0]
Jun 26 20:08:37 notebook.domain.xy NetworkManager[1580]: <info>  [1498500517.7798] device (enp0s25): Activation: (ethernet) connection 'INAC2019' requires no security. No secrets needed.
Jun 26 20:08:37 notebook.domain.xy NetworkManager[1580]: <info>  [1498500517.8312] device (enp0s25): supplicant interface state: starting -> ready
Jun 26 20:08:37 notebook.domain.xy NetworkManager[1580]: <info>  [1498500517.8312] Config: added 'key_mgmt' value 'IEEE8021X'
Jun 26 20:08:37 notebook.domain.xy NetworkManager[1580]: <info>  [1498500517.8312] Config: added 'eapol_flags' value '0'
Jun 26 20:08:37 notebook.domain.xy wpa_supplicant[1707]: enp0s25: Associated with 01:80:c2:00:00:03
Jun 26 20:08:37 notebook.domain.xy NetworkManager[1580]: <info>  [1498500517.8312] Config: added 'eap' value 'TLS'
Jun 26 20:08:37 notebook.domain.xy wpa_supplicant[1707]: WMM AC: Missing IEs
Jun 26 20:08:37 notebook.domain.xy NetworkManager[1580]: <info>  [1498500517.8312] Config: added 'fragment_size' value '1266'
Jun 26 20:08:37 notebook.domain.xy wpa_supplicant[1707]: enp0s25: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
Jun 26 20:08:37 notebook.domain.xy NetworkManager[1580]: <info>  [1498500517.8313] Config: added 'ca_cert' value '/home/username/.cert/username_20190227_ca.pem'
Jun 26 20:08:37 notebook.domain.xy NetworkManager[1580]: <info>  [1498500517.8313] Config: added 'private_key' value '/home/username/.cert/username_20190227_key.pem'
Jun 26 20:08:37 notebook.domain.xy NetworkManager[1580]: <info>  [1498500517.8313] Config: added 'private_key_passwd' value '<omitted>'
Jun 26 20:08:37 notebook.domain.xy NetworkManager[1580]: <info>  [1498500517.8313] Config: added 'client_cert' value '/home/username/.cert/username_20190227_cl.pem'
Jun 26 20:08:37 notebook.domain.xy NetworkManager[1580]: <info>  [1498500517.8314] Config: added 'identity' value 'John Doe'
Jun 26 20:08:37 notebook.domain.xy NetworkManager[1580]: <info>  [1498500517.8320] sup-iface[0x561a29b53360,enp0s25]: config: set interface ap_scan to 0
Jun 26 20:08:37 notebook.domain.xy NetworkManager[1580]: <info>  [1498500517.8397] device (enp0s25): supplicant interface state: ready -> associated
Jun 26 20:08:39 notebook.domain.xy wpa_supplicant[1707]: enp0s25: CTRL-EVENT-EAP-STARTED EAP authentication started
Jun 26 20:08:39 notebook.domain.xy wpa_supplicant[1707]: enp0s25: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=43 -> NAK
Jun 26 20:08:39 notebook.domain.xy wpa_supplicant[1707]: enp0s25: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
Jun 26 20:08:39 notebook.domain.xy wpa_supplicant[1707]: enp0s25: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
Jun 26 20:08:39 notebook.domain.xy wpa_supplicant[1707]: enp0s25: CTRL-EVENT-EAP-PEER-CERT depth=3 subject='/OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign' hash=cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b
Jun 26 20:08:39 notebook.domain.xy wpa_supplicant[1707]: enp0s25: CTRL-EVENT-EAP-PEER-CERT depth=2 subject='/C=BE/OU=Trusted Root/O=GlobalSign nv-sa/CN=Trusted Root CA SHA256 G2' hash=01fd73ef5e70f526fc9c11f65fe2ee6f7125b3693949227ffd8e459e583c458a
Jun 26 20:08:39 notebook.domain.xy wpa_supplicant[1707]: enp0s25: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='redacted '
Jun 26 20:08:39 notebook.domain.xy wpa_supplicant[1707]: enp0s25: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='redacted '
Jun 26 20:08:39 notebook.domain.xy wpa_supplicant[1707]: enp0s25: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:redacted
Jun 26 20:08:39 notebook.domain.xy wpa_supplicant[1707]: enp0s25: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:redacted
Jun 26 20:08:39 notebook.domain.xy wpa_supplicant[1707]: enp0s25: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:redacted
Jun 26 20:08:39 notebook.domain.xy wpa_supplicant[1707]: enp0s25: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:redacted
Jun 26 20:08:39 notebook.domain.xy wpa_supplicant[1707]: enp0s25: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:redacted
Jun 26 20:08:39 notebook.domain.xy wpa_supplicant[1707]: enp0s25: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:redacted
Jun 26 20:08:39 notebook.domain.xy wpa_supplicant[1707]: enp0s25: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:redacted
Jun 26 20:08:39 notebook.domain.xy wpa_supplicant[1707]: enp0s25: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:redacted
Jun 26 20:08:39 notebook.domain.xy wpa_supplicant[1707]: enp0s25: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:redacted
Jun 26 20:08:39 notebook.domain.xy wpa_supplicant[1707]: enp0s25: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:redacted
Jun 26 20:08:40 notebook.domain.xy wpa_supplicant[1707]: enp0s25: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
Jun 26 20:08:40 notebook.domain.xy wpa_supplicant[1707]: enp0s25: CTRL-EVENT-CONNECTED - Connection to 01:80:c2:00:00:03 completed [id=0 id_str=]
Jun 26 20:08:40 notebook.domain.xy NetworkManager[1580]: <info>  [1498500520.1288] device (enp0s25): supplicant interface state: associated -> completed
Jun 26 20:08:40 notebook.domain.xy NetworkManager[1580]: <info>  [1498500520.1289] device (enp0s25): Activation: (ethernet) Stage 2 of 5 (Device Configure) successful.


Additional info:
This is most probably related - same issue on WiFi on the Arch Linux: https://bugs.archlinux.org/task/54233

Configuration used in this:
Settings / Network / Wired / Add Profile / INAC2019
Security:
    802/1x Security: ON
    Authentication: TLS
    Identity: John Doe
    User certificate:
    CA certificate:
    [ ] No CA certificate is required (unchecked)
    Private key:
    Private key password: valid 
    (Password used is valid - checked with "openssl rsa -in /home/username/.cert/username_20190227_key.pem")
Comment 1 Michal Ambroz 2017-06-26 19:59:01 UTC 
Getting similar error for the WiFi authenticated with user certificate (EAP-TLS).
I guess it is the same issue.
Comment 2 Michal Ambroz 2017-06-26 21:21:17 UTC 
I can confirm that the patch https://bugs.archlinux.org/task/54233?getfile=15295 from the Archlinux https://bugs.archlinux.org/task/54233 works for the EAP-TLS over the wired network cable.

For some reason the patch doesn't help with the WiFi network requesting EAP-TLS.
Comment 3 Michal Ambroz 2017-06-26 21:58:14 UTC 
Relevant bug in the openssl - https://github.com/openssl/openssl/issues/3594
Comment 4 Beniamino Galvani 2017-06-27 08:43:44 UTC 
(In reply to Michal Ambroz from comment #2)
> For some reason the patch doesn't help with the WiFi network requesting
> EAP-TLS.

Hi, can you please attach logs for the failing wifi connection attempt? Thanks!
Comment 5 Beniamino Galvani 2017-06-27 12:47:06 UTC 
Posted patch upstream:

http://lists.infradead.org/pipermail/hostap/2017-June/037739.html
Comment 6 Michal Ambroz 2017-07-03 14:42:34 UTC 
(In reply to Beniamino Galvani from comment #4)
> (In reply to Michal Ambroz from comment #2)
> > For some reason the patch doesn't help with the WiFi network requesting
> > EAP-TLS.
> 
> Hi, can you please attach logs for the failing wifi connection attempt?
> Thanks!

Hello Beniamino,
the log for the Wifi + EAP-TLS failing looks the same as for LAN EAP-TLS - it claims it is not possible to load the private key (although, when patched, the same private key is used for the LAN EAP-TLS access and that works).
I have not checked the wpa_supplicant code yet, but I would guess the same patch  might be required on more places.

Michal Ambroz


====== here goes the log ==================================================

Jul 03 15:36:49 notebook.domain.xy NetworkManager[1456]: <info>  [1499089009.6547] device (atheros0): Activation: (wifi) connection 'TEST_WIFI' has security, and secrets exist.  No new secrets needed.
Jul 03 15:36:49 notebook.domain.xy NetworkManager[1456]: <info>  [1499089009.6547] Config: added 'ssid' value 'TEST_WIFI'
Jul 03 15:36:49 notebook.domain.xy NetworkManager[1456]: <info>  [1499089009.6547] Config: added 'scan_ssid' value '1'
Jul 03 15:36:49 notebook.domain.xy NetworkManager[1456]: <info>  [1499089009.6547] Config: added 'key_mgmt' value 'WPA-EAP'
Jul 03 15:36:49 notebook.domain.xy NetworkManager[1456]: <info>  [1499089009.6547] Config: added 'eap' value 'TLS'
Jul 03 15:36:49 notebook.domain.xy NetworkManager[1456]: <info>  [1499089009.6548] Config: added 'fragment_size' value '1266'
Jul 03 15:36:49 notebook.domain.xy NetworkManager[1456]: <info>  [1499089009.6548] Config: added 'ca_cert' value '/home/username/.cert/username_20190227_cl.pem'
Jul 03 15:36:49 notebook.domain.xy NetworkManager[1456]: <info>  [1499089009.6548] Config: added 'private_key' value '/home/username/.cert/username_20190227_key.pem'
Jul 03 15:36:49 notebook.domain.xy NetworkManager[1456]: <info>  [1499089009.6548] Config: added 'private_key_passwd' value '<hidden>'
Jul 03 15:36:49 notebook.domain.xy NetworkManager[1456]: <info>  [1499089009.6548] Config: added 'client_cert' value '/home/username/.cert/username_20190227_ca.pem'
Jul 03 15:36:49 notebook.domain.xy NetworkManager[1456]: <info>  [1499089009.6549] Config: added 'identity' value 'John Doe'
Jul 03 15:36:49 notebook.domain.xy NetworkManager[1456]: <info>  [1499089009.6549] Config: added 'bgscan' value 'simple:30:-65:300'
Jul 03 15:36:49 notebook.domain.xy NetworkManager[1456]: <info>  [1499089009.6549] Config: added 'proactive_key_caching' value '1'
Jul 03 15:36:49 notebook.domain.xy NetworkManager[1456]: <info>  [1499089009.7577] device (atheros0): supplicant interface state: inactive -> scanning
Jul 03 15:36:50 notebook.domain.xy wpa_supplicant[26270]: atheros0: SME: Trying to authenticate with 11:22:33:44:55:66 (SSID='TEST_WIFI' freq=2462 MHz)
Jul 03 15:36:51 notebook.domain.xy kernel: atheros0: authenticate with 11:22:33:44:55:66
Jul 03 15:36:51 notebook.domain.xy kernel: atheros0: send auth to 11:22:33:44:55:66 (try 1/3)
Jul 03 15:36:51 notebook.domain.xy kernel: atheros0: authenticated
Jul 03 15:36:51 notebook.domain.xy wpa_supplicant[26270]: atheros0: Trying to associate with 11:22:33:44:55:66 (SSID='TEST_WIFI' freq=2462 MHz)
Jul 03 15:36:51 notebook.domain.xy NetworkManager[1456]: <info>  [1499089011.2341] device (atheros0): supplicant interface state: scanning -> authenticating
Jul 03 15:36:51 notebook.domain.xy kernel: atheros0: associate with 11:22:33:44:55:66 (try 1/3)
Jul 03 15:36:51 notebook.domain.xy kernel: atheros0: RX AssocResp from 11:22:33:44:55:66 (capab=0x431 status=0 aid=2)
Jul 03 15:36:51 notebook.domain.xy kernel: atheros0: associated
Jul 03 15:36:51 notebook.domain.xy NetworkManager[1456]: <info>  [1499089011.2520] device (atheros0): supplicant interface state: authenticating -> associating
Jul 03 15:36:51 notebook.domain.xy wpa_supplicant[26270]: atheros0: Associated with 11:22:33:44:55:66
Jul 03 15:36:51 notebook.domain.xy wpa_supplicant[26270]: atheros0: CTRL-EVENT-EAP-STARTED EAP authentication started
Jul 03 15:36:51 notebook.domain.xy wpa_supplicant[26270]: atheros0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
Jul 03 15:36:51 notebook.domain.xy wpa_supplicant[26270]: atheros0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=43 -> NAK
Jul 03 15:36:51 notebook.domain.xy wpa_supplicant[26270]: atheros0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
Jul 03 15:36:51 notebook.domain.xy NetworkManager[1456]: <info>  [1499089011.2844] device (atheros0): supplicant interface state: associating -> associated
Jul 03 15:36:51 notebook.domain.xy wpa_supplicant[26270]: OpenSSL: tls_read_pkcs12 - Failed to use PKCS#12 file error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
Jul 03 15:36:51 notebook.domain.xy wpa_supplicant[26270]: OpenSSL: pending error: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error
Jul 03 15:36:51 notebook.domain.xy wpa_supplicant[26270]: OpenSSL: tls_connection_private_key - Failed to load private key error:00000000:lib(0):func(0):reason(0)
Jul 03 15:36:51 notebook.domain.xy wpa_supplicant[26270]: TLS: Failed to load private key '/home/username/.cert/username_20190227_key.pem'
Jul 03 15:36:51 notebook.domain.xy wpa_supplicant[26270]: TLS: Failed to set TLS connection parameters
Jul 03 15:36:51 notebook.domain.xy wpa_supplicant[26270]: EAP-TLS: Failed to initialize SSL.
Jul 03 15:36:51 notebook.domain.xy wpa_supplicant[26270]: atheros0: EAP: Failed to initialize EAP method: vendor 0 method 13 (TLS)
Jul 03 15:36:51 notebook.domain.xy wpa_supplicant[26270]: atheros0: CTRL-EVENT-REGDOM-CHANGE init=COUNTRY_IE type=COUNTRY alpha2=CZ
Jul 03 15:36:51 notebook.domain.xy wpa_supplicant[26270]: atheros0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
Jul 03 15:36:51 notebook.domain.xy kernel: atheros0: Limiting TX power to 4 dBm as advertised by 11:22:33:44:55:66
Jul 03 15:36:53 notebook.domain.xy wpa_supplicant[26270]: atheros0: Authentication with 11:22:33:44:55:66 timed out.
Comment 7 David Carlson 2017-07-12 16:58:40 UTC 
Can this be hotfixed please?  It breaks 802.1x on wired connections as well so upgrading kicks systems off of secured networks.  I've applied the upstream patch to the RPM and confirmed that it restores wireless connections.  Thanks!
Comment 8 Beniamino Galvani 2017-07-13 20:33:31 UTC 
(In reply to David Carlson from comment #7)
> Can this be hotfixed please?  It breaks 802.1x on wired connections as well
> so upgrading kicks systems off of secured networks.  I've applied the
> upstream patch to the RPM and confirmed that it restores wireless
> connections.  Thanks!

Does the patch fix the problem with wired 802.1x connections for you?
Comment 9 David Carlson 2017-07-13 20:36:27 UTC 
(In reply to Beniamino Galvani from comment #8)
> Does the patch fix the problem with wired 802.1x connections for you?

Yes - confirmed it fixes wired 802.1x on two different systems this morning.

-Dave
Comment 10 Arkady L. Shane 2017-07-14 07:43:39 UTC 
I can also confirm that archlinux patch fixes this issue.
Comment 11 Brandon Bennett 2017-07-17 18:00:18 UTC 
Looks like this was applied upstream:

http://lists.infradead.org/pipermail/hostap/2017-July/037796.html
https://w1.fi/cgit/hostap/commit/?id=f665c93e1d28fbab3d9127a8c3985cc32940824f
Comment 12 Fedora Update System 2017-07-17 19:10:48 UTC 
wpa_supplicant-2.6-8.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-c3438ec82a
Comment 13 Beniamino Galvani 2017-07-17 19:13:27 UTC 
*** Bug 1471728 has been marked as a duplicate of this bug. ***
Comment 14 Fedora Update System 2017-07-20 00:25:17 UTC 
wpa_supplicant-2.6-8.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-c3438ec82a
Comment 15 Fedora Update System 2017-07-20 15:54:03 UTC 
wpa_supplicant-2.6-8.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.