Bug 1974884

Summary: [NMCI] 8021x secrets are required but not yet saved
Product: Red Hat Enterprise Linux 9 Reporter: Vladimir Benes <vbenes>
Component: NetworkManagerAssignee: NetworkManager Development Team <nm-team>
Status: CLOSED DUPLICATE QA Contact: Desktop QE <desktop-qa-list>
Severity: high Docs Contact:
Priority: high    
Version: 9.0CC: atragler, bgalvani, lrintel, rkhan, sukulkar, thaller, till
Target Milestone: betaKeywords: Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-06-24 09:41:53 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Comment 4 Thomas Haller 2021-06-23 21:26:51 UTC 
(In reply to Thomas Haller from comment #2)
> Created attachment 1793633 [details]
> log-good (rhel8)

(In reply to Thomas Haller from comment #3)
> Created attachment 1793635 [details]
> log-bad (rhel9)

the logs are for test `./test_run.sh 8021x_peap_mschapv2_doc_procedure`

log-good is from https://desktopqe-jenkins.rhev-ci-vms.eng.rdu2.redhat.com/job/beaker-NetworkManager-main-veth-rhel8-upstream/217/artifact/artifacts/



Note that up until the line with "MSCHAPV2: Identity - hexdump(len=21): 54 45 53 54 45 52 53 5c 74 65 73 74 5f 6d 73 63 68 61 70 76 32", both runs seem mostly identical.

Then, on RHEL-9 there is:

Jun 23 15:17:01 gsm-r5s6-01.wlan.rhts.eng.bos.redhat.com wpa_supplicant[22685]: OpenSSL: EVP_DigestInit_ex failed: error:0308010C:digital envelope routines::unsupported
Jun 23 15:17:01 gsm-r5s6-01.wlan.rhts.eng.bos.redhat.com wpa_supplicant[22685]: EAP-MSCHAPV2: Failed to derive response
Jun 23 15:17:01 gsm-r5s6-01.wlan.rhts.eng.bos.redhat.com wpa_supplicant[22685]: EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL eapRespData=(nil)



On the rhel-9 machine:

# update-crypto-policies --show
LEGACY

# sysctl crypto.fips_enabled
crypto.fips_enabled = 0




The reason for this problem is still unknown to me...
Comment 5 Thomas Haller 2021-06-23 21:35:54 UTC 
actually, the first difference is earlier, at:


good:
  n-veth-rhel8-upstream-217 wpa_supplicant[338475]: TLS: using phase1 config options
  n-veth-rhel8-upstream-217 wpa_supplicant[338475]: TLS: Trusted root certificate(s) loaded

bad:
  an.rhts.eng.bos.redhat.com wpa_supplicant[22685]: TLS: using phase1 config options
  an.rhts.eng.bos.redhat.com wpa_supplicant[22685]: tls_connection_set_params: Clearing pending SSL error: error:03000086:digital envelope routines::initialization error
  an.rhts.eng.bos.redhat.com wpa_supplicant[22685]: TLS: Trusted root certificate(s) loaded


and then

good:
  n-veth-rhel8-upstream-217 wpa_supplicant[338475]: OpenSSL: TX ver=0x0 content_type=256 (TLS header info/)
bad:
  an.rhts.eng.bos.redhat.com wpa_supplicant[22685]: OpenSSL: TX ver=0x301 content_type=256 (TLS header info/)
Comment 6 Beniamino Galvani 2021-06-24 04:56:03 UTC 
From what I understand MSCHAPv2 uses SHA1. According to this:

  https://bugzilla.redhat.com/show_bug.cgi?id=1959016

SHA1 is disabled in LEGACY policy. There should be a "SHA1" policy modifier to re-enable it:

  update-crypto-policies --set DEFAULT:SHA1

I'm going to try when the beaker machine becomes ready.
Comment 7 Thomas Haller 2021-06-24 05:59:31 UTC 
(In reply to Beniamino Galvani from comment #6)
> From what I understand MSCHAPv2 uses SHA1. According to this:
> 
>   https://bugzilla.redhat.com/show_bug.cgi?id=1959016
> 
> SHA1 is disabled in LEGACY policy. There should be a "SHA1" policy modifier
> to re-enable it:
> 
>   update-crypto-policies --set DEFAULT:SHA1
> 
> I'm going to try when the beaker machine becomes ready.

thanks. That sound good.

I tested it on gsm-r5s6-01.wlan.rhts.eng.bos.redhat.com, both to set "DEFAULT:SHA1" and "LEGACY:SHA1", then restart NetworkManager and wpa_supplicant service. That did not avoid the test failure though!...
Comment 8 Vladimir Benes 2021-06-24 09:41:53 UTC 

*** This bug has been marked as a duplicate of bug 1975718 ***