Bug 498323
| Summary: | /etc/pki/tls/certs/ca-bundle.crt does not work with WPA2 enterprise wireless and NetworkManager. Worked on initial 10 release and continues to version 11. | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Robert Freeman-Day <presgas> |
| Component: | ca-certificates | Assignee: | Joe Orton <jorton> |
| Status: | CLOSED WONTFIX | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | | |
| Version: | 11 | CC: | dcbw, jorton, mike.cloaked, presgas, rdieter, tmraz, trueflint |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | 12 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2010-06-28 12:16:19 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Attachments: | | | |
Description
Robert Freeman-Day
2009-04-29 20:54:54 UTC
I've experienced this too (actually I am the one who called the OP's attention to this problem). It is exactly as he says, although I was not attempting to do this when Fedora 10 first released, so I had not seen it work correctly then. Downloading the Premium Server CA certificate directly from Thawte and having it in a file by itself works. Using /etc/pki/tls/cert.pem from the ca-certificates RPM (a symbolic link to /etc/pki/tls/certs/ca-bundle.crt) does not. This is despite the fact that the Thawte certificate appears to be one of those in ca-bundle.crt. I am not certain whether the problem is in the ca-certificates package or in NetworkManager, and I am not sure whether it is because the certificate is embedded in a bundled file or because cert.pem is a symlink. But putting the Thawte certificate in a regular (non-symlink) file, by itself, and directing NetworkManager to use that certificate, works. Without this workaround, it is not possible to connect to the wireless service in question, which does use WPA2 enterprise security, with PEAP v0 and MSCHAPv2.

Posted update to another bug I was following regarding this. https://bugzilla.redhat.com/show_bug.cgi?id=446920

Why can't the CAs be separated into separate pem files instead of a big bundle like SUSE and the deb-based distros?

Created attachment 342688 [details]
failed connection with unmodified /etc/pki/tls/certs/ca-bundle.crt
Created attachment 342689 [details]
successful connection with modified /etc/pki/tls/certs/ca-bundle.crt
Created attachment 342690 [details]
Unmodified ca-bundle.crt
Created attachment 342691 [details]
cert bundle with Thawte Premium Server CA moved to top of file
Our wireless setup is utilizing Thawte Premium Server as its CA. I compared it to an Ubuntu install and they were the same. I decided to test to see if the monolithic bundle may not be able to be parsed down to the CA I wanted, so I edited /etc/pki/tls/certs/ca-bundle.crt and moved the Thawte Premium Server CA to the top (see attachments). When doing this, I was able to connect without issue (see attachments). I see some issues with this. First, that there is some kind of corruption/change in /etc/pki/tls/certs/ca-bundle.crt that will not let wpa_supplicant get down to the CA. Second, if the CAs were separated out with their own file, this would not have been a problem. Third, NetworkManager does not seem to be able to parse out a file so that it finds the CA requested. Is there a way to look into this? As it stands, people at my university cannot connect wirelessly without modification.

This bug is still in existence in Fedora 11. Updating info to reflect.

I will soon need to make wireless connections to our institution using the Equifax cert - I notice that this is included in the ca-certificates package, but also is available as an explicit file at /usr/share/purple/ca-certs/Equifax_Secure_CA.pem so the certificate in question in my case can be referenced directly. However presumably the same issue as in this bz will apply.

You may be able to point to another file, and our workaround is getting the cert directly from Thawte, but that does not change the fact that this issue exists. I still want to know why this cannot be broken up into separate files to prevent cases like this when an app cannot parse the monolithic file. I would be curious, Mike, if you are able to utilize the ca-bundle.crt when you roll out your wireless setup, so please report back on this bug report.

Our changeover of the authentication for our institution system to using the Equifax cert is due to happen from 25th August, so I won't be able to check that until then. Once the authentication change has happened I will try it out and report back.

This issue is fixed for me in Fedora 12. It is using ca-certificates-2009-2.fc12 with /etc/pki/tls/certs/ca-bundle.crt version 1.53. Fedora 11, which still has the problem, is using ca-certificates-2008-8 with /etc/pki/tls/certs/ca-bundle.crt version 1.49. Fedora 10 and RHEL are also using some kind of older version of the ca-certificates package as well and exhibiting this issue. Can there be a way to push updates to RHEL/10/11 to get this fix pushed through? I know it is a simple package and workarounds can be easily found; however, if the CA bundle is corrupt in any way, other services that need this file could be impacted besides WPA2 enterprise wireless. As a final note, I am very disappointed with the quality assurance and the assignee on this. The end users heard absolutely NOTHING from them. Seeing as this impacts an enterprise OS as well as Fedora, this does not bode well. It is a simple bug and could have been simply fixed on the packager's end in my opinion. Please fix this in RHEL/10/11.

From the NetworkManager side, NM 0.8 (available in F12+) has been modified to better handle large certificate bundles. RHEL 5, F10, and F11 use NM 0.7, which does not have the fix and therefore may work badly with large certificate bundles.

This message is a reminder that Fedora 11 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 11. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '11'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 11's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 11 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Fedora 11 changed to end-of-life (EOL) status on 2010-06-25. Fedora 11 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. Thank you for reporting this bug and we are sorry it could not be fixed.

Do you guys even look at these bug reports?!? Do you read the comment threads??? This fix is not backported to your currently supported enterprise OS. There are flags asking for more info that were not answered nor cleared. This is just bad. I am very disappointed in your triaging. I see Dan Williams said it was fixed in 12, but your Enterprise OS needs this fix as well.

This is a Fedora bug report. For Red Hat Enterprise Linux support requests, please contact Red Hat support. http://www.redhat.com/support/
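The workaround both reporters converge on is to copy the one CA out of the monolithic ca-bundle.crt into a plain file of its own and point NetworkManager at that. The script below is an added example of doing that mechanically, with the cheap integrity check a practitioner would want before blaming "corruption"; it is not code from this bug, from ca-certificates or from NetworkManager. It assumes the bundle layout where each certificate is preceded by a name line and a line of '=' characters (the mk-ca-bundle style), and the sample bundle, names and base64 bodies are constructed for the example (the bodies are minimal DER placeholders, not real certificates).

```python
"""Split a PEM CA bundle and extract one CA into its own file.

Added example (not from the bug report, ca-certificates or NetworkManager).
Assumptions:
  * bundle layout: "<name>" line, a line of '=', then the PEM block;
  * SAMPLE_BUNDLE below is constructed; its base64 bodies are a tiny DER
    SEQUENCE placeholder, not real certificates.
"""
import base64
import re
from pathlib import Path

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# Constructed placeholder body: DER SEQUENCE { INTEGER 1 } -> 5 bytes.
_FAKE_DER_B64 = base64.encodebytes(b"\x30\x03\x02\x01\x01").decode().strip()

# Constructed sample bundle (stands in for /etc/pki/tls/certs/ca-bundle.crt).
SAMPLE_BUNDLE = f"""\
# constructed bundle for the example

Example Root CA 1
=================
{BEGIN}
{_FAKE_DER_B64}
{END}

Thawte Premium Server CA
========================
{BEGIN}
{_FAKE_DER_B64}
{END}
"""


def parse_bundle(text):
    """Return [(name, pem_block), ...] for every certificate block in `text`.

    The name is taken from the line above the '====' rule preceding the block;
    a block with no such header gets a synthetic name so nothing is dropped.
    An unterminated block raises instead of being silently swallowed.
    """
    lines = text.splitlines()
    certs = []
    i = 0
    while i < len(lines):
        if lines[i].strip() != BEGIN:
            i += 1
            continue
        start = i
        try:
            end = next(j for j in range(start, len(lines)) if lines[j].strip() == END)
        except StopIteration:
            raise ValueError(f"unterminated certificate block at line {start + 1}")
        name = f"unnamed-{len(certs)}"
        if start >= 2 and re.fullmatch(r"=+", lines[start - 1].strip()):
            name = lines[start - 2].strip()
        certs.append((name, "\n".join(lines[start:end + 1]) + "\n"))
        i = end + 1
    return certs


def check_block(pem_block):
    """Sanity-check one PEM block: strict base64, DER SEQUENCE tag first.

    Returns the decoded DER length. A damaged body fails here, which answers
    the "is the bundle corrupt?" question without involving a TLS library.
    """
    body = "".join(l for l in pem_block.splitlines() if l and not l.startswith("-----"))
    der = base64.b64decode(body, validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("decoded body is not a DER SEQUENCE")
    return len(der)


def select_ca(bundle_text, wanted_name):
    """Return the checked PEM block whose header name equals `wanted_name`."""
    for name, block in parse_bundle(bundle_text):
        if name == wanted_name:
            check_block(block)
            return block
    raise KeyError(f"{wanted_name!r} not found in bundle")


def write_ca(bundle_text, wanted_name, out_dir):
    """Write the selected CA to <out_dir>/<sanitised name>.pem and return the path."""
    safe = re.sub(r"[^A-Za-z0-9]+", "_", wanted_name).strip("_")
    path = Path(out_dir) / f"{safe}.pem"
    path.write_text(select_ca(bundle_text, wanted_name))
    return path


if __name__ == "__main__":
    import tempfile
    out = write_ca(SAMPLE_BUNDLE, "Thawte Premium Server CA", tempfile.mkdtemp())
    print(f"wrote {out}; DER length {check_block(out.read_text())} bytes")
```

Run against a real bundle with `write_ca(Path("/etc/pki/tls/certs/ca-bundle.crt").read_text(), "Thawte Premium Server CA", "/etc/pki/tls/certs")` and set that file as the CA certificate in the NetworkManager connection; `check_block` over every entry from `parse_bundle` is a quick way to confirm the bundle itself decodes cleanly, which separates "the file is damaged" from "the client cannot handle a large bundle" (the NM 0.7 case named in the thread).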