Bug 507315

Summary: Incorrectly rejects PEM files with missing trailing newline
Product: [Fedora] Fedora Reporter: Joel Uckelman <uckelman>
Component: NetworkManager Assignee: Dan Williams <dcbw>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 11 CC: arxs, danw, dcbw
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: 0.2.997-4.git20091218.fc12 Doc Type: Bug Fix
Last Closed: 2010-01-02 21:27:53 UTC Type: ---
Attachments:
Description | Flags
screenshot of the problem | none
possible solution of the problem | none
broken cert | none

Description Joel Uckelman 2009-06-22 10:23:51 UTC
Created attachment 348873 [details]
screenshot of the problem

Description of problem:

The uni where I work changed their wireless network setup two weeks ago. Since then, it's been impossible to connect with NetworkManager. The problem is that after entering all of the details in the auth dialog, the "Connect" button never becomes enabled. You can see what happens in the attached screenshot.

Version-Release number of selected component (if applicable):

NetworkManager-0.7.1-4.git20090414.fc11.x86_64

How reproducible:

Always.

Steps to Reproduce:
1. Log in in range of a UvA or eduroam access point.
2. Attempt to connect with NetworkManager.
  
Actual results:

Connect button disabled.


Expected results:

Connect button enabled.


Additional info:

It's possible to connect using what appear to be identical settings using wpa_supplicant directly---I'm connected that way now:

wpa_supplicant -Dwext -iwlan0 -c/etc/wpa_supplicant/wpa_supplicant.conf.uva
dhclient wlan0

Here's my working wpa_supplicant.conf.uva:

ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel

network={
	ssid="eduroam"
	scan_ssid=1
	key_mgmt=WPA-EAP
	eap=TTLS
	anonymous_identity="anonymous"
	identity="juckelm1"
	password="password"
	phase2="auth=PAP"
	ca_cert="/etc/pki/uva/ct_root.der"
}

Comment 1 Joel Uckelman 2009-07-06 18:16:20 UTC
I should point out that this problem is more severe than I originally thought, as it prevents everyone at the University of Amsterdam from using NetworkManager.

Comment 2 Niels Haase 2009-07-14 22:36:07 UTC
Created attachment 351704 [details]
possible solution of the problem

I'm able to reproduce your bug with the ct_root.der from UVA


Well, I don't understand Dutch, but according to 
http://home.medewerker.uva.nl/j.jongepier/bestanden/Handleiding_NetworkManager.pdf
Page 7:

If the 'Connect' button stays grey, then NetworkManager does not recognize the certificate, at least if you are working with Fedora 10. However, adding a blank line at the end of the certificate makes NetworkManager accept it. For convenience I have already done that myself and put the modified certificate online [3].

Use the ct_root.der from
http://home.medewerkers.uva.nl/j.jongepier/bestanden/uvadraadloos/ct_root.der

This magically enables the "connect" button.

Can you please give it a try?

Comment 3 Joel Uckelman 2009-07-15 11:19:01 UTC
(In reply to comment #2)
>
> Can you please give it a try?  
>

The Dutch amounts to "add a newline to the end of the certificate and it will work". That's a page I would not have found myself, thanks for pointing it out.

Adding a newline to the end of the certificate provided by the UvA is sufficient to get NetworkManager to recognize it.

Now the question is, whose problem is it? Is the certificate malformed because it doesn't end with a blank line, or is NetworkManager improperly rejecting a properly-formatted certificate? The PEM format is based on Section 9 of RFC 1421. (Note that this is a PEM certificate, despite being named .der!) The relevant portion is here:

<posteb> ::= "-----END PRIVACY-ENHANCED MESSAGE-----" CRLF / <preeb>

For PEM certificates, the name of the boundary is "CERTIFICATE" rather than "PRIVACY-ENHANCED MESSAGE". The end boundary should be followed by either another beginning boundary or by a newline.

So, I conclude that NetworkManager is doing the right thing by the standard and the certificate being distributed by the UvA is broken.

That said, would it be a bad thing if NetworkManager accepted PEM certificates which are missing their trailing newline? (All of the Windows users around here have had no problem with the broken certificate because whatever they're using to connect doesn't care whether it ends with a newline.)
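
The two behaviours discussed in comment 3, as an added example that is not part of the original thread and is not NetworkManager's or wpa_supplicant's code: a minimal C check of the PEM end boundary, with the strict reading (boundary must be followed by a line break) beside a tolerant one that also accepts end of input. The function name `pem_cert_body`, its `strict` flag and the sample data are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#define PEM_BEGIN "-----BEGIN CERTIFICATE-----"
#define PEM_END   "-----END CERTIFICATE-----"

/* Constructed sample: placeholder base64, nothing after the END boundary. */
static const char SAMPLE_NO_NL[] =
    "-----BEGIN CERTIFICATE-----\n"
    "TUlJQ2V4YW1wbGU=\n"
    "-----END CERTIFICATE-----";

/* Bounded substring search; buf need not be NUL-terminated. */
static const char *find_marker(const char *buf, size_t len, const char *m)
{
    size_t mlen = strlen(m);
    for (size_t i = 0; i + mlen <= len; i++)
        if (memcmp(buf + i, m, mlen) == 0)
            return buf + i;
    return NULL;
}

/* Hypothetical helper: locate the non-empty base64 body of the first cert.
 * strict != 0 requires CR or LF after the END boundary; strict == 0 also
 * accepts end of input there. Returns 0 and sets outputs, or -1 if rejected. */
int pem_cert_body(const char *buf, size_t len, int strict,
                  const char **body, size_t *body_len)
{
    const char *stop = buf + len;
    const char *p = find_marker(buf, len, PEM_BEGIN);
    if (!p) return -1;
    p += strlen(PEM_BEGIN);
    if (p == stop || (*p != '\r' && *p != '\n')) return -1;
    while (p < stop && (*p == '\r' || *p == '\n')) p++;
    const char *end = find_marker(p, (size_t)(stop - p), PEM_END);
    if (!end || end == p || (end[-1] != '\r' && end[-1] != '\n')) return -1;
    const char *after = end + strlen(PEM_END);
    if (after < stop && *after != '\r' && *after != '\n') return -1; /* junk */
    if (after == stop && strict) return -1;   /* missing trailing newline */
    *body = p; *body_len = (size_t)(end - p);
    return 0;
}

int main(void)
{
    const char *b; size_t n;
    for (int s = 1; s >= 0; s--)
        printf("strict=%d -> %d\n", s,
               pem_cert_body(SAMPLE_NO_NL, sizeof SAMPLE_NO_NL - 1, s, &b, &n));
    return 0;
}
```

Even in tolerant mode, bytes other than a line break directly after the END boundary are still rejected, so relaxing the newline requirement does not mean accepting arbitrary trailing data on the boundary line.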

Comment 4 Joel Uckelman 2009-07-15 11:26:33 UTC
I should also mention that wpa_supplicant accepts the broken PEM certificate when invoked manually, so there is precedent for accepting such things.

Comment 5 Dan Williams 2009-10-26 22:07:32 UTC
NM should just handle this.

Comment 6 Dan Williams 2009-11-11 22:39:05 UTC
Note that I can't seem to duplicate the issue with NM 0.8 in F12.  Will try with NM 0.7.x in F11 as well.

Comment 7 Dan Williams 2009-11-11 23:41:56 UTC
I can't reproduce it either with latest F-11 updates-testing using the ct_root.der certificate linked above.  I believe this bug is fixed by:

NetworkManager-0.7.1.998-1.fc11 has been pushed to the Fedora
11 testing repository.  If problems still persist, please make note of it in
this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update NetworkManager'.  You can provide feedback for this update
here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-10696  

Please let me know if that build doesn't work for you, thanks!

Comment 8 Joel Uckelman 2009-11-18 14:14:26 UTC
(In reply to comment #7)
> I can't reproduce it either with latest F-11 updates-testing using the
> ct_root.der certificate linked above.  I believe this bug is fixed by:
> 
> NetworkManager-0.7.1.998-1.fc11

I've tried that version from testing, and the problem persists.

Comment 9 Dan Williams 2009-11-18 20:53:10 UTC
Joel, can you attach your CA certificate so I can ensure I have the right one when testing?

Comment 10 Joel Uckelman 2009-11-18 21:06:34 UTC
Created attachment 370197 [details]
broken cert

This is the original broken cert.

Comment 11 Dan Williams 2009-11-18 21:16:25 UTC
(In reply to comment #10)
> Created an attachment (id=370197) [details]
> broken cert
> 
> This is the original broken cert.  

Excellent.  I can reproduce your problem now.

Comment 12 Joel Uckelman 2009-11-18 22:00:57 UTC
(In reply to comment #11)
> (In reply to comment #10)
> > Created an attachment (id=370197) [details] [details]
> > broken cert
> > 
> > This is the original broken cert.  
> 
> Excellent.  I can reproduce your problem now.  

If you were grabbing the UvA's current cert, after some point that would have been the corrected one (which happened because I complained). :)

Comment 13 Dan Williams 2009-11-19 00:39:45 UTC
15497fd10fc5557a1f7af3b630e90dc51111dbbd (master)
d3d778d3ab7e6f290ea263b994672cbcd0762e1d (0.7.x)

Thanks!  Should show up in new Fedora builds soon, at least for F11 and higher.

Comment 14 Fedora Update System 2009-12-07 07:35:46 UTC
mobile-broadband-provider-info-1.20090918-1.fc11, NetworkManager-0.7.2-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2009-12-08 08:23:25 UTC
NetworkManager-0.7.997-1.fc12,ModemManager-0.2.997-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/NetworkManager-0.7.997-1.fc12,ModemManager-0.2.997-1.fc12

Comment 16 Fedora Update System 2009-12-10 04:24:02 UTC
NetworkManager-0.7.997-1.fc12, ModemManager-0.2.997-1.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update NetworkManager ModemManager'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-13012

Comment 17 Fedora Update System 2009-12-14 22:48:57 UTC
NetworkManager-0.7.997-2.git20091214.fc12,ModemManager-0.2.997-2.git20091214.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/NetworkManager-0.7.997-2.git20091214.fc12,ModemManager-0.2.997-2.git20091214.fc12

Comment 18 Joel Uckelman 2009-12-15 19:53:50 UTC
I have confirmed that the update fixes the problem.

Comment 19 Fedora Update System 2009-12-16 01:08:30 UTC
NetworkManager-0.7.997-2.git20091214.fc12, ModemManager-0.2.997-2.git20091214.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update NetworkManager ModemManager'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-13165

Comment 20 Fedora Update System 2009-12-18 04:26:28 UTC
ModemManager-0.2.997-3.git20091216.fc12, NetworkManager-0.7.997-2.git20091214.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update ModemManager NetworkManager'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-13165

Comment 21 Fedora Update System 2009-12-22 04:48:53 UTC
ModemManager-0.2.997-4.git20091218.fc12, NetworkManager-0.7.997-2.git20091214.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update ModemManager NetworkManager'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-13165

Comment 22 Fedora Update System 2010-01-02 21:27:09 UTC
ModemManager-0.2.997-4.git20091218.fc12, NetworkManager-0.7.997-2.git20091214.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.