| Field | Value |
|---|---|
| Summary | Incorrectly rejects PEM files with missing trailing newline |
| Product | Fedora |
| Component | NetworkManager |
| Version | 11 |
| Hardware | x86_64 |
| OS | Linux |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | low |
| Reporter | Joel Uckelman <uckelman> |
| Assignee | Dan Williams <dcbw> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | arxs, danw, dcbw |
| Fixed In Version | 0.2.997-4.git20091218.fc12 |
| Doc Type | Bug Fix |
| Last Closed | 2010-01-02 21:27:53 UTC |

I should point out that this problem is more severe than I originally thought, as it prevents everyone at the University of Amsterdam from using NetworkManager.

Created attachment 351704
possible solution of the problem

I'm able to reproduce your bug with the ct_root.der from UVA.

Well, I don't understand Dutch, but according to http://home.medewerker.uva.nl/j.jongepier/bestanden/Handleiding_NetworkManager.pdf page 7:

"If the 'Connect' button stays grey, NetworkManager does not recognize the certificate, at least if you are working with Fedora 10. However, after adding a blank line at the end of the certificate, NetworkManager does accept the certificate. For convenience I have already done that myself and put the modified certificate online [3]."

Use the ct_root.der from http://home.medewerkers.uva.nl/j.jongepier/bestanden/uvadraadloos/ct_root.der

This magically enables the "connect" button.

Can you please give it a try?

(In reply to comment #2)
> Can you please give it a try?

The Dutch amounts to "add a newline to the end of the certificate and it will work". That's a page I would not have found myself, thanks for pointing it out. Adding a newline to the end of the certificate provided by the UvA is sufficient to get NetworkManager to recognize it.

Now the question is, whose problem is it? Is the certificate malformed because it doesn't end with a blank line, or is NetworkManager improperly rejecting a properly-formatted certificate?

The PEM format is based on Section 9 of RFC 1421. (Note that this is a PEM certificate, despite being named .der!) The relevant portion is here:

    <posteb> ::= "-----END PRIVACY-ENHANCED MESSAGE-----" CRLF / <preeb>

For PEM certificates, the name of the boundary is "CERTIFICATE" rather than "PRIVACY-ENHANCED MESSAGE". The end boundary should be followed by either another beginning boundary or by a newline.
So, I conclude that NetworkManager is doing the right thing by the standard and the certificate being distributed by the UvA is broken. That said, would it be a bad thing if NetworkManager accepted PEM certificates which are missing their trailing newline? (All of the Windows users around here have had no problem with the broken certificate because whatever they're using to connect doesn't care whether it ends with a newline.)

I should also mention that wpa_supplicant accepts the broken PEM certificate when invoked manually, so there is precedent for accepting such things.

NM should just handle this.

Note that I can't seem to duplicate the issue with NM 0.8 in F12. Will try with NM 0.7.x in F11 as well.

I can't reproduce it either with latest F-11 updates-testing using the ct_root.der certificate linked above. I believe this bug is fixed by:

NetworkManager-0.7.1.998-1.fc11 has been pushed to the Fedora 11 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update NetworkManager'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-10696

Please let me know if that build doesn't work for you, thanks!

(In reply to comment #7)
> I can't reproduce it either with latest F-11 updates-testing using the
> ct_root.der certificate linked above. I believe this bug is fixed by:
>
> NetworkManager-0.7.1.998-1.fc11

I've tried that version from testing, and the problem persists.

Joel, can you attach your CA certificate so I can ensure I have the right one when testing?

Created attachment 370197
broken cert

This is the original broken cert.

(In reply to comment #10)
> Created an attachment (id=370197)
> broken cert
>
> This is the original broken cert.

Excellent. I can reproduce your problem now.

(In reply to comment #11)
> (In reply to comment #10)
> > Created an attachment (id=370197)
> > broken cert
> >
> > This is the original broken cert.
>
> Excellent. I can reproduce your problem now.

If you were grabbing the UvA's current cert, after some point that would have been the corrected one (which happened because I complained). :)

15497fd10fc5557a1f7af3b630e90dc51111dbbd (master)
d3d778d3ab7e6f290ea263b994672cbcd0762e1d (0.7.x)

Thanks! Should show up in new Fedora builds soon, at least for F11 and higher.

mobile-broadband-provider-info-1.20090918-1.fc11, NetworkManager-0.7.2-1.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.

NetworkManager-0.7.997-1.fc12,ModemManager-0.2.997-1.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/NetworkManager-0.7.997-1.fc12,ModemManager-0.2.997-1.fc12

NetworkManager-0.7.997-1.fc12, ModemManager-0.2.997-1.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update NetworkManager ModemManager'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-13012

NetworkManager-0.7.997-2.git20091214.fc12,ModemManager-0.2.997-2.git20091214.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/NetworkManager-0.7.997-2.git20091214.fc12,ModemManager-0.2.997-2.git20091214.fc12

I have confirmed that the update fixes the problem.

NetworkManager-0.7.997-2.git20091214.fc12, ModemManager-0.2.997-2.git20091214.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update NetworkManager ModemManager'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-13165

ModemManager-0.2.997-3.git20091216.fc12, NetworkManager-0.7.997-2.git20091214.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update ModemManager NetworkManager'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-13165

ModemManager-0.2.997-4.git20091218.fc12, NetworkManager-0.7.997-2.git20091214.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update ModemManager NetworkManager'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-13165

ModemManager-0.2.997-4.git20091218.fc12, NetworkManager-0.7.997-2.git20091214.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.

Created attachment 348873
screenshot of the problem

Description of problem:
The uni where I work changed their wireless network setup two weeks ago. Since then, it's been impossible to connect with NetworkManager. The problem is that after entering all of the details in the auth dialog, the "Connect" button never becomes enabled. You can see what happens in the attached screenshot.

Version-Release number of selected component (if applicable):
NetworkManager-0.7.1-4.git20090414.fc11.x86_64

How reproducible:
Always.

Steps to Reproduce:
1. Log in in range of a UvA or eduroam access point.
2. Attempt to connect with NetworkManager.

Actual results:
Connect button disabled.

Expected results:
Connect button enabled.

Additional info:
It's possible to connect using what appear to be identical settings using wpa_supplicant directly---I'm connected that way now:

    wpa_supplicant -Dwext -iwlan0 -c/etc/wpa_supplicant/wpa_supplicant.conf.uva
    dhclient wlan0

Here's my working wpa_supplicant.conf.uva:

    ctrl_interface=/var/run/wpa_supplicant
    ctrl_interface_group=wheel

    network={
        ssid="eduroam"
        scan_ssid=1
        key_mgmt=WPA-EAP
        eap=TTLS
        anonymous_identity="anonymous"
        identity="juckelm1"
        password="password"
        phase2="auth=PAP"
        ca_cert="/etc/pki/uva/ct_root.der"
    }
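
An added example, not NetworkManager's code or its fix: a Python sketch of the two behaviours discussed in this report, a PEM reader that insists on a line terminator after the end boundary and one that also accepts end of file, plus a check a certificate publisher could run before distributing a file. The function names and the sample certificate bytes are constructed for illustration.

```python
import base64
import re

BEGIN = re.escape("-----BEGIN CERTIFICATE-----")
END = re.escape("-----END CERTIFICATE-----")

# Strict reading: the end boundary must be followed by a line terminator.
STRICT = re.compile(rf"^{BEGIN}\r?\n(.*?)^{END}\r?\n", re.S | re.M)
# Tolerant reading: end of input may stand in for the final line terminator,
# and trailing blanks after either boundary are ignored.
TOLERANT = re.compile(
    rf"^{BEGIN}[ \t]*\r?\n(.*?)^{END}[ \t]*(?:\r?\n|\Z)", re.S | re.M
)


def pem_to_der(text, tolerant=True):
    """Return the DER bytes of every CERTIFICATE block found in text."""
    pattern = TOLERANT if tolerant else STRICT
    certs = []
    for match in pattern.finditer(text):
        body = "".join(match.group(1).split())  # drop line breaks and blanks
        try:
            certs.append(base64.b64decode(body, validate=True))
        except ValueError as exc:  # binascii.Error is a ValueError
            raise ValueError("certificate body is not valid base64") from exc
    return certs


def lacks_final_newline(raw):
    """True if the file ends right after an end boundary, with no newline."""
    return raw.rstrip(b" \t").endswith(b"-----END CERTIFICATE-----")


# Constructed sample: 60 arbitrary bytes standing in for a DER certificate.
SAMPLE_DER = bytes(range(60))
_b64 = base64.b64encode(SAMPLE_DER).decode()
_body = "\n".join(_b64[i:i + 64] for i in range(0, len(_b64), 64))
PEM_OK = f"-----BEGIN CERTIFICATE-----\n{_body}\n-----END CERTIFICATE-----\n"
PEM_NO_NEWLINE = PEM_OK.rstrip("\n")  # the shape of the file in this report

if __name__ == "__main__":
    for name, pem in (("with newline", PEM_OK), ("without", PEM_NO_NEWLINE)):
        print(name,
              "strict:", len(pem_to_der(pem, tolerant=False)),
              "tolerant:", len(pem_to_der(pem)),
              "flagged:", lacks_final_newline(pem.encode()))
```

The tolerant reader still validates the base64 body, so accepting a missing final newline does not loosen what counts as certificate content.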