Bug 806128

Summary: Problem connecting WPA WiFi with TLS (certificate) authentication on Fedora 17
Product: [Fedora] Fedora Reporter: Michal Ambroz <rebus>
Component: wpa_supplicantAssignee: Dan Williams <dcbw>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent Docs Contact:
Priority: unspecified    
Version: 17CC: atigro, dcbw, jklimes, jvpgomes, rebus
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-04-17 15:14:46 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Michal Ambroz 2012-03-23 01:12:18 UTC 
Description of problem:
In Fedora 17 there is issue connecting to the WiFi network with WPA EAP authenticated with the user certificate. 

When monitoring the communication (airmon-ng start wlan0, wireshark) everything goes well, certificate is loaded, WiFi accesspont is associated and then at some point:
1)EAP - access point requests identity 
2) wpa supplicant provides identity
3) AP requests for authentication
4) wpa_supplicants sends SSL "Client Hello" to establish ssl. It offers the encryption protocols 
5) The AP replies with "Deauthentication, authentication failed."

My Certificates+WIFI are valid and proven to work (Fedora 16, Windows XP).


Version-Release number of selected component (if applicable):
wpa_supplicant-1.0-0.3.fc17.x86_64


How reproducible:
100%
Can be reproduced with using Network Manager and as well using the wpa_supplicant directly. 

Steps to Reproduce:
1. Configure to connect to WPA+EAP+TLS Access point
Network Manager/Network Name/Other
Network name: name of the network
Wireless Security: WPA&WPA2 Enterprise
Authentication: TLS
Fill identity, user certificate, ca certificate, private key provate password 
Connect

2. Trace the network traffic with airmon-ng + wireshark 
3. In the packet capture look for the SSL client hello
  
Actual results:
SSL client hello is directly followed with deauthenticated response from the Access point..

Expected results:
wpa_supplicant should be instead able to agree with the server on some encryption mechanism common for them and send the authentication itself.

Additional info:
might or might not be related to bug 802552
Comment 1 Michal Ambroz 2012-03-23 12:33:25 UTC 
Tried to downgrade to wpa_supplicant-1.0-0.2.fc17.x86_64.rpm as suggested in 802552 and it works with version wpa_supplicant-1.0-0.2.fc17.x86_64.rpm.
Comment 2 Michal Ambroz 2012-03-23 12:45:09 UTC 
Changed karma of https://admin.fedoraproject.org/updates/FEDORA-2012-2857/wpa_supplicant-1.0-0.3.fc17
Comment 3 Jirka Klimes 2012-04-17 15:14:46 UTC 

*** This bug has been marked as a duplicate of bug 802552 ***