Bug 1362449 - Captive Portal always fails on TLS error
Summary: Captive Portal always fails on TLS error
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: gnome-shell
Version: 24
Assignee: Debarshi Ray
QA Contact: Fedora Extras Quality Assurance
 
Reported: 2016-08-02 08:38 UTC by Langdon White
Modified: 2016-11-30 05:29 UTC

Fixed In Version: gnome-shell-3.20.4-3.fc24 gnome-shell-3.22.2-2.fc25
Last Closed: 2016-11-30 03:52:56 UTC




Links
System ID Priority Status Summary Last Updated
GNOME Bugzilla 769940 None None None 2016-09-29 14:31:58 UTC

Description Langdon White 2016-08-02 08:38:36 UTC
Description of problem:

Whenever I connect to a new wifi hotspot that has a captive portal signon, I get a TLS error: "Peer failed to perform TLS handshake"


Version-Release number of selected component (if applicable):
gnome-shell.x86_64 3.20.3-3.fc24 

How reproducible: Always

Notes:
Hard to tell where this issue is. Seems to happen both with local DNS resolver and with that disabled. One theory I heard was this may be related to the change to http://fedoraproject.org/static/hotspot.txt to use HSTS which would, possibly, disallow connecting to the "wrong" server when the captive portal redirects the URL you are trying to the captive portal login.

Comment 1 Dimitris 2016-08-19 07:56:12 UTC
I'm seeing something very similar in the hotel I'm in at the moment:
- connectivity check is 302-redirected to an https URL

- As far as I can tell with "openssl s_client -connect", the certificate chain presented by that server contains only one certificate - an ATT WiFi services cert of some sort.  It appears that the cert is not itself in, or signed by, any root CA recognized by the captive portal window.

- The captive portal window is blank, with just the text "Unacceptable TLS certificate" shown.

I can get around that by opening a Firefox tab to e.g. https://yahoo.com, and temporarily accepting the certificate.  Then I can complete the captive portal flow.

The next NM periodic connectivity check then succeeds, of course, which is how I'm online now.

FWIW based on what I see in curl before the browser workaround, this is a squid-based, evidently somewhat crappy, captive portal.

Is it possible to allow the (webkit-based?) browser window to accept invalid certificates, temporarily?  It's not like I'm using any real credentials on the captive portal - just one of those not-secret-at-all "access codes" that the hotel hands to every guest, throughout the whole calendar year based on its format.

Comment 2 Dimitris 2016-08-19 08:00:27 UTC
After disconnecting my VPN I could connect to the HTTPS port again, here's the cert chain if this helps:

$ openssl s_client -connect nmd.hil-sangqhf.snd.wayport.net:443
CONNECTED(00000003)
depth=4 OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
verify return:1
depth=3 C = BE, OU = Trusted Root, O = GlobalSign nv-sa, CN = Trusted Root CA SHA256 G2
verify return:1
depth=2 C = US, ST = Texas, O = ATT Services Inc, OU = ATT Wi-Fi Services, CN = ATT Wi-Fi Services Root Certificate Authority G3
verify return:1
depth=1 C = US, ST = Texas, O = ATT Services Inc, OU = ATT Wi-Fi Services, CN = ATT Wi-Fi Services Managed Device Certificate Authority G3
verify return:1
depth=0 C = US, ST = Texas, O = ATT Services Inc, OU = ATT Wi-Fi Services, CN = nmd.hil-sangqhf.snd.wayport.net
verify return:1
---
Certificate chain
 0 s:/C=US/ST=Texas/O=ATT Services Inc/OU=ATT Wi-Fi Services/CN=nmd.hil-sangqhf.snd.wayport.net
   i:/C=US/ST=Texas/O=ATT Services Inc/OU=ATT Wi-Fi Services/CN=ATT Wi-Fi Services Managed Device Certificate Authority G3
 1 s:/C=US/ST=Texas/O=ATT Services Inc/OU=ATT Wi-Fi Services/CN=ATT Wi-Fi Services Managed Device Certificate Authority G3
   i:/C=US/ST=Texas/O=ATT Services Inc/OU=ATT Wi-Fi Services/CN=ATT Wi-Fi Services Root Certificate Authority G3
 2 s:/C=US/ST=Texas/O=ATT Services Inc/OU=ATT Wi-Fi Services/CN=ATT Wi-Fi Services Root Certificate Authority G3
   i:/C=BE/OU=Trusted Root/O=GlobalSign nv-sa/CN=Trusted Root CA SHA256 G2
 3 s:/C=BE/OU=Trusted Root/O=GlobalSign nv-sa/CN=Trusted Root CA SHA256 G2
   i:/OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
---
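
The chain listing in the comment above can be checked mechanically. The following is an added example, not part of the original bug report or of gnome-shell: it parses the `Certificate chain` section of `openssl s_client` output, checks that each issuer name matches the next subject, and reports the issuer the client's trust store must already contain. The sample text, its names, and the function names are constructed for illustration; matching is by name only and does not verify signatures.

```python
import re

# Constructed sample in the one-line-name format `openssl s_client` prints in
# the comment above; every name here is hypothetical.
SAMPLE = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/O=Example Portal/CN=portal.example.test
   i:/C=US/O=Example Portal/CN=Example Portal Device CA
 1 s:/C=US/O=Example Portal/CN=Example Portal Device CA
   i:/C=US/O=Example Portal/CN=Example Portal Root CA
---
"""

def parse_chain(text):
    """Return [(subject, issuer), ...] from the 'Certificate chain' section."""
    chain, subject, in_section = [], None, False
    for line in text.splitlines():
        if line.strip() == "Certificate chain":
            in_section = True
        elif in_section and line.startswith("---"):
            break
        elif in_section:
            m = re.match(r"\s*\d+\s+s:(.*)$", line)
            if m:
                subject = m.group(1).strip()
                continue
            m = re.match(r"\s*i:(.*)$", line)
            if m and subject is not None:
                chain.append((subject, m.group(1).strip()))
                subject = None
    return chain

def audit_chain(text):
    """Check name linkage only (no signature verification) and report the
    issuer the client's trust store must already contain."""
    chain = parse_chain(text)
    if not chain:
        return {"length": 0, "breaks": [], "leaf_self_issued": False, "needs_trust_in": None}
    # A break means the server sent certificates that do not form one path.
    breaks = [i for i in range(len(chain) - 1) if chain[i][1] != chain[i + 1][0]]
    return {"length": len(chain), "breaks": breaks,
            "leaf_self_issued": chain[0][0] == chain[0][1],
            "needs_trust_in": chain[-1][1]}

if __name__ == "__main__":
    print(audit_chain(SAMPLE))
```

If `needs_trust_in` names a CA that is absent from the system trust store, a client that validates certificates will reject the portal page, which matches the "Unacceptable TLS certificate" symptom reported in this bug.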

Comment 3 Dimitris 2016-08-19 16:03:38 UTC
Possible upstream: https://bugzilla.gnome.org/show_bug.cgi?id=769940

Comment 4 Fedora Update System 2016-11-23 23:20:45 UTC
gnome-shell-3.20.4-3.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-56bb22fcb9

Comment 5 Fedora Update System 2016-11-24 14:41:11 UTC
webkitgtk4-2.14.2-1.fc25 vala-0.34.3-1.fc25 swell-foop-3.22.2-1.fc25 polari-3.22.2-1.fc25 orca-3.22.2-1.fc25 mutter-3.22.2-1.fc25 lightsoff-3.22.2-1.fc25 libgdata-0.17.6-3.fc25 libappstream-glib-0.6.5-1.fc25 gvfs-1.30.2-1.fc25 gupnp-tools-0.8.13-1.fc25 gucharmap-9.0.2-1.fc25 gtksourceview3-3.22.1-1.fc25 gtk3-3.22.4-1.fc25 gtk-doc-1.25-2.fc25 gspell-1.2.1-1.fc25 gnome-system-monitor-3.22.2-1.fc25 gnome-sudoku-3.22.2-1.fc25 gnome-software-3.22.2-1.fc25 gnome-shell-extensions-3.22.2-1.fc25 gnome-shell-3.22.2-2.fc25 gnome-session-3.22.2-1.fc25 gnome-robots-3.22.1-1.fc25 gnome-power-manager-3.22.2-1.fc25 gnome-photos-3.22.2-1.fc25 gnome-online-accounts-3.22.2-1.fc25 gnome-nibbles-3.22.2.2-1.fc25 gnome-music-3.22.2-1.fc25 gnome-mines-3.22.2-1.fc25 gnome-maps-3.22.2-1.fc25 gnome-klotski-3.22.1-1.fc25 gnome-disk-utility-3.22.1-1.fc25 gnome-desktop3-3.22.2-1.fc25 gnome-color-manager-3.22.2-1.fc25 gnome-chess-3.22.2-1.fc25 gnome-calculator-3.22.2-1.fc25 gnome-boxes-3.22.3-1.fc25 glib2-2.50.2-1.fc25 four-in-a-row-3.22.1-1.fc25 five-or-more-3.22.2-1.fc25 file-roller-3.22.2-1.fc25 evolution-ews-3.22.2-1.fc25 evolution-data-server-3.22.2-1.fc25 evolution-3.22.2-1.fc25 epiphany-3.22.3-1.fc25 baobab-3.22.1-1.fc25 aisleriot-3.22.1-1.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-5522a26f9b

Comment 6 Fedora Update System 2016-11-25 09:39:34 UTC
gnome-shell-3.20.4-3.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-56bb22fcb9

Comment 7 Fedora Update System 2016-11-27 22:58:10 UTC
aisleriot-3.22.1-1.fc25, baobab-3.22.1-1.fc25, epiphany-3.22.3-1.fc25, evolution-3.22.2-1.fc25, evolution-data-server-3.22.2-1.fc25, evolution-ews-3.22.2-1.fc25, file-roller-3.22.2-1.fc25, five-or-more-3.22.2-1.fc25, four-in-a-row-3.22.1-1.fc25, glib2-2.50.2-1.fc25, gnome-boxes-3.22.3-1.fc25, gnome-calculator-3.22.2-1.fc25, gnome-chess-3.22.2-1.fc25, gnome-color-manager-3.22.2-1.fc25, gnome-desktop3-3.22.2-1.fc25, gnome-disk-utility-3.22.1-1.fc25, gnome-klotski-3.22.1-1.fc25, gnome-maps-3.22.2-1.fc25, gnome-mines-3.22.2-1.fc25, gnome-music-3.22.2-1.fc25, gnome-nibbles-3.22.2.2-1.fc25, gnome-online-accounts-3.22.2-1.fc25, gnome-photos-3.22.2-1.fc25, gnome-power-manager-3.22.2-1.fc25, gnome-robots-3.22.1-1.fc25, gnome-session-3.22.2-1.fc25, gnome-shell-3.22.2-2.fc25, gnome-shell-extensions-3.22.2-1.fc25, gnome-software-3.22.2-1.fc25, gnome-sudoku-3.22.2-1.fc25, gnome-system-monitor-3.22.2-1.fc25, gspell-1.2.1-1.fc25, gtk-doc-1.25-2.fc25, gtk3-3.22.4-1.fc25, gtksourceview3-3.22.1-1.fc25, gucharmap-9.0.2-1.fc25, gupnp-tools-0.8.13-1.fc25, gvfs-1.30.2-1.fc25, libappstream-glib-0.6.5-1.fc25, libgdata-0.17.6-3.fc25, lightsoff-3.22.2-1.fc25, mutter-3.22.2-1.fc25, orca-3.22.2-1.fc25, polari-3.22.2-1.fc25, swell-foop-3.22.2-1.fc25, vala-0.34.3-1.fc25, webkitgtk4-2.14.2-1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-5522a26f9b

Comment 8 Fedora Update System 2016-11-30 03:52:56 UTC
gnome-shell-3.20.4-3.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2016-11-30 05:29:23 UTC
aisleriot-3.22.1-1.fc25, baobab-3.22.1-1.fc25, epiphany-3.22.3-1.fc25, evolution-3.22.2-1.fc25, evolution-data-server-3.22.2-1.fc25, evolution-ews-3.22.2-1.fc25, file-roller-3.22.2-1.fc25, five-or-more-3.22.2-1.fc25, four-in-a-row-3.22.1-1.fc25, glib2-2.50.2-1.fc25, gnome-boxes-3.22.3-1.fc25, gnome-calculator-3.22.2-1.fc25, gnome-chess-3.22.2-1.fc25, gnome-color-manager-3.22.2-1.fc25, gnome-desktop3-3.22.2-1.fc25, gnome-disk-utility-3.22.1-1.fc25, gnome-klotski-3.22.1-1.fc25, gnome-maps-3.22.2-1.fc25, gnome-mines-3.22.2-1.fc25, gnome-music-3.22.2-1.fc25, gnome-nibbles-3.22.2.2-1.fc25, gnome-online-accounts-3.22.2-1.fc25, gnome-photos-3.22.2-1.fc25, gnome-power-manager-3.22.2-1.fc25, gnome-robots-3.22.1-1.fc25, gnome-session-3.22.2-1.fc25, gnome-shell-3.22.2-2.fc25, gnome-shell-extensions-3.22.2-1.fc25, gnome-software-3.22.2-1.fc25, gnome-sudoku-3.22.2-1.fc25, gnome-system-monitor-3.22.2-1.fc25, gspell-1.2.1-1.fc25, gtk-doc-1.25-2.fc25, gtk3-3.22.4-1.fc25, gtksourceview3-3.22.1-1.fc25, gucharmap-9.0.2-1.fc25, gupnp-tools-0.8.13-1.fc25, gvfs-1.30.2-1.fc25, libappstream-glib-0.6.5-1.fc25, libgdata-0.17.6-3.fc25, lightsoff-3.22.2-1.fc25, mutter-3.22.2-1.fc25, orca-3.22.2-1.fc25, polari-3.22.2-1.fc25, swell-foop-3.22.2-1.fc25, vala-0.34.3-1.fc25, webkitgtk4-2.14.2-1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

