Created attachment 1513309
wpa_supplicant failure logs

After upgrading to F29, one of the test cases in the NetworkManager CI suite started to fail. The test starts hostapd with wired 802.1X EAP-TLS authentication and tries to establish a connection using NetworkManager and wpa_supplicant. In the packet trace and connection logs I see that the client sends the first fragment of the EAP-TLS response in the TLS handshake, but never sends the remaining fragments.

Since I tested the same version of wpa_supplicant on both F28 and F29 and only the latter doesn't work, I suspect this is an issue with OpenSSL. I'll attach wpa_supplicant logs for the working version (openssl-1.1.0h-3) and for the failing one (openssl-1.1.1-3.fc29) as well as a failing packet capture (it's not the same run as the log).
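
Added example, not part of the original report or of wpa_supplicant: a small checker for the symptom described above, a fragmented EAP-TLS response whose last fragment still has the "more fragments" bit set when the trace ends. It assumes the EAPOL header is already stripped; the function names and the sample packets are constructed for illustration.

```python
import struct

EAP_RESPONSE, EAP_TYPE_TLS = 2, 13          # RFC 3748 code, RFC 5216 type
FLAG_L, FLAG_M = 0x80, 0x40                 # Length included, More fragments

def parse_eap_tls(pkt):
    """Parse one EAP packet (EAPOL header stripped); None if not EAP-TLS."""
    if len(pkt) < 6:
        return None
    code, ident, length, etype = struct.unpack("!BBHB", pkt[:5])
    if etype != EAP_TYPE_TLS or not 6 <= length <= len(pkt):
        return None
    flags, off, total = pkt[5], 6, None
    if flags & FLAG_L:                      # 4-byte TLS message length follows
        if length < 10:
            return None
        total, off = struct.unpack("!I", pkt[6:10])[0], 10
    return {"code": code, "id": ident, "more": bool(flags & FLAG_M),
            "total": total, "data": pkt[off:length]}

def find_stalled_response(packets):
    """Return (announced_total, bytes_sent) if the peer's last fragmented
    EAP-TLS response still had the M bit set when the capture ended."""
    total, sent, in_progress = None, 0, False
    for raw in packets:
        p = parse_eap_tls(raw)
        if p is None or p["code"] != EAP_RESPONSE or not p["data"]:
            continue                        # skip requests and empty fragment ACKs
        if not in_progress:                 # first fragment of a new message
            total, sent = p["total"], 0
        sent += len(p["data"])
        in_progress = p["more"]
    return (total, sent) if in_progress else None

def make_eap_tls(code, ident, flags, data=b"", total=None):
    """Build a constructed EAP-TLS packet for the sample traces below."""
    body = bytes([EAP_TYPE_TLS, flags])
    if total is not None:
        body += struct.pack("!I", total)
    return struct.pack("!BBH", code, ident, 4 + len(body) + len(data)) + body + data

# Constructed trace: peer announces 3000 bytes, sends 1400, server ACKs, then silence.
STALLED = [
    make_eap_tls(1, 1, 0x20),                               # EAP-TLS Start
    make_eap_tls(2, 1, 0x00, b"\x16" * 200),                # ClientHello
    make_eap_tls(1, 2, 0x00, b"\x16" * 500),                # server flight
    make_eap_tls(2, 2, FLAG_L | FLAG_M, b"\x16" * 1400, 3000),
    make_eap_tls(1, 3, 0x00),                               # server fragment ACK
]
COMPLETE = STALLED + [
    make_eap_tls(2, 3, FLAG_M, b"\x16" * 1400),
    make_eap_tls(1, 4, 0x00),
    make_eap_tls(2, 4, 0x00, b"\x16" * 200),
]
```

A non-None result after the authenticator's fragment ACK points at the supplicant side, which is where this report ends up.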
Created attachment 1513310
wpa_supplicant success logs

Created attachment 1513311
packet capture
Is there any change if you change the system crypto policy to LEGACY?

update-crypto-policies --set LEGACY

Or even try to move the /etc/crypto-policies/back-ends/opensslcnf.config out of the way temporarily. As the file is read on application startup a restart of the system might be needed.
(In reply to Tomas Mraz from comment #3)
> Is there any change if you change the system crypto policy to LEGACY?
>
> update-crypto-policies --set LEGACY

No, this doesn't help, but downgrading wpa_supplicant to version wpa_supplicant-2.6-4.el7 helped.

> Or even try to move the /etc/crypto-policies/back-ends/opensslcnf.config out
> of the way temporarily. As the file is read on application startup a restart
> of the system might be needed.
(In reply to Vladimir Benes from comment #4)
> (In reply to Tomas Mraz from comment #3)
> > Is there any change if you change the system crypto policy to LEGACY?
> >
> > update-crypto-policies --set LEGACY
>
> no this doesn't help, but downgrading wpa_supplicant to version
> wpa_supplicant-2.6-4.el7 helped

That one links to openssl-1.0.2, so it is not surprising that it helped.

https://w1.fi/cgit/hostap/plain/wpa_supplicant/ChangeLog mentions that support for openssl-1.1.1 was added in version 2.7 of wpa_supplicant. So it will probably require fixing it there, either by upgrade or by backport of the changes needed.
(In reply to Tomas Mraz from comment #5)
> (In reply to Vladimir Benes from comment #4)
> > (In reply to Tomas Mraz from comment #3)
> > > Is there any change if you change the system crypto policy to LEGACY?
> > >
> > > update-crypto-policies --set LEGACY
> >
> > no this doesn't help, but downgrading wpa_supplicant to version
> > wpa_supplicant-2.6-4.el7 helped
>
> That one links to openssl-1.0.2 so that is not surprising that it helped.
>
> https://w1.fi/cgit/hostap/plain/wpa_supplicant/ChangeLog mentions that
> support for openssl-1.1.1 was added in version 2.7 of wpa_supplicant. So it
> will probably require fixing it there either by upgrade or backport of the
> changes needed.

The update of wpa_supplicant to version 2.7 is now tracked with bz1658804. Test RPMs are available at https://copr.fedorainfracloud.org/coprs/dcaratti/wpa_supplicant/build/836854/

--
davide
wpa_supplicant-2.7-1.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-cbc2352475
wpa_supplicant-2.7-1.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-cbc2352475
wpa_supplicant-2.7-1.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.