Bug 1658110 - EAP-TLS authentication doesn't work with wpa_supplicant in F29
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: wpa_supplicant
Version: 29
Hardware: Unspecified
OS: Unspecified
unspecified
urgent
Target Milestone: ---
Assignee: Lubomir Rintel
QA Contact: Fedora Extras Quality Assurance
Reported: 2018-12-11 09:35 UTC by Beniamino Galvani
Modified: 2018-12-24 06:07 UTC (History)

Fixed In Version: wpa_supplicant-2.7-1.fc29
Last Closed: 2018-12-24 06:07:28 UTC
Type: Bug


Attachments
wpa_supplicant failure logs (80.80 KB, text/plain)
2018-12-11 09:35 UTC, Beniamino Galvani
wpa_supplicant success logs (87.49 KB, text/plain)
2018-12-11 09:35 UTC, Beniamino Galvani
packet capture (9.21 KB, application/vnd.tcpdump.pcap)
2018-12-11 09:36 UTC, Beniamino Galvani

Description Beniamino Galvani 2018-12-11 09:35:14 UTC
Created attachment 1513309
wpa_supplicant failure logs

After upgrading to F29, one of the test cases in NetworkManager CI
suite started to fail. The test starts hostapd with wired 802.1X
EAP-TLS authentication and tries to establish a connection using
NetworkManager and wpa_supplicant. In the packet trace and connection
logs I see that the client sends a first fragment of the EAP-TLS
response in the TLS handshake, but never sends the remaining
fragments. Since I tested the same version of wpa_supplicant on both
F28 and F29 and only the latter doesn't work, I suspect this is an
issue with OpenSSL.

I'll attach wpa_supplicant logs for the working version
(openssl-1.1.0h-3) and for the failing one (openssl-1.1.1-3.fc29) as
well as a failing packet capture (it's not the same run as the log).

Comment 1 Beniamino Galvani 2018-12-11 09:35:51 UTC
Created attachment 1513310
wpa_supplicant success logs

Comment 2 Beniamino Galvani 2018-12-11 09:36:10 UTC
Created attachment 1513311
packet capture

Comment 3 Tomas Mraz 2018-12-11 15:44:17 UTC
Is there any change if you change the system crypto policy to LEGACY?

update-crypto-policies --set LEGACY

Or even try to move the /etc/crypto-policies/back-ends/opensslcnf.config out of the way temporarily. As the file is read on application startup a restart of the system might be needed.

Comment 4 Vladimir Benes 2018-12-12 11:33:54 UTC
(In reply to Tomas Mraz from comment #3)
> Is there any change if you change the system crypto policy to LEGACY?
> 
> update-crypto-policies --set LEGACY

No, this doesn't help, but downgrading wpa_supplicant to version wpa_supplicant-2.6-4.el7 helped.

> 
> Or even try to move the /etc/crypto-policies/back-ends/opensslcnf.config out
> of the way temporarily. As the file is read on application startup a restart
> of the system might be needed.

Comment 5 Tomas Mraz 2018-12-12 12:59:47 UTC
(In reply to Vladimir Benes from comment #4)
> (In reply to Tomas Mraz from comment #3)
> > Is there any change if you change the system crypto policy to LEGACY?
> > 
> > update-crypto-policies --set LEGACY
> 
> no this doesn't help, but downgrading wpa_supplicant to version
> wpa_supplicant-2.6-4.el7 helped

That one links to openssl-1.0.2, so it is not surprising that it helped.

https://w1.fi/cgit/hostap/plain/wpa_supplicant/ChangeLog mentions that support for openssl-1.1.1 was added in version 2.7 of wpa_supplicant. So it will probably require fixing it there either by upgrade or backport of the changes needed.
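
The combination comment 5 points to (a wpa_supplicant older than 2.7 running against OpenSSL 1.1.1) can be checked from package version strings. The script below is an added example, not part of the bug thread; the function names are hypothetical, and the bare 2.6 string stands in for the F28/F29 build, whose full package version the report does not give.

```shell
#!/bin/sh
# Added example, not from the bug report. Flags the package combination the
# thread identifies: wpa_supplicant older than 2.7 with OpenSSL 1.1.1 or newer.

# upstream_version NAME NVR: strip the "NAME-" prefix and the "-RELEASE" suffix.
upstream_version() {
    v=${2#"$1"-}                 # openssl-1.1.1-3.fc29 -> 1.1.1-3.fc29
    printf '%s\n' "${v%%-*}"     # 1.1.1-3.fc29 -> 1.1.1
}

# version_ge A B: succeeds when A >= B in version order (uses sort -V).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# classify WPA_NVR OPENSSL_NVR: prints "affected" or "ok".
classify() {
    wpa=$(upstream_version wpa_supplicant "$1")
    ssl=$(upstream_version openssl "$2")
    if version_ge "$ssl" 1.1.1 && ! version_ge "$wpa" 2.7; then
        echo affected
    else
        echo ok
    fi
}

# Package strings quoted in the thread, plus the constructed "2.6" placeholder.
classify wpa_supplicant-2.6-4.el7  openssl-1.0.2          # downgrade in comment 4
classify wpa_supplicant-2.6        openssl-1.1.0h-3       # working F28 run
classify wpa_supplicant-2.6        openssl-1.1.1-3.fc29   # failing F29 run
classify wpa_supplicant-2.7-1.fc29 openssl-1.1.1-3.fc29   # fixed update
```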

Comment 6 Davide Caratti 2018-12-13 12:00:30 UTC
(In reply to Tomas Mraz from comment #5)
> (In reply to Vladimir Benes from comment #4)
> > (In reply to Tomas Mraz from comment #3)
> > > Is there any change if you change the system crypto policy to LEGACY?
> > > 
> > > update-crypto-policies --set LEGACY
> > 
> > no this doesn't help, but downgrading wpa_supplicant to version
> > wpa_supplicant-2.6-4.el7 helped
> 
> That one links to openssl-1.0.2 so that is not surprising that it helped.
> 
> https://w1.fi/cgit/hostap/plain/wpa_supplicant/ChangeLog mentions that
> support for openssl-1.1.1 was added in version 2.7 of wpa_supplicant. So it
> will probably require fixing it there either by upgrade or backport of the
> changes needed.

The update of wpa_supplicant to version 2.7 is now tracked with bz1658804.
Test RPMs are available at https://copr.fedorainfracloud.org/coprs/dcaratti/wpa_supplicant/build/836854/

-- 
davide

Comment 7 Fedora Update System 2018-12-20 20:00:54 UTC
wpa_supplicant-2.7-1.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-cbc2352475

Comment 8 Fedora Update System 2018-12-22 02:58:08 UTC
wpa_supplicant-2.7-1.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-cbc2352475

Comment 9 Fedora Update System 2018-12-24 06:07:28 UTC
wpa_supplicant-2.7-1.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.
