Bug#668612: wpasupplicant: ssl bad certificate

Luis Fernando Llana Díaz

Apr 13, 2012, 9:20:02 AM
Package: wpasupplicant
Version: 0.7.3-6
Severity: normal

Dear Maintainer,
I have just installed Debian Wheezy. So far, the only important thing
that does not work is the Eduroam connection in my institution. It has
always worked in the previous versions. This is the configuration file
I have always used:
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
eapol_version=1
ap_scan=1

network={
ssid="eduroam"
#proto=WPA
key_mgmt=WPA-EAP
pairwise=CCMP TKIP
group=CCMP TKIP
eap=TTLS
phase1="peaplabel=0"
phase2="auth=PAP"
identity="X...@sip.ucm.es"
anonymous_identity="anon...@ucm.es"
password="XXXXXX"
# ca_cert="/etc/cert/ca.pem"
priority=2
}

Let us note that the ca_cert entry is commented since it is not used in
my institution. This is the error I get when I try to connect:

Trying to associate with 00:1f:45:e4:e2:d1 (SSID='eduroam' freq=5200 MHz)
Associated with 00:1f:45:e4:e2:d1
CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected
SSL: SSL3 alert: read (remote end reported an error):fatal:bad certificate
OpenSSL: openssl_handshake - SSL_connect error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
CTRL-EVENT-EAP-FAILURE EAP authentication failed
Authentication with 00:1f:45:e4:e2:d1 timed out.

-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (650, 'testing')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-2-686-pae (SMP w/2 CPU cores)
Locale: LANG=es_ES.UTF-8, LC_CTYPE=es_ES.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages wpasupplicant depends on:
ii adduser 3.113+nmu1
ii initscripts 2.88dsf-22.1
ii libc6 2.13-27
ii libdbus-1-3 1.5.12-1
ii libnl-3-200 3.2.7-2
ii libnl-genl-3-200 3.2.7-2
ii libpcsclite1 1.8.3-2
ii libreadline6 6.2-8
ii libssl1.0.0 1.0.1-4
ii lsb-base 4.1+Debian0

wpasupplicant recommends no packages.

Versions of packages wpasupplicant suggests:
pn libengine-pkcs11-openssl <none>
pn wpagui <none>

-- no debconf information

Stefan Lippers-Hollmann

May 15, 2012, 5:10:01 PM
Hi

On Tuesday 15 May 2012, Luis Fernando Llana Díaz wrote:
> Package: wpasupplicant
> Version: 0.7.3-6
> Severity: normal
>
> Dear Maintainer,
> I have just installed Debian Wheezy. So far, the only important thing
> that does not work is the Eduroam connection in my institution. It has
> always worked in the previous versions. This is the configuration file
> I have always used:

Please test wpasupplicant 1.0-2 from unstable (uploaded yesterday),
which should install on wheezy without problems or further
dependencies.

There seem to be longstanding problems with eduroam, unfortunately we
don't know if these are actually fixed in 1.0, if configuration changes
are required (client side), if there are 'just' wrongly encapsulated
certificates or documentations provided by your university or if these
problems can be attributed to wpasupplicant or kernel driver problems.
The big problem here is that we unfortunately can't set up an
equivalent server setup for testing, nor have access to the involved
wlans ourselves. So with all the potential problems around, there is
little support we can provide for these specific configurations,
especially because many universities make it pretty hard to extract the
required certificates from their windows packages.

Therefore we require your assistance to debug these issues and to find
hints for fixing this (and no, switching one bucket of problems using
OpenSSL with another, by using GNU TLS, is no solution either). With a
little luck, you may find advice from seasoned Linux using students,
maybe you know success stories from different distributions, where we
could check what they're doing differently. Eventually wpasupplicant
upstream also has a few ideas, who is pretty familiar with lots of
'weird' commercial setups.

The only roughly comparable wlan setup I have access to, uses this kind
of configuration:

network={
ssid="<whatever>"
key_mgmt=IEEE8021X
eap=TTLS
phase2="auth=PAP"
identity="<some_u...@looing.like.a.mail.address>
password="<something_secret>"
ca_cert="/path/to/a/real/cert.pem"
}

which does work fine, perhaps this may help you, although it doesn't
look too similar.

Regards
Stefan Lippers-Hollmann

Luis Llana

May 16, 2012, 7:40:01 AM
Hello,
  I have downloaded wpasupplicant (1.0-2) from unstable and it works. The version from squeeze still works. It cannot be installed in wheezy, but I have extracted it into a custom directory and it works:

root@portHP:/tmp# /home/luis/kimba/cvs/config/wpa_supplicant -Dwext -iwlan0 -c /home/luis/kimba/cvs/config/wpa_eduroam.conf
Trying to associate with 00:1f:45:e4:e2:d1 (SSID='eduroam' freq=5200 MHz)
Associated with 00:1f:45:e4:e2:d1
CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected
CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
WPA: Key negotiation completed with 00:1f:45:e4:e2:d1 [PTK=CCMP GTK=CCMP]
CTRL-EVENT-CONNECTED - Connection to 00:1f:45:e4:e2:d1 completed (auth) [id=0 id_str=]
CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected
CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
RSN: pre-authentication with 00:1f:45:e4:e2:d9 completed successfully


I can do more tests if you want.

Luis


Stefan Lippers-Hollmann

May 22, 2012, 8:00:01 PM
reopen 668612
forcemerge 668612 561081 579297
tags 668612 + help
thanks

Hi

On Wednesday 23 May 2012, Luis Fernando Llana Díaz wrote:
> Hi Stefan,
> I am sorry, today I am a bit sick..... what I wrote is wrong
> What I meant to say is that it worked with the old version that I
> downloaded from squeeze. But it does NOT work with the version from
> unstable. I am sorry for the mistake. I can help you debugging this
> problem because I am really interested in making this work. I have tried
> with nl80211, but it neither works.

Like I mentioned in my previous mail, the best option would be to find
a system using wpasupplicant >= 0.7.x that is working, ideally Fedora,
OpenSuSE, eventually Mandriva/ Mageia - Ubuntu is most likely too
similar to Debian. Ideally we could also test to build wpa 1.0 against
libssl-dev 0.9.8 XOR gnutls and to rebuild wpasupplicant 0.6.10 against
libssl 1.0.0, but there are a couple of changes which make this
relatively difficult.

We also can't rule out misconfiguration yet, because I don't see other
contemporary distros packaging wpasupplicant significantly different…
Given these bugreports and assuming that other distros are using
comparable versions of wpasupplicant and openssl, I find it hard to
believe that it's broken for everyone using (contemporary) linux and
eduroam.

Given that no one of us has access to eduroam installs ourselves, nor
have enough information to recreate an eduroam test environment, we
have very limited options to debug this particular issue.
wpa_supplicant upstream might have more experience to debug this
problem with you, but the imho the first attempt should be to find
other linux users at your institution who might have some advice about
configuration problems.

Regards
Stefan Lippers-Hollmann

Stefan Lippers-Hollmann

May 22, 2012, 8:10:01 PM
Hi

On Wednesday 23 May 2012, Stefan Lippers-Hollmann wrote:
[…]
What might also be worth testing, if it installs without further
problems, would be wpasupplicant 0.7.3-1[1], which was the last version
built against openssl 0.9.8 (like wpasupplicant 0.6.10 was). Getting to
know if this makes a difference might help a lot, although I don't see
an immediate fix for that either.

Regards
Stefan Lippers-Hollmann

[1] http://snapshot.debian.org/package/wpasupplicant/0.7.3-1/

Luis Fernando Llana Díaz

May 24, 2012, 1:40:02 PM
Hello,
I have tried installing the ubuntu versions. I could not install any
version directly. But I have extracted the version from natty
wpasupplicant_0.7.3-0ubuntu1_i386.deb in a custom directory and it
works:
# /opt/wpa/wpa_supplicant/sbin/wpa_supplicant -Dnl80211 -iwlan0 -c /home/luis/kimba/cvs/config/wpa_eduroam.conf
Trying to authenticate with 00:1f:45:e4:e1:69 (SSID='eduroam' freq=2432 MHz)
Trying to associate with 00:1f:45:e4:e1:69 (SSID='eduroam' freq=2432 MHz)
Associated with 00:1f:45:e4:e1:69
CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected
CTRL-EVENT-EAP-PEER-CERT depth=2 subject='/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware'
CTRL-EVENT-EAP-PEER-CERT depth=2 subject='/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware'
CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=NL/O=TERENA/CN=TERENA SSL CA'
CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=ES/O=Universidad Complutense de Madrid/CN=sbr.ucm.es'
CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
WPA: Key negotiation completed with 00:1f:45:e4:e1:69 [PTK=CCMP GTK=CCMP]
CTRL-EVENT-CONNECTED - Connection to 00:1f:45:e4:e1:69 completed (auth) [id=0 id_str=]
Luis.


On Wed, 23-05-2012 at 01:56 +0200, Stefan Lippers-Hollmann wrote:
> reopen 668612
> forcemerge 668612 561081 579297
> tags 668612 + help
> thanks
>
> Hi
>
> On Wednesday 23 May 2012, Luis Fernando Llana Díaz wrote:
> > Hi Stefan,
> > I am sorry, today I am a bit sick..... what I wrote is wrong
> > What I meant to say is that it worked with the old version that I
> > downloaded from squeeze. But it does NOT work with the version from
> > unstable. I am sorry for the mistake. I can help you debugging this
> > problem because I am really interested in making this work. I have tried
> > with nl80211, but it neither works.
>
> Like I mentioned in my previous mail, the best option would be to find
> a system using wpasupplicant >= 0.7.x that is working, ideally Fedora,
> OpenSuSE, eventually Mandriva/ Mageia - Ubuntu is most likely too
> similar to Debian. Ideally we could also test to build wpa 1.0 against
> libssl-dev 0.9.8 XOR gnutls and to rebuild wpasupplicant 0.6.10 against
> libssl 1.0.0, but there are a couple of changes which make this
> relatively difficult.
>
> We also can't rule out misconfiguration yet, because I don't see other
> contemporary distros packaging wpasupplicant significantly different…
> Given these bugreports and assuming that other distros are using
> comparable versions of wpasupplicant and openssl, I find it hard to
> believe that it's broken for everyone using (contemporary) linux and
> eduroam.
>
> Given that no one of us has access to eduroam installs ourselves, nor
> have enough information to recreate an eduroam test environment, we
> have very limited options to debug this particular issue.
> wpa_supplicant upstream might have more experience to debug this
> problem with you, but the imho the first attempt should be to find
> other linux users at your institution who might have some advice about
> configuration problems.
>
> Regards
> Stefan Lippers-Hollmann
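The network block in the first message has ca_cert commented out, and the working run in the last message prints the server chain that wpa_supplicant was shown; wpa_supplicant performs no server-certificate verification at all when neither ca_cert nor ca_path is set, so that block will hand the inner PAP credentials to any access point announcing the SSID. The script below is an added example, not part of this bug thread or of the wpasupplicant package: it parses a network={...} block for the verification-related settings and classifies the TLS outcome from wpa_supplicant's own event lines, distinguishing an alert received from the RADIUS server (logged as "read", which is what the failing run above shows) from one raised by the local TLS library (logged as "write", which is what a failed ca_cert check produces). The sample config and log lines are copied from the thread with the mail line-wrapping undone; the finding codes, the classification labels and the subject_match check are this script's own.

```python
"""Audit a wpa_supplicant EAP network block and classify the TLS outcome
from wpa_supplicant's control-event output (added example, not project code)."""
import re

# Network block copied from the bug report (identity/password were already
# redacted there); the global ctrl_interface lines are omitted.
SAMPLE_CONF = """\
network={
ssid="eduroam"
#proto=WPA
key_mgmt=WPA-EAP
pairwise=CCMP TKIP
group=CCMP TKIP
eap=TTLS
phase1="peaplabel=0"
phase2="auth=PAP"
identity="X...@sip.ucm.es"
anonymous_identity="anon...@ucm.es"
password="XXXXXX"
# ca_cert="/etc/cert/ca.pem"
priority=2
}
"""

# Event lines copied from the thread: the failing run (first message) and the
# working run that printed the server chain (last message).
SAMPLE_LOG_FAIL = """\
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected
SSL: SSL3 alert: read (remote end reported an error):fatal:bad certificate
OpenSSL: openssl_handshake - SSL_connect error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
CTRL-EVENT-EAP-FAILURE EAP authentication failed
"""
SAMPLE_LOG_OK = """\
CTRL-EVENT-EAP-PEER-CERT depth=2 subject='/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware'
CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=NL/O=TERENA/CN=TERENA SSL CA'
CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=ES/O=Universidad Complutense de Madrid/CN=sbr.ucm.es'
CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
"""

NETWORK_RE = re.compile(r"network=\{(.*?)\}", re.S)
PEER_CERT_RE = re.compile(r"CTRL-EVENT-EAP-PEER-CERT depth=(\d+) subject='([^']*)'")
# wpa_supplicant logs "read (...)" for an alert received from the server and
# "write (...)" for one raised by the local TLS library.
ALERT_RE = re.compile(r"SSL3 alert: (read|write) \([^)]*\):(\w+):(.+)")
TUNNELED = {"TTLS", "PEAP", "FAST"}


def parse_networks(conf):
    """Return one dict per network={...} block. Keys that appear only on
    '#' lines go into the '_commented' set, so the audit can report
    'present but disabled' rather than 'absent'."""
    nets = []
    for body in NETWORK_RE.findall(conf):
        net, commented = {}, set()
        for raw in body.splitlines():
            line = raw.strip()
            disabled = line.startswith("#")
            line = line.lstrip("# ")
            if "=" not in line:
                continue
            key, val = line.split("=", 1)
            key, val = key.strip(), val.strip().strip('"')
            if disabled:
                commented.add(key)
            else:
                net[key] = val
        net["_commented"] = commented
        nets.append(net)
    return nets


def audit_network(net):
    """Return (code, message) findings for one EAP network block."""
    findings = []
    methods = set(net.get("eap", "").split())
    if methods & (TUNNELED | {"TLS"}):
        if "ca_cert" not in net and "ca_path" not in net:
            how = "commented out" if "ca_cert" in net["_commented"] else "absent"
            findings.append(("NO_CA_CERT", f"ca_cert {how}: the server certificate is "
                             "not verified, so credentials go to any AP announcing this SSID"))
        elif "subject_match" not in net and "altsubject_match" not in net:
            findings.append(("NO_SUBJECT_MATCH", "ca_cert set but no subject_match/"
                             "altsubject_match: any certificate from that CA is accepted"))
    if "TTLS" in methods and "peaplabel" in net.get("phase1", ""):
        findings.append(("PEAPLABEL_IGNORED", "phase1 peaplabel is a PEAP option; "
                         "it has no effect with EAP-TTLS"))
    if "auth=PAP" in net.get("phase2", ""):
        findings.append(("PAP_INNER", "inner PAP sends the password in the clear inside "
                         "the tunnel; it is only as safe as the tunnel's server check"))
    if "anonymous_identity" not in net:
        findings.append(("NO_ANON_ID", "no anonymous_identity: the real username is "
                         "sent unencrypted in the outer EAP identity"))
    return findings


def parse_eap_log(log):
    """Extract the presented server chain (root first), TLS alerts and the EAP outcome."""
    chain = sorted({(int(d), s) for d, s in PEER_CERT_RE.findall(log)}, reverse=True)
    alerts = [(side, level, desc.strip()) for side, level, desc in ALERT_RE.findall(log)]
    return {"chain": chain, "alerts": alerts, "success": "CTRL-EVENT-EAP-SUCCESS" in log}


def classify(result):
    """'success', 'server-rejected' (alert came from the RADIUS server, as in the
    bug report), 'client-rejected' (the local ca_cert check failed) or 'failed'."""
    if result["success"]:
        return "success"
    sides = {side for side, _, _ in result["alerts"]}
    if "read" in sides:
        return "server-rejected"
    if "write" in sides:
        return "client-rejected"
    return "failed"


if __name__ == "__main__":
    for net in parse_networks(SAMPLE_CONF):
        print(f"network {net.get('ssid')!r}:")
        for code, msg in audit_network(net):
            print(f"  [{code}] {msg}")
    for name, log in (("failing run", SAMPLE_LOG_FAIL), ("working run", SAMPLE_LOG_OK)):
        r = parse_eap_log(log)
        print(f"{name}: {classify(r)}; chain depth {len(r['chain'])}; alerts {r['alerts']}")
```

Run against the thread's own material the audit reports NO_CA_CERT, PEAPLABEL_IGNORED and PAP_INNER for the eduroam block, and the failing run classifies as server-rejected: the bad certificate alert was sent by the RADIUS server, not produced by a local verification failure, which is consistent with the thread's observation that the same configuration works with a wpa_supplicant build linked against the older OpenSSL.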