FS#34396 - [networkmanager] fails to set up WPA-EAP connection without a certificate

Attached to Project: Arch Linux
Opened by Timo Tomasini (kanocx) - Thursday, 21 March 2013, 13:35 GMT
Last edited by Jan de Groot (JGC) - Monday, 21 April 2014, 10:24 GMT
Task Type Bug Report
Category Upstream Bugs
Status Closed
Assigned To Jan de Groot (JGC)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 3
Private No

Details

Description:
I tried to establish a new WPA-EAP connection with networkmanager 0.9.8.0-2, but the connection failed with the following messages:

Mar 21 14:14:29 localhost kernel: [ 284.375574] wlan0: authenticate with 00:de:ad:be:ef:42
Mar 21 14:14:29 localhost kernel: [ 284.384404] wlan0: capabilities/regulatory prevented using AP HT/VHT configuration, downgraded
Mar 21 14:14:29 localhost kernel: [ 284.385442] wlan0: send auth to 00:de:ad:be:ef:42 (try 1/3)
Mar 21 14:14:29 localhost NetworkManager[914]: <info> (wlan0): supplicant interface state: scanning -> authenticating
Mar 21 14:14:29 localhost kernel: [ 284.387369] wlan0: authenticated
Mar 21 14:14:29 localhost kernel: [ 284.390019] wlan0: associate with 00:de:ad:be:ef:42 (try 1/3)
Mar 21 14:14:29 localhost kernel: [ 284.392749] wlan0: RX AssocResp from 00:de:ad:be:ef:42 (capab=0x431 status=0 aid=10)
Mar 21 14:14:29 localhost NetworkManager[914]: <info> (wlan0): supplicant interface state: authenticating -> associating
Mar 21 14:14:29 localhost kernel: [ 284.395292] wlan0: associated
Mar 21 14:14:29 localhost NetworkManager[914]: <info> (wlan0): supplicant interface state: associating -> associated
Mar 21 14:14:29 localhost wpa_supplicant[1036]: Successfully initialized wpa_supplicant
Mar 21 14:14:29 localhost wpa_supplicant[1036]: wlan0: SME: Trying to authenticate with 00:de:ad:be:ef:42 (SSID='HAWHof' freq=2462 MHz)
Mar 21 14:14:29 localhost wpa_supplicant[1036]: wlan0: Trying to associate with 00:de:ad:be:ef:42 (SSID='HAWHof' freq=2462 MHz)
Mar 21 14:14:29 localhost wpa_supplicant[1036]: wlan0: Associated with 00:de:ad:be:ef:42
Mar 21 14:14:29 localhost wpa_supplicant[1036]: wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started
Mar 21 14:14:29 localhost wpa_supplicant[1036]: wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
Mar 21 14:14:29 localhost wpa_supplicant[1036]: wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
Mar 21 14:14:29 localhost wpa_supplicant[1036]: TLS: Certificate verification failed, error 20 (unable to get local issuer certificate) depth 0 for '/CN=ad11.hof-university.de'
Mar 21 14:14:29 localhost wpa_supplicant[1036]: wlan0: CTRL-EVENT-EAP-TLS-CERT-ERROR reason=1 depth=0 subject='/CN=ad11.hof-university.de' err='unable to get local issuer certificate'
Mar 21 14:14:29 localhost wpa_supplicant[1036]: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
Mar 21 14:14:29 localhost wpa_supplicant[1036]: OpenSSL: openssl_handshake - SSL_connect error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Mar 21 14:14:29 localhost wpa_supplicant[1036]: wlan0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
Mar 21 14:14:29 localhost wpa_supplicant[1036]: wlan0: Authentication with 00:de:ad:be:ef:42 timed out.
Mar 21 14:14:29 localhost wpa_supplicant[1036]: wlan0: CTRL-EVENT-DISCONNECTED bssid=00:de:ad:be:ef:42 reason=3 locally_generated=1
Mar 21 14:14:29 localhost wpa_supplicant[1036]: wlan0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="HAWHof" auth_failures=1 duration=10

NetworkManager wrote the following config:

[ipv6]
method=link-local

[connection]
id=HAWHof
uuid=6e59a859-7cf1-43ed-b332-8d8b8c42c3d0
type=802-11-wireless

[802-11-wireless-security]
key-mgmt=wpa-eap

[802-11-wireless]
ssid=HAWHof
mode=infrastructure
mac-address=00:26:C7:35:78:E6
security=802-11-wireless-security

[802-1x]
eap=peap;
identity=ttomasini
anonymous-identity=ttomasini
phase2-auth=mschapv2
password-flags=1
system-ca-certs=true

[ipv4]
method=auto


When I changed system-ca-certs to false, it worked like a charm.

Additional info:
* networkmanager 0.9.8.0-2
* config and log see above


Steps to reproduce:
* try to connect to a user authentication based WPA-EAP without certificates

Closed by  Jan de Groot (JGC)
Monday, 21 April 2014, 10:24 GMT
Reason for closing:  Fixed
Additional comments about closing:  fixed in 0.9.8.9.
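
An added example (not part of the bug report and not NetworkManager's code): a small audit that classifies how a keyfile profile like the one above validates the RADIUS server certificate, and pulls the subject and error out of the CTRL-EVENT-EAP-TLS-CERT-ERROR log line. With neither ca-cert/ca-path nor system-ca-certs=true, wpa_supplicant does not verify the server certificate, which is the state the system-ca-certs=false workaround leaves the profile in. The function names and the sample profile text are assumptions made for the example.

```python
import configparser
import re

# Constructed sample: the reported profile, reduced, after the workaround.
WORKAROUND_PROFILE = """\
[connection]
id=HAWHof
type=802-11-wireless

[802-1x]
eap=peap;
identity=ttomasini
phase2-auth=mschapv2
password-flags=1
system-ca-certs=false
"""

TLS_TUNNEL_METHODS = {"peap", "ttls", "tls"}
CERT_ERROR = re.compile(
    r"CTRL-EVENT-EAP-TLS-CERT-ERROR reason=(\d+) depth=(\d+) "
    r"subject='([^']*)' err='([^']*)'"
)

def server_validation(keyfile_text):
    """Classify how an 802.1X keyfile profile validates the RADIUS server."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.read_string(keyfile_text)
    if not cp.has_section("802-1x"):
        return "not-802.1x"
    sec = cp["802-1x"]
    # 'eap' is a semicolon-separated list in keyfiles, e.g. "peap;"
    methods = {m for m in sec.get("eap", "").lower().split(";") if m}
    if not methods & TLS_TUNNEL_METHODS:
        return "no-tls-method"
    if sec.get("ca-cert") or sec.get("ca-path"):
        return "explicit-ca"      # server cert checked against a chosen CA
    if sec.get("system-ca-certs", "false").lower() == "true":
        return "system-store"     # checked against the system trust store
    return "unvalidated"          # no CA at all: any server cert is accepted

def parse_cert_error(line):
    """Extract fields from a wpa_supplicant certificate error event."""
    m = CERT_ERROR.search(line)
    if not m:
        return None
    return {"reason": int(m[1]), "depth": int(m[2]),
            "subject": m[3], "err": m[4]}
```

Profiles that come back as "unvalidated" are the ones to revisit once the issuing CA for the subject named in the log event is available to set as ca-cert.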
Comment by Timo Tomasini (kanocx) - Monday, 01 July 2013, 08:24 GMT
any news?
Comment by none given (hoban) - Friday, 27 September 2013, 15:05 GMT
The system-ca-certs=false workaround works for a while, but if you make any edit to your profile, NM will again set system-ca-certs=true, re-introducing the issue.
Until a fix is released, we'll either have to remember to re-apply the workaround any time we edit the profile, or else make the access point config file read-only/immutable.
BTW, this is an upstream bug and affects e.g. Ubuntu 13.04/13.10 also.
Comment by Austin (doorknob60) - Wednesday, 16 October 2013, 07:32 GMT
I can confirm this bug. I first encountered it over a year ago, and just now figured out the issue and workaround. So many hours wasted on it... I hope for a fix sometime, although I realize it's likely an upstream issue.
Comment by Pritam Baral (pritambaral) - Friday, 18 October 2013, 13:36 GMT
Bumping, 'coz a patch has been submitted upstream that adds a togglable UI button.
Link for the lazy: https://bugzilla.gnome.org/show_bug.cgi?id=702608
