Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#76474 - [wpa_supplicant] [networkmanager] won't connect to WPA2 Enterprise after update to openssl 3
Attached to Project:
Arch Linux
Opened by Nikolay Nechaev (kolay.ne) - Monday, 07 November 2022, 14:35 GMT
Last edited by Evangelos Foutras (foutrelis) - Wednesday, 09 November 2022, 15:02 GMT
Details
On 2022.11.05 an update of openssl (version openssl-3.0.7-2) was released. Starting with that package state, I am unable to connect to a network with WPA/WPA2 Enterprise security: the command `nmcli d w c UniversityStudent`, after a long delay, terminates with the error "Connection activation failed: (7) Secrets were required, but not provided." If I switch to the mirror https://archive.archlinux.org/repos/2022/11/04/$repo/os/$arch, downgrade all packages with `pacman -Syyuu`, and reboot, everything works fine just like before the update. Another notable package that was updated that day is wpa_supplicant-2:2.10-5 -> wpa_supplicant-2:2.10-6. The corresponding /etc/NetworkManager/system-connections/UniversityStudent.nmconnection file is attached.
Closed by Evangelos Foutras (foutrelis)
Wednesday, 09 November 2022, 15:02 GMT
Reason for closing: Fixed
Additional comments about closing: wpa_supplicant 2:2.10-7
UniversityStudent.nmconnection
I would suggest trying [1], the option was broken before 3.0.4 but should be working now in 3.0.7.
[1] https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1963834/comments/4
We should probably adopt the patch to wpa_supplicant proposed in the above comment. Fedora and Debian seem to apply it as well.
wpa_supplicant upstream has two relevant commits: https://w1.fi/cgit/hostap/log/?qt=grep&q=5746 -- I believe those would allow enabling unsafe renegotiation on a per connection basis, though I'm not sure if NetworkManager can pass custom options to wpa_supplicant. Might still be better to apply the immediate fix above and revert it once a more granular selection has been implemented in NetworkManager.
Edit:
NetworkManager did support the option then reverted support [2]
[1] https://bbs.archlinux.org/viewtopic.php?pid=2066306#p2066306
[2] https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/commit/3117198f157835506eb1819937b01d68c9e36038
Edit: Make sure that the new package is used by stopping wpa_supplicant.service if previously running.
[1] https://bbs.archlinux.org/viewtopic.php?pid=2066294#p2066294
[2] https://aur.archlinux.org/packages/wpa_supplicant-openssl1
Failure log for reference: https://gist.github.com/DragoonAethis/ee03d345d8d3dd42b12286455d9cf10b
https://pkgbuild.com/~foutrelis/wpa_supplicant-lower-security-level-for-tls-1/
It contains one more fix for OpenSSL 3.0. [1]
[1] https://w1.fi/cgit/hostap/commit/src/crypto/tls_openssl.c?id=bc99366f9b96
@Dragoon: Thanks for the log, it confirms that we're dealing with two different issues and that the previous fix works for one of them.