FS#78770 - [wpa_supplicant] openssl 3.1.1-1 breaks WPA Enterprise wireless connection
Attached to Project: Arch Linux
Opened by Pingplug Feng (pingplug) - Tuesday, 13 June 2023, 01:58 GMT
Last edited by Buggy McBugFace (bugbot) - Saturday, 25 November 2023, 20:18 GMT
Details
Description:
Cannot connect to WPA Enterprise WiFi after updating to openssl 3.1.1-1; downgrading to 3.0.9-1 can fix this. Maybe wpa_supplicant should be recompiled.

Additional info:
openssl 3.1.1-1
wpa_supplicant 2:2.10-8
networkmanager 1.42.6-1

Steps to reproduce:
Closed by Buggy McBugFace (bugbot)
Saturday, 25 November 2023, 20:18 GMT
Reason for closing: Moved
Additional comments about closing: https://gitlab.archlinux.org/archlinux/packaging/packages/wpa_supplicant/issues/2
This breaks autodetection of when to downgrade security level [2] as the connection has now already been rejected. Applying [3] has no effect; the connection has still already been rejected.
wpa_supplicant does support explicitly allowing TLS1.1 and TLS1 [4] which was tested to work [5][6].
[1] https://github.com/openssl/openssl/commit/a8b6c9f83ce49b6192137c7600532441db885e19
[2] https://gitlab.archlinux.org/archlinux/packaging/packages/wpa_supplicant/-/blob/main/lower_security_level_for_tls_1.patch
[3] https://w1.fi/cgit/hostap/commit/?id=e9b4ad2364c68130c7618a88a171e29e0e15007e
[4] https://w1.fi/cgit/hostap/commit/?id=58bbcfa31b18eae42e3f3dc8fea716360d4bb67f
[5] https://bbs.archlinux.org/viewtopic.php?pid=2104698#p2104698
[6] https://bbs.archlinux.org/viewtopic.php?pid=2104709#p2104709
Is there anything for Arch to fix package-wise? Does anything need to be reported upstream?
The wpa_supplicant package could drop applying the patch as it no longer has any effect although leaving it is harmless. The wpa_supplicant_tls.patch is also made redundant as manually enabling TLS1.1 or TLS1 in wpa_supplicant's config sets the matching minimum protocol level along with the security level. Leaving it has no effect with OpenSSL now enforcing a TLS1.2 minimum by default.
[1] https://w1.fi/cgit/hostap/commit/?id=bc99366f9b960150aa2e369048bbc2218c1d414e
```
$ sudo wpa_supplicant -P /run/wpa_supplicant-wlan0.pid -i wlan0 -D nl80211,wext -c/tmp/test.conf
Successfully initialized wpa_supplicant
wlan0: SME: Trying to authenticate with 00:12:43:8a:e5:21 (SSID='INFN-dot1x' freq=2447 MHz)
wlan0: Trying to associate with 00:12:43:8a:e5:21 (SSID='INFN-dot1x' freq=2447 MHz)
wlan0: Associated with 00:12:43:8a:e5:21
wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlan0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21
wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:protocol version
OpenSSL: openssl_handshake - SSL_connect error:0A000102:SSL routines::unsupported protocol
wlan0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
wlan0: CTRL-EVENT-DISCONNECTED bssid=00:12:43:8a:e5:21 reason=23
wlan0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="INFN-dot1x" auth_failures=1 duration=10 reason=AUTH_FAILED
wlan0: CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
```
I badly need a workaround since I use WPA Enterprise at work. Can anybody help with this?
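
Added example, not part of the original thread or of any project's code: a small triage script that scans wpa_supplicant output for the failure signature shown in the log above (a fatal `protocol version` alert and an `unsupported protocol` OpenSSL error followed by `CTRL-EVENT-EAP-FAILURE`) and reports which network and EAP method were affected. The function name, the result fields and the single-active-interface assumption are choices made for this example; the sample input is constructed from the lines quoted in the thread.

```python
import re

# Constructed sample, built from the wpa_supplicant output quoted in this thread.
SAMPLE_LOG = """\
wlan0: Trying to associate with 00:12:43:8a:e5:21 (SSID='INFN-dot1x' freq=2447 MHz)
wlan0: Associated with 00:12:43:8a:e5:21
wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:protocol version
OpenSSL: openssl_handshake - SSL_connect error:0A000102:SSL routines::unsupported protocol
wlan0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
wlan0: CTRL-EVENT-DISCONNECTED bssid=00:12:43:8a:e5:21 reason=23
"""

ASSOC = re.compile(r"^(\S+): Trying to associate with ([0-9a-f:]{17}) \(SSID='([^']*)'")
METHOD = re.compile(r"^(\S+): CTRL-EVENT-EAP-METHOD .*\(([\w-]+)\) selected")
ALERT = re.compile(r"^SSL: SSL3 alert: (read|write) .*:fatal:protocol version")
OSSL_ERR = re.compile(r"^OpenSSL: .*error:([0-9A-F]{8}):.*unsupported protocol")
EAP_FAIL = re.compile(r"^(\S+): CTRL-EVENT-EAP-FAILURE")


def find_tls_version_rejections(log_text):
    """Return one finding per EAP failure that follows a TLS protocol-version error."""
    findings, ctx, tls = [], {}, None
    for line in map(str.strip, log_text.splitlines()):
        if m := ASSOC.match(line):
            # New association attempt: remember which network this interface is joining.
            ctx[m[1]] = {"iface": m[1], "bssid": m[2], "ssid": m[3], "eap_method": None}
            tls = None
        elif m := METHOD.match(line):
            blank = {"iface": m[1], "bssid": None, "ssid": None}
            ctx.setdefault(m[1], blank)["eap_method"] = m[2]
        elif m := ALERT.match(line):
            # "write" = alert raised locally (the client refused the server's version);
            # "read" = alert received from the authentication server.
            sender = "client" if m[1] == "write" else "server"
            tls = {"alert_sent_by": sender, "openssl_error": None}
        elif m := OSSL_ERR.match(line):
            tls = tls or {"alert_sent_by": None, "openssl_error": None}
            tls["openssl_error"] = m[1]
        elif (m := EAP_FAIL.match(line)) and tls and m[1] in ctx:
            # TLS lines carry no interface prefix, so they are attributed to the
            # interface whose EAP exchange fails next (assumption: one active interface).
            findings.append({**ctx[m[1]], **tls})
            tls = None
    return findings


if __name__ == "__main__":
    for f in find_tls_version_rejections(SAMPLE_LOG):
        print(f)
```

A finding with `alert_sent_by` set to `client` matches the case discussed in this thread, where the local OpenSSL refuses the TLS version chosen by the authentication server.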