Arch Linux

Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines

Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!
Tasklist

FS#78770 - [wpa_supplicant] openssl 3.1.1-1 breaks WPA Enterprise wireless connection

Attached to Project: Arch Linux
Opened by Pingplug Feng (pingplug) - Tuesday, 13 June 2023, 01:58 GMT
Last edited by Toolybird (Toolybird) - Tuesday, 13 June 2023, 21:52 GMT
Task Type Bug Report
Category Packages: Extra
Status Assigned
Assigned To Evangelos Foutras (foutrelis)
Morten Linderud (Foxboron)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 0%
Votes 1
Private No

Details

Description:
can not connect to WPA Enterprise WiFi after updated to openssl 3.1.1-1, downgrade to 3.0.9-1 can fix this.
maybe wpa_supplicant should be recompiled.

Additional info:
openssl 3.1.1-1
wpa_supplicant 2:2.10-8
networkmanager 1.42.6-1

Steps to reproduce:
This task depends upon

Comment by loqs (loqs) - Tuesday, 13 June 2023, 02:01 GMT
More details in https://bbs.archlinux.org/viewtopic.php?id=286417
Comment by loqs (loqs) - Tuesday, 13 June 2023, 13:02 GMT
OpenSSL 3.1 banned SSL3, TLS1, TLS1.1 and DTLS1.0 at security level one and above [1].
This breaks autodection of when to downgrade security level [2] as the connection has now already been rejected. Applying [3] has no effect the connection has still already been rejected.
wpa_suplicant does support explicitly allowing TLS1.1 and TLS1 [4] which was tested to work [5][6].

[1] https://github.com/openssl/openssl/commit/a8b6c9f83ce49b6192137c7600532441db885e19
[2] https://gitlab.archlinux.org/archlinux/packaging/packages/wpa_supplicant/-/blob/main/lower_security_level_for_tls_1.patch
[3] https://w1.fi/cgit/hostap/commit/?id=e9b4ad2364c68130c7618a88a171e29e0e15007e
[4] https://w1.fi/cgit/hostap/commit/?id=58bbcfa31b18eae42e3f3dc8fea716360d4bb67f
[5] https://bbs.archlinux.org/viewtopic.php?pid=2104698#p2104698
[6] https://bbs.archlinux.org/viewtopic.php?pid=2104709#p2104709
Comment by Toolybird (Toolybird) - Tuesday, 13 June 2023, 20:59 GMT
@loqs, thanks for the detailed research and links! IIUC this is not a bug in openssl and is in fact intended behavior. It seems more like a config issue in wpa_supplicant and should therefore be documented in the Wiki.

Is there anything for Arch to fix package-wise? Does anything need to be reported upstream?
Comment by loqs (loqs) - Tuesday, 13 June 2023, 21:16 GMT
I think upstream wpa_supplicant should be notified to see if lower_security_level_for_tls_1.patch which is upstream commit [1] bc99366f9b960150aa2e369048bbc2218c1d414e can be reworked to be compatible with OpenSSL 3.1.
The wpa_supplicant package could drop applying the patch as it no longer has any effect although leaving it is harmless. The wpa_supplicant_tls.patch is also made redundant as manually enabling TLS1.1 or TLS1 in wpa_supplicant's config sets the matching minimum protocol level along with the security level. Leaving it has no effect with OpenSSL now enforcing a TLS1.2 minimum by default.

[1] https://w1.fi/cgit/hostap/commit/?id=bc99366f9b960150aa2e369048bbc2218c1d414e
Comment by Toolybird (Toolybird) - Tuesday, 13 June 2023, 21:51 GMT
Thanks again @loqs. Ok, then someone who is motivated needs to report this to wpa_supplicant upstream. It's not an Arch packaging bug...but I will notify the wpa_supplicant PM's just in case.
Comment by Jan Alexander Steffens (heftig) - Tuesday, 13 June 2023, 23:13 GMT
Could you try https://pkgbuild.com/~heftig/FS%2378770/ ?

Loading...