After upgrading to the newest openssl package, wpa_supplicant is no longer capable of 802.1x TLS authentication.
Downgrading OpenSSL to version 1.1.0.e-1 fixed the problem.
It looks like wpa_supplicant can't pass the private key passphrase to openssl anymore. Maybe the syntax changed?
wpa_supplicant[1419]: enp0s25: CTRL-EVENT-EAP-STARTED EAP authentication started
enp0s25: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=4 -> NAK
enp0s25: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
Enter PEM pass phrase:
OpenSSL: tls_read_pkcs12 - Failed to use PKCS#12 file error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
OpenSSL: pending error: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error
OpenSSL: tls_connection_private_key - Failed to load private key error:00000000:lib(0):func(0):reason(0)
TLS: Failed to load private key '/certs/private-key.pem'
TLS: Failed to set TLS connection parameters
As you can see, OpenSSL asks for the PEM pass phrase although wpa_supplicant provided this already.
This doesn't happen in the previous OpenSSL version.
Wanted to ask if anybody else experienced this behaviour before I report this as a bug.
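One way to separate a key/passphrase problem from a wpa_supplicant problem is to have the openssl command line itself open the same key with the same passphrase. The script below is an added check, not part of this thread or of wpa_supplicant: it mirrors the two attempts visible in the log above (PEM private key first, PKCS#12 bundle as fallback) and reports which format OpenSSL accepts. The key path and passphrase are constructed placeholders.

```shell
#!/bin/sh
# Added diagnostic (not from the thread). Classifies a private-key file the way
# wpa_supplicant's log shows it being tried: as a PEM/DER private key first,
# then as a PKCS#12 bundle. Prints "pem", "pkcs12" or "unreadable".
key_format() {
    key="$1"; pass="$2"
    # Attempt 1: encrypted or plain PEM/DER private key with the given passphrase.
    if openssl pkey -in "$key" -passin "pass:$pass" -noout 2>/dev/null; then
        echo pem; return 0
    fi
    # Attempt 2: PKCS#12 bundle. Feeding a PEM file here is what produces the
    # "asn1 ... wrong tag" message seen in the wpa_supplicant log.
    if openssl pkcs12 -in "$key" -passin "pass:$pass" -noout -nokeys 2>/dev/null; then
        echo pkcs12; return 0
    fi
    echo unreadable; return 0
}

# Constructed sample: a passphrase-protected RSA key standing in for the
# thread's /certs/private-key.pem. The passphrase is a placeholder.
demo() {
    tmp=$(mktemp -d)
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -aes-256-cbc -pass pass:correct-passphrase \
        -out "$tmp/private-key.pem" 2>/dev/null
    echo "right passphrase: $(key_format "$tmp/private-key.pem" correct-passphrase)"
    echo "wrong passphrase: $(key_format "$tmp/private-key.pem" wrong-passphrase)"
    rm -rf "$tmp"
}

# Run the demonstration only when an openssl binary is available.
command -v openssl >/dev/null 2>&1 && demo
```

If this reports "pem" for the configured file and passphrase while wpa_supplicant still prompts "Enter PEM pass phrase:", the passphrase is not reaching OpenSSL through wpa_supplicant, which is the situation described in the first post.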
I've noticed maybe a similar problem when trying to connect to an eduroam network. I've asked in hostap's mailing list and it turns out that for me the case where it works (with openssl 1.0) TLS is not even used, while with openssl 1.1 it is being (or trying to be) used and it falls flat on its face. I've asked last week and that is as far as I got replies, no one else has chimed in since then.
I've tried modifying the pkgbuild so that wpa_supplicant and friends link against openssl 1.0 but somewhere along the way it fails, however it does work with a git version (more recent). I haven't spent much time yet trying to fix/workaround this but it's most probably worth submitting a bug in our bug tracker so that wpa_supplicant is linked against openssl 1.0 until more people complain upstream and things are fixed.
R00KIE
Wanted to ask if anybody else experienced this behaviour before I report this as a bug.
I started experiencing this as well, please report. Thanks!
It was reported yesterday: https://bugs.archlinux.org/task/54233
You could go upstream, though
Last edited by Scimmia (2017-05-31 17:34:58)
For me openssl 1.1 breaks EAP-PEAP. The following patch does make wpa_supplicant link against openssl-1.0, but I will not have the chance to confirm it works until next Friday. From my previous tests it should work, but I can't be sure until I actually test it.
--- a/PKGBUILD 2017-05-31 19:33:12.272463216 +0100
+++ b/PKGBUILD 2017-05-31 19:32:59.888988536 +0100
@@ -4,12 +4,12 @@
pkgname=wpa_supplicant
pkgver=2.6
-pkgrel=5
+pkgrel=6
epoch=1
pkgdesc="A utility providing key negotiation for WPA wireless networks"
url="http://hostap.epitest.fi/wpa_supplicant"
arch=('i686' 'x86_64')
-depends=('openssl' 'libdbus' 'readline' 'libnl')
+depends=('openssl-1.0' 'libdbus' 'readline' 'libnl')
optdepends=('wpa_supplicant_gui: wpa_gui program')
license=('GPL')
install=wpa_supplicant.install
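Review bot: the `depends=` change pins the package to the legacy `openssl-1.0` branch with nothing in the PKGBUILD recording why, so the pin will silently outlive the problem it works around; add a comment next to the new `depends=('openssl-1.0' ...)` line that names the bug (https://bugs.archlinux.org/task/54233 from earlier in this thread) so the dependency gets reverted to `openssl` once the TLS/passphrase issue is fixed upstream. The `pkgrel` bump to 6 is correct for a dependency change.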
@@ -30,6 +30,9 @@
# The Makefile does not pick up our CPPFLAGS
export CFLAGS="$CPPFLAGS $CFLAGS"
+ export CFLAGS="$CFLAGS -I/usr/include/openssl-1.0"
+ export LIBS="-L/usr/lib/openssl-1.0"
+ export LIBS_p="-L/usr/lib/openssl-1.0"
make LIBDIR=/usr/lib BINDIR=/usr/bin
make LIBDIR=/usr/lib BINDIR=/usr/bin eapol_test
}
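Review bot: `export LIBS="-L/usr/lib/openssl-1.0"` and `export LIBS_p=...` assign rather than append, so any LIBS already set by the environment or makepkg is discarded; use `export LIBS="$LIBS -L/usr/lib/openssl-1.0"` (and the same for `LIBS_p`) to match how the preceding `export CFLAGS="$CPPFLAGS $CFLAGS"` line accumulates flags. The new `export CFLAGS` line can also be folded into that existing one. Since `-I`/`-L` only steer the build, confirm the result after `make` with `ldd` on the produced `wpa_supplicant` and `eapol_test` binaries to check that libssl/libcrypto resolve to the 1.0 libraries rather than the system 1.1 ones.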
R00KIE