You are not logged in.

#1 2023-06-11 13:36:39

StephenRamos
Member
Registered: 2023-06-11
Posts: 9

[SOLV] After upgrade to OpenSSL 3.1.1 WPA2 Enterprise Wifi Auth broken

Hi,

After updating my Arch laptop yesterday OpenSSL 3.1.1 breaks WPA2 Enterprise Wifi Auth for me. (Downgrading OpenSSL fixes the issue, so I know for sure the issue is caused by OpenSSL)

Regulat WPA2 authentication works just fine.

This is what I use to connect on Networkmanager:

/etc/NetworkManager/system-connections/securewifi.nmconnection

[connection]
id=SECUREWIFI
uuid=4f5e70c9-6d6e-4a6d-8377-85d9483d46eb
type=wifi
timestamp=1654797796

[wifi]
mode=infrastructure
ssid=SECUREWIFI_LND

[wifi-security]
key-mgmt=wpa-eap

[802-1x]
eap=peap;
identity=username
password=<password>
phase2-auth=mschapv2

[ipv4]
dns-search=domain.org;
method=auto

[ipv6]
addr-gen-mode=stable-privacy
method=disabled

[proxy]

This is what I see on the journal logs when I try to connect and it fails:

Jun 11 14:24:08 laptop.domain.org wpa_supplicant[3320]: wlp3s0: SME: Trying to authenticate with 90:6c:ac:4e:13:aa (SSID='SECUREWIFI_LND' freq=5500 MHz)
Jun 11 14:24:08 laptop.domain.org wpa_supplicant[3320]: wlp3s0: Trying to associate with 90:6c:ac:4e:13:aa (SSID='SECUREWIFI_LND' freq=5500 MHz)
Jun 11 14:24:08 laptop.domain.org wpa_supplicant[3320]: wlp3s0: Associated with 90:6c:ac:4e:13:aa
Jun 11 14:24:08 laptop.domain.org wpa_supplicant[3320]: wlp3s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
Jun 11 14:24:11 laptop.domain.org wpa_supplicant[3320]: wlp3s0: CTRL-EVENT-EAP-STARTED EAP authentication started
Jun 11 14:24:11 laptop.domain.org wpa_supplicant[3320]: wlp3s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21 -> NAK
Jun 11 14:24:11 laptop.domain.org wpa_supplicant[3320]: wlp3s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
Jun 11 14:24:11 laptop.domain.org wpa_supplicant[3320]: wlp3s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
Jun 11 14:24:11 laptop.domain.org wpa_supplicant[3320]: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:protocol version
Jun 11 14:24:11 laptop.domain.org wpa_supplicant[3320]: OpenSSL: openssl_handshake - SSL_connect error:0A000102:SSL routines::unsupported protocol
Jun 11 14:24:11 laptop.domain.org wpa_supplicant[3320]: wlp3s0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
Jun 11 14:24:11 laptop.domain.org wpa_supplicant[3320]: wlp3s0: CTRL-EVENT-DISCONNECTED bssid=90:6c:ac:4e:13:aa reason=23
Jun 11 14:24:11 laptop.domain.org wpa_supplicant[3320]: wlp3s0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="SECUREWIFI_LND" auth_failures=1 duration=10 reason=AUTH_FAILED
Jun 11 14:24:11 laptop.domain.org wpa_supplicant[3320]: BSSID 90:6c:ac:4e:13:aa ignore list count incremented to 2, ignoring for 10 seconds
Jun 11 14:24:11 laptop.domain.org wpa_supplicant[3320]: wlp3s0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="SECUREWIFI_LND" auth_failures=2 duration=22 reason=CONN_FAILED
Jun 11 14:24:11 laptop.domain.org wpa_supplicant[3320]: wlp3s0: CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD

As the OpenSSL error is "Unsupported Protocol" I tried this on the /etc/ssl/openssl.cnf file:

openssl_conf = old_support_conf

[old_support_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1
CipherString = DEFAULT@SECLEVEL=1
Options = UnsafeLegacyServerConnect

Unfortunately it doesn't work and I'm running out of ideas, I can downgrade OpenSSL but then I have to downgrade other packages too.

Nothing I have been able to find online makes any difference, anyone has any idea what else can I try?

Last edited by StephenRamos (2023-06-11 21:21:36)

Offline

#2 2023-06-11 14:57:42

seth
Member
Registered: 2012-09-03
Posts: 59,718

Re: [SOLV] After upgrade to OpenSSL 3.1.1 WPA2 Enterprise Wifi Auth broken

3.0.9 to 3.1.1?
This used to be an issue when changing to 3.x, but the 3.1 changelog doesn't yell further restrictions.

The MinProtocol value is formally "illegal", no idea whether it's silently accepted: https://man.archlinux.org/man/SSL_CONF_ … n_protocol
Did you restart wpa_supplicant/NM after the changes?

Offline

#3 2023-06-11 16:33:51

StephenRamos
Member
Registered: 2023-06-11
Posts: 9

Re: [SOLV] After upgrade to OpenSSL 3.1.1 WPA2 Enterprise Wifi Auth broken

seth wrote:

3.0.9 to 3.1.1?
This used to be an issue when changing to 3.x, but the 3.1 changelog doesn't yell further restrictions.

The MinProtocol value is formally "illegal", no idea whether it's silently accepted: https://man.archlinux.org/man/SSL_CONF_ … n_protocol
Did you restart wpa_supplicant/NM after the changes?

Yes the issue started yesterday with the upgrade from 3.0.9 to 3.1.1

[2023-06-11T11:08:32+0100] [ALPM] upgraded openssl (3.0.9-1 -> 3.1.1-1)

Yes, I'm restarting wpa_supplicant and NM, I've even restarted just in case a couple of times, no luck, the only thing that works is downgrading OpenSSL back to 3.0.9

What do you mean with:

The MinProtocol value is formally "illegal",

I can't find any reference anywhere that says it can't be used...

Offline

#4 2023-06-11 16:37:08

seth
Member
Registered: 2012-09-03
Posts: 59,718

Re: [SOLV] After upgrade to OpenSSL 3.1.1 WPA2 Enterprise Wifi Auth broken

The linked manpsage lists the proper values, you might also try "None"

Offline

#5 2023-06-11 18:24:07

loqs
Member
Registered: 2014-03-06
Posts: 18,123

Re: [SOLV] After upgrade to OpenSSL 3.1.1 WPA2 Enterprise Wifi Auth broken

https://github.com/openssl/openssl/blob … .1/NEWS.md

You might also try the following if setting a valid MinProtocol does not help

CipherString = DEFAULT:@SECLEVEL=0

Which should allow anything.

Offline

#6 2023-06-11 18:30:40

seth
Member
Registered: 2012-09-03
Posts: 59,718

Re: [SOLV] After upgrade to OpenSSL 3.1.1 WPA2 Enterprise Wifi Auth broken

Offline

#7 2023-06-11 18:35:59

StephenRamos
Member
Registered: 2023-06-11
Posts: 9

Re: [SOLV] After upgrade to OpenSSL 3.1.1 WPA2 Enterprise Wifi Auth broken

seth wrote:

The linked manpsage lists the proper values, you might also try "None"

I'm confused, excuse me if I'm being thick, but I thought that when you edit the /etc/ssl/openssl.cnf  file you need to use the settings in the section:

https://man.archlinux.org/man/SSL_CONF_ … E_COMMANDS

The section of the manpage you liked to is the command-line switches AFAIK.

Using "None" eliminates the "Fatal:Protocol Version" error, however it doesn't allow me to connect to the WAP2 Enterprise SSID, it still fails AUTH, also makes negotiating a regular WAP2 SSID take forever.

Offline

#8 2023-06-11 18:38:59

seth
Member
Registered: 2012-09-03
Posts: 59,718

Re: [SOLV] After upgrade to OpenSSL 3.1.1 WPA2 Enterprise Wifi Auth broken

seth's link wrote:

-min_protocol minprot, -max_protocol maxprot
Sets the minimum and maximum supported protocol. Currently supported protocol values are SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3 for TLS; DTLSv1, DTLSv1.2 for DTLS, and None for no limit. If either the lower or upper bound is not specified then only the other bound applies, if specified. If your application supports both TLS and DTLS you can specify any of these options twice, once with a bound for TLS and again with an appropriate bound for DTLS. To restrict the supported protocol versions use these commands rather than the deprecated alternative commands below.

Then see #5

Edit:

your link wrote:

MinProtocol
This sets the minimum supported SSL, TLS or DTLS version.
Currently supported protocol values are SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3, DTLSv1 and DTLSv1.2. The SSL and TLS bounds apply only to TLS-based contexts, while the DTLS bounds apply only to DTLS-based contexts. The command can be repeated with one instance setting a TLS bound, and the other setting a DTLS bound. The value None applies to both types of contexts and disables the limits.

Last edited by seth (2023-06-11 18:40:57)

Offline

#9 2023-06-11 18:44:37

StephenRamos
Member
Registered: 2023-06-11
Posts: 9

Re: [SOLV] After upgrade to OpenSSL 3.1.1 WPA2 Enterprise Wifi Auth broken

loqs wrote:

https://github.com/openssl/openssl/blob … .1/NEWS.md

You might also try the following if setting a valid MinProtocol does not help

CipherString = DEFAULT:@SECLEVEL=0

Which should allow anything.

Just tried that... still same results:

Jun 11 19:41:38 laptop.domain.org wpa_supplicant[11101]: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:protocol version
Jun 11 19:41:38 laptop.domain.org wpa_supplicant[11101]: OpenSSL: openssl_handshake - SSL_connect error:0A000102:SSL routines::unsupported protocol
Jun 11 19:41:38 laptop.domain.org wpa_supplicant[11101]: wlp3s0: CTRL-EVENT-EAP-FAILURE EAP authentication failed

Offline

#10 2023-06-11 18:46:33

seth
Member
Registered: 2012-09-03
Posts: 59,718

Re: [SOLV] After upgrade to OpenSSL 3.1.1 WPA2 Enterprise Wifi Auth broken

Using "None" eliminates the "Fatal:Protocol Version" error, however

Jun 11 19:41:38 laptop.domain.org wpa_supplicant[11101]: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:protocol version

You'll likely have to do both and I suspect that the "fatal protocol" error is openssl's way to tell you that "TLSv1.0" isn't a supported protocol…

Offline

#11 2023-06-11 18:49:51

StephenRamos
Member
Registered: 2023-06-11
Posts: 9

Re: [SOLV] After upgrade to OpenSSL 3.1.1 WPA2 Enterprise Wifi Auth broken

seth wrote:
seth's link wrote:

-min_protocol minprot, -max_protocol maxprot
Sets the minimum and maximum supported protocol. Currently supported protocol values are SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3 for TLS; DTLSv1, DTLSv1.2 for DTLS, and None for no limit. If either the lower or upper bound is not specified then only the other bound applies, if specified. If your application supports both TLS and DTLS you can specify any of these options twice, once with a bound for TLS and again with an appropriate bound for DTLS. To restrict the supported protocol versions use these commands rather than the deprecated alternative commands below.

Then see #5

Edit:

your link wrote:

MinProtocol
This sets the minimum supported SSL, TLS or DTLS version.
Currently supported protocol values are SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3, DTLSv1 and DTLSv1.2. The SSL and TLS bounds apply only to TLS-based contexts, while the DTLS bounds apply only to DTLS-based contexts. The command can be repeated with one instance setting a TLS bound, and the other setting a DTLS bound. The value None applies to both types of contexts and disables the limits.

Ah you meant that I used TLSv1.0 rather than TLSv1!, sorry, I knew I was being thick (and blind too)

Tried with TLSv1 too, no change it doesn't work. :-(

Only downgrading fixes the issue.

Could be some issue with wpa_supplicant, from what I could find online in the past wpa_supplicant required some patching after changes in openssl.

I guess this is a case of waiting to see if anybody else is affected.

I have no idea how to debug this.

Offline

#12 2023-06-11 18:57:05

seth
Member
Registered: 2012-09-03
Posts: 59,718

Re: [SOLV] After upgrade to OpenSSL 3.1.1 WPA2 Enterprise Wifi Auth broken

Does TLSv1 make the "Fatal:Protocol Version" error go away?
What's the log w/ that and "CipherString = DEFAULT:@SECLEVEL=0"?

Offline

#13 2023-06-11 18:58:19

StephenRamos
Member
Registered: 2023-06-11
Posts: 9

Re: [SOLV] After upgrade to OpenSSL 3.1.1 WPA2 Enterprise Wifi Auth broken

seth wrote:

Using "None" eliminates the "Fatal:Protocol Version" error, however

Jun 11 19:41:38 laptop.domain.org wpa_supplicant[11101]: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:protocol version

You'll likely have to do both and I suspect that the "fatal protocol" error is openssl's way to tell you that "TLSv1.0" isn't a supported protocol…

The fatal protocol version happens too if I use the default configuration, it disappears if I use "None" on the MinProtocol but wpa_supplicant still complains of not being able to authenticate and "fatal:protocol version" error returns if I use "MaxProtocol=None" along with "MinProtocol=None".

Nothing works other than downgrading to 3.0.9 :-/

Last edited by StephenRamos (2023-06-11 18:58:48)

Offline

#14 2023-06-11 19:00:14

loqs
Member
Registered: 2014-03-06
Posts: 18,123

Re: [SOLV] After upgrade to OpenSSL 3.1.1 WPA2 Enterprise Wifi Auth broken

Do you know what CipherSpec the connection uses?
What is the full contents of /etc/ssl/openssl.cnf as it is now?

Offline

#15 2023-06-11 19:02:41

seth
Member
Registered: 2012-09-03
Posts: 59,718

Re: [SOLV] After upgrade to OpenSSL 3.1.1 WPA2 Enterprise Wifi Auth broken

Please don't paraphrase, https://bbs.archlinux.org/viewtopic.php?id=57855

openssl_conf = old_support_conf

[old_support_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = None
CipherString = DEFAULT@SECLEVEL=0
Options = UnsafeLegacyServerConnect

Post the actual journal output produced w/ this config.

Offline

#16 2023-06-11 19:10:09

loqs
Member
Registered: 2014-03-06
Posts: 18,123

Re: [SOLV] After upgrade to OpenSSL 3.1.1 WPA2 Enterprise Wifi Auth broken

Could also try reverting https://github.com/openssl/openssl/comm … a7171e9820 or build with OPENSSL_TLS_SECURITY_LEVEL=0 https://github.com/openssl/openssl/issues/20837

Offline

#17 2023-06-11 19:23:30

StephenRamos
Member
Registered: 2023-06-11
Posts: 9

Re: [SOLV] After upgrade to OpenSSL 3.1.1 WPA2 Enterprise Wifi Auth broken

I have been told by other users using the same wifi station that while I'm doing tests their connection degrades...

I will try to have a look at the wifi controller to see what can I spot.

Do you know what CipherSpec the connection uses?

No idea, maybe I can find out in the logs of the wifi controller.

What is the full contents of /etc/ssl/openssl.cnf as it is now?

openssl_conf = old_support_conf

[old_support_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = None
CipherString = DEFAULT@SECLEVEL=0
Options = UnsafeLegacyServerConnect

Post the actual journal output produced w/ this config.

If i try exactly that configuration this is what I get in the journal:

Jun 11 20:03:19 laptop.domain.org wpa_supplicant[11732]: wlp3s0: CTRL-EVENT-DISCONNECTED bssid=a2:6c:ac:4e:13:aa reason=3 locally_generated=1
Jun 11 20:03:19 laptop.domain.org wpa_supplicant[11732]: wlp3s0: CTRL-EVENT-DSCP-POLICY clear_all
Jun 11 20:03:19 laptop.domain.org wpa_supplicant[11732]: wlp3s0: CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
Jun 11 20:03:21 laptop.domain.org wpa_supplicant[11732]: wlp3s0: SME: Trying to authenticate with 90:6c:ac:4e:13:aa (SSID='SAFEWIFI_LDN' freq=5500 MHz)
Jun 11 20:03:21 laptop.domain.org wpa_supplicant[11732]: wlp3s0: Trying to associate with 90:6c:ac:4e:13:aa (SSID='SAFEWIFI_LDN' freq=5500 MHz)
Jun 11 20:03:21 laptop.domain.org wpa_supplicant[11732]: BSSID 90:6c:ac:4e:13:aa ignore list count incremented to 2, ignoring for 10 seconds
Jun 11 20:03:21 laptop.domain.org wpa_supplicant[11732]: wlp3s0: SME: Trying to authenticate with 90:6c:ac:4e:13:a2 (SSID='SAFEWIFI_LDN' freq=2412 MHz)
Jun 11 20:03:21 laptop.domain.org wpa_supplicant[11732]: wlp3s0: Trying to associate with 90:6c:ac:4e:13:a2 (SSID='SAFEWIFI_LDN' freq=2412 MHz)
Jun 11 20:03:25 laptop.domain.org wpa_supplicant[11732]: wlp3s0: SME: Trying to authenticate with 90:6c:ac:4e:13:aa (SSID='SAFEWIFI_LDN' freq=5500 MHz)
Jun 11 20:03:25 laptop.domain.org wpa_supplicant[11732]: wlp3s0: Trying to associate with 90:6c:ac:4e:13:aa (SSID='SAFEWIFI_LDN' freq=5500 MHz)
Jun 11 20:03:26 laptop.domain.org wpa_supplicant[11732]: wlp3s0: Associated with 90:6c:ac:4e:13:aa
Jun 11 20:03:26 laptop.domain.org wpa_supplicant[11732]: wlp3s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
Jun 11 20:03:30 laptop.domain.org wpa_supplicant[11732]: wlp3s0: CTRL-EVENT-EAP-STARTED EAP authentication started
Jun 11 20:03:31 laptop.domain.org wpa_supplicant[11732]: wlp3s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21 -> NAK
Jun 11 20:03:31 laptop.domain.org wpa_supplicant[11732]: wlp3s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
Jun 11 20:03:31 laptop.domain.org wpa_supplicant[11732]: wlp3s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
Jun 11 20:03:43 laptop.domain.org wpa_supplicant[11732]: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:protocol version
Jun 11 20:03:43 laptop.domain.org wpa_supplicant[11732]: OpenSSL: openssl_handshake - SSL_connect error:0A000102:SSL routines::unsupported protocol
Jun 11 20:03:43 laptop.domain.org wpa_supplicant[11732]: wlp3s0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
Jun 11 20:03:43 laptop.domain.org wpa_supplicant[11732]: wlp3s0: CTRL-EVENT-DISCONNECTED bssid=90:6c:ac:4e:13:aa reason=23
Jun 11 20:03:43 laptop.domain.org wpa_supplicant[11732]: wlp3s0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="SAFEWIFI_LDN" auth_failures=1 duration=10 reason=AUTH_FAILED
Jun 11 20:03:43 laptop.domain.org wpa_supplicant[11732]: BSSID 90:6c:ac:4e:13:aa ignore list count incremented to 2, ignoring for 10 seconds
Jun 11 20:03:43 laptop.domain.org wpa_supplicant[11732]: wlp3s0: CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
Jun 11 20:03:46 laptop.domain.org wpa_supplicant[11732]: wlp3s0: SME: Trying to authenticate with 90:6c:ac:4e:13:aa (SSID='SAFEWIFI_LDN' freq=5500 MHz)
Jun 11 20:03:46 laptop.domain.org wpa_supplicant[11732]: wlp3s0: Trying to associate with 90:6c:ac:4e:13:aa (SSID='SAFEWIFI_LDN' freq=5500 MHz)
Jun 11 20:03:46 laptop.domain.org wpa_supplicant[11732]: wlp3s0: Associated with 90:6c:ac:4e:13:aa
Jun 11 20:03:46 laptop.domain.org wpa_supplicant[11732]: wlp3s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
Jun 11 20:03:48 laptop.domain.org wpa_supplicant[11732]: wlp3s0: CTRL-EVENT-DISCONNECTED bssid=90:6c:ac:4e:13:aa reason=6
Jun 11 20:03:48 laptop.domain.org wpa_supplicant[11732]: BSSID 90:6c:ac:4e:13:aa ignore list count incremented to 2, ignoring for 10 seconds

Offline

#18 2023-06-11 19:25:52

seth
Member
Registered: 2012-09-03
Posts: 59,718

Re: [SOLV] After upgrade to OpenSSL 3.1.1 WPA2 Enterprise Wifi Auth broken

And w/ "SSLv3" as MinProtocol?

Offline

#19 2023-06-11 19:40:03

loqs
Member
Registered: 2014-03-06
Posts: 18,123

Re: [SOLV] After upgrade to OpenSSL 3.1.1 WPA2 Enterprise Wifi Auth broken

What if you use

# Use this in order to automatically load providers.
openssl_conf = openssl_init

# Comment out the next line to ignore configuration errors
config_diagnostics = 1

# For FIPS
# Optionally include a file that is generated by the OpenSSL fipsinstall
# application. This file contains configuration data required by the OpenSSL
# fips provider. It contains a named section e.g. [fips_sect] which is
# referenced from the [provider_sect] below.
# Refer to the OpenSSL security policy for more information.
# .include fipsmodule.cnf

[openssl_init]
providers = provider_sect
ssl_conf = ssl_sect

# List of providers to load
[provider_sect]
default = default_sect
# The fips section name should match the section name inside the
# included fipsmodule.cnf.
# fips = fips_sect

# If no providers are activated explicitly, the default one is activated implicitly.
# See man 7 OSSL_PROVIDER-default for more details.
#
# If you add a section explicitly activating any other provider(s), you most
# probably need to explicitly activate the default provider, otherwise it
# becomes unavailable in openssl.  As a consequence applications depending on
# OpenSSL may not work correctly which could lead to significant system
# problems including inability to remotely access the system.
[default_sect]
# activate = 1

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = None
CipherString = DEFAULT:@SECLEVEL=0
Options = UnsafeLegacyServerConnect

Edit:
openssl 3.1.1 built with -DOPENSSL_TLS_SECURITY_LEVEL=0
https://drive.google.com/file/d/1GcvP6s … sp=sharing openssl-3.1.1-1.1-x86_64.pkg.tar.zst
Edit2:
openssl 3.1.1 built with  https://github.com/openssl/openssl/comm … 41db885e19 reverted
https://drive.google.com/file/d/1BdP3sm … sp=sharing openssl-3.1.1-1.2-x86_64.pkg.tar.zst

Please try these openssl packages with the default /etc/ssl/openssl.cnf

Last edited by loqs (2023-06-11 21:03:07)

Offline

#20 2023-06-11 21:20:40

StephenRamos
Member
Registered: 2023-06-11
Posts: 9

Re: [SOLV] After upgrade to OpenSSL 3.1.1 WPA2 Enterprise Wifi Auth broken

Ok, I've found how to fix it.

Turns out that wpa_supplicant doesn't process whatever is that you write on /etc/ssl/openssl.conf but requires its own configuration file.

So what I did was to create a new file in: /etc/wpa_supplicant/wpa_supplicant.conf containing:

openssl_ciphers=DEFAULT@SECLEVEL=0

Then edit the wpa_supplicant.service file via:

systemctl edit --full wpa_supplicant.service

And modifying the ExecStart line as follows:

ExecStart=/usr/bin/wpa_supplicant -u -s -O /run/wpa_supplicant -i wlp3s0 -c /etc/wpa_supplicant/wpa_supplicant.conf

After restarting wpa_supplicant again:

systemctl restart wpa_supplicant.service

Voilà it connects fine again:

Jun 11 22:08:58 laptop.domain.corg wpa_supplicant[1131]: wlp3s0: CTRL-EVENT-DISCONNECTED bssid=90:6c:ac:4e:13:aa reason=3 locally_generated=1
Jun 11 22:08:58 laptop.domain.corg wpa_supplicant[1131]: wlp3s0: CTRL-EVENT-DSCP-POLICY clear_all
Jun 11 22:08:58 laptop.domain.corg wpa_supplicant[1131]: wlp3s0: CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
Jun 11 22:08:58 laptop.domain.corg wpa_supplicant[1131]: wlp3s0: PMKSA-CACHE-REMOVED 90:6c:ac:4e:13:aa 0
Jun 11 22:09:00 laptop.domain.corg wpa_supplicant[1131]: wlp3s0: SME: Trying to authenticate with 90:6c:ac:4e:13:aa (SSID='SAFEWIFI_LDN' freq=5500 MHz)
Jun 11 22:09:00 laptop.domain.corg wpa_supplicant[1131]: wlp3s0: Trying to associate with 90:6c:ac:4e:13:aa (SSID='SAFEWIFI_LDN' freq=5500 MHz)
Jun 11 22:09:00 laptop.domain.corg wpa_supplicant[1131]: wlp3s0: Associated with 90:6c:ac:4e:13:aa
Jun 11 22:09:00 laptop.domain.corg wpa_supplicant[1131]: wlp3s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
Jun 11 22:09:03 laptop.domain.corg wpa_supplicant[1131]: wlp3s0: CTRL-EVENT-EAP-STARTED EAP authentication started
Jun 11 22:09:03 laptop.domain.corg wpa_supplicant[1131]: wlp3s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21 -> NAK
Jun 11 22:09:03 laptop.domain.corg wpa_supplicant[1131]: wlp3s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
Jun 11 22:09:03 laptop.domain.corg wpa_supplicant[1131]: wlp3s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
Jun 11 22:09:03 laptop.domain.corg wpa_supplicant[1131]: wlp3s0: CTRL-EVENT-EAP-PEER-CERT depth=2 subject='/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA' hash=4348a0e9444c78cb265e058d5e8944b4d84f9662bd26db257f8934a443c70161
Jun 11 22:09:03 laptop.domain.corg wpa_supplicant[1131]: wlp3s0: CTRL-EVENT-EAP-PEER-CERT depth=2 subject='/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA' hash=4348a0e9444c78cb265e058d5e8944b4d84f9662bd26db257f8934a443c70161
Jun 11 22:09:03 laptop.domain.corg wpa_supplicant[1131]: wlp3s0: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=US/O=DigiCert Inc/CN=DigiCert TLS RSA SHA256 2020 CA1' hash=25768713d3b459f9382d2a594f85f34709fd2a8930731542a4146ffb246bec69
Jun 11 22:09:03 laptop.domain.corg wpa_supplicant[1131]: wlp3s0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=US/ST=California/L=Sunnyvale/O=Fortinet, Inc./CN=auth-cert.fortinet.com' hash=560917f612813aa5ac7cfa2bd035a203cedf54160d518e03eee01d5ab885358b
Jun 11 22:09:03 laptop.domain.corg wpa_supplicant[1131]: wlp3s0: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:auth-cert.fortinet.com
Jun 11 22:09:03 laptop.domain.corg wpa_supplicant[1131]: EAP-MSCHAPV2: Authentication succeeded
Jun 11 22:09:03 laptop.domain.corg wpa_supplicant[1131]: EAP-TLV: TLV Result - Success - EAP-TLV/Phase2 Completed
Jun 11 22:09:03 laptop.domain.corg wpa_supplicant[1131]: wlp3s0: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
Jun 11 22:09:03 laptop.domain.corg wpa_supplicant[1131]: wlp3s0: PMKSA-CACHE-ADDED 90:6c:ac:4e:13:aa 0
Jun 11 22:09:03 laptop.domain.corg wpa_supplicant[1131]: wlp3s0: WPA: Key negotiation completed with 90:6c:ac:4e:13:aa [PTK=CCMP GTK=CCMP]
Jun 11 22:09:03 laptop.domain.corg wpa_supplicant[1131]: wlp3s0: CTRL-EVENT-CONNECTED - Connection to 90:6c:ac:4e:13:aa completed [id=0 id_str=]
Jun 11 22:09:03 laptop.domain.corg wpa_supplicant[1131]: wlp3s0: CTRL-EVENT-SIGNAL-CHANGE above=1 signal=-59 noise=9999 txrate=6500

Thanks to all for your help in making me understand the openssl options better and thanks for your patience.

It would be nice to understand what is exactly the problem though.

#Update:

When resuming wpa_supplicant is unable to reconnect to the WPA2-Enterprise wifi network and needs a restart, this can be done automatically using systemd by creating a new service that will restart wpa_supplicant after resume:

systemctl edit --full --force wpa_supplicant_r.service
[Unit]
Description=Restart wpa_supplicant after resume
After=suspend.target
     
[Service]
Type=simple
ExecStart=/usr/bin/systemctl --no-block restart wpa_supplicant.service
     
[Install]
WantedBy=suspend.target

Last edited by StephenRamos (2023-06-15 21:47:06)

Offline

#21 2023-06-11 21:35:58

loqs
Member
Registered: 2014-03-06
Posts: 18,123

Re: [SOLV] After upgrade to OpenSSL 3.1.1 WPA2 Enterprise Wifi Auth broken

Offline

#22 2023-06-12 06:30:20

Hacksign
Member
Registered: 2012-07-30
Posts: 133

Re: [SOLV] After upgrade to OpenSSL 3.1.1 WPA2 Enterprise Wifi Auth broken

So, my question is ..
Is this a pontential bug, I just need waiting update ?
Or I should modify openssl.cnf file by myself ?

Offline

#23 2023-06-12 06:32:31

seth
Member
Registered: 2012-09-03
Posts: 59,718

Re: [SOLV] After upgrade to OpenSSL 3.1.1 WPA2 Enterprise Wifi Auth broken

pacman -Qs wpa
pacman -Qikk wpa_supplicant

Offline

#24 2023-06-12 06:50:54

Hacksign
Member
Registered: 2012-07-30
Posts: 133

Re: [SOLV] After upgrade to OpenSSL 3.1.1 WPA2 Enterprise Wifi Auth broken

seth wrote:
pacman -Qs wpa
pacman -Qikk wpa_supplicant
>> pacman -Qs wpa
local/wpa_supplicant 2:2.10-8
    A utility providing key negotiation for WPA wireless networks

>> pacman -Qikk wpa_supplicant
名字           : wpa_supplicant
版本           : 2:2.10-8
描述           : A utility providing key negotiation for WPA wireless networks
架构           : x86_64
URL            : https://w1.fi/wpa_supplicant/
软件许可       : GPL
组             : 无
提供           : 无
依赖于         : openssl  libdbus  readline  libnl  pcsclite
可选依赖       : 无
依赖它         : networkmanager
被可选依赖     : 无
与它冲突       : 无
取代           : 无
安装后大小     : 6.33 MiB
打包者         : Jan Alexander Steffens (heftig) <heftig@archlinux.org>
编译日期       : 2022年12月17日 星期六 08时54分17秒
安装日期       : 2023年02月12日 星期日 07时29分24秒
安装原因       : 作为其他软件包的依赖关系安装
安装脚本       : 是
验证者         : 数字签名

Offline

#25 2023-06-12 07:00:49

seth
Member
Registered: 2012-09-03
Posts: 59,718

Re: [SOLV] After upgrade to OpenSSL 3.1.1 WPA2 Enterprise Wifi Auth broken

"LC_ALL=C", but you're not using some dated AUR version.
You could try to build wpa_supplicant and add the 2nd patch in #21 and see whether you still need to change the configuration.

Offline

Board footer

Powered by FluxBB