
#1 2024-01-15 15:41:57

rochus
Member
Registered: 2007-02-14
Posts: 91

[SOLVED] iwd, eduroam, bad_certificate error

Hi all,

I updated my system today, and since then eduroam stopped working. I enabled TLS debugging for iwd, which shows me a bad_certificate error in journalctl. The description is "Peer certchain verification failed consistency check or against local CA certs: Linking certificate 1 / 4 failed, 1 / 4 matched a trusted certificate, root not verified.". I then manually checked the ca.pem that I obtained from the eduroam installer, but 'openssl verify -show_chain ca.pem' succeeds.

During the update, I saw that iwd was updated from 2.12-1 to 2.13-1, but downgrading this did not solve the issue. OpenSSL was not upgraded and was already at 3.2.0-1.

Any ideas where/how to dig further into this issue?

Cheers

Last edited by rochus (2024-04-05 13:38:40)


#2 2024-01-17 13:26:52

b10n
Member
Registered: 2024-01-17
Posts: 1

Re: [SOLVED] iwd, eduroam, bad_certificate error

Same problem here. Using kernel 6.6.12-1-lts it still works.


#3 2024-01-17 13:30:56

rimeno
Member
Registered: 2024-01-17
Posts: 14

Re: [SOLVED] iwd, eduroam, bad_certificate error

Hi,

Same problem here, but only with the latest kernel:
* iwd + eduroam (PEAP MSCHAPv2) + linux 6.7.0 → Failed
* iwd + eduroam (PEAP MSCHAPv2) + linux-lts 6.6.12 → Success

I also tried to downgrade iwd, but got the same errors, so for me the problem is in the kernel. @rochus, could you please test with an LTS kernel?

My logs for linux 6.7.0:

janv. 17 14:15:40 furman systemd[1]: Starting Wireless service...
janv. 17 14:15:40 furman iwd[8114]: Wireless daemon version 2.13
janv. 17 14:15:40 furman systemd[1]: Started Wireless service.
janv. 17 14:15:40 furman iwd[8114]: station: Network configuration is disabled.
janv. 17 14:15:40 furman iwd[8114]: Wiphy: 0, Name: phy0
janv. 17 14:15:40 furman iwd[8114]:         Permanent Address: 58:1c:f8:0d:fb:8d
janv. 17 14:15:40 furman iwd[8114]:         2.4GHz Band:
janv. 17 14:15:40 furman iwd[8114]:                 Bitrates (non-HT):
janv. 17 14:15:40 furman iwd[8114]:                          1.0 Mbps
janv. 17 14:15:40 furman iwd[8114]:                          2.0 Mbps
janv. 17 14:15:40 furman iwd[8114]:                          5.5 Mbps
janv. 17 14:15:40 furman iwd[8114]:                         11.0 Mbps
janv. 17 14:15:40 furman iwd[8114]:                          6.0 Mbps
janv. 17 14:15:40 furman iwd[8114]:                          9.0 Mbps
janv. 17 14:15:40 furman iwd[8114]:                         12.0 Mbps
janv. 17 14:15:40 furman iwd[8114]:                         18.0 Mbps
janv. 17 14:15:40 furman iwd[8114]:                         24.0 Mbps
janv. 17 14:15:40 furman iwd[8114]:                         36.0 Mbps
janv. 17 14:15:40 furman iwd[8114]:                         48.0 Mbps
janv. 17 14:15:40 furman iwd[8114]:                         54.0 Mbps
janv. 17 14:15:40 furman iwd[8114]:                 HT Capabilities:
janv. 17 14:15:40 furman iwd[8114]:                         HT40
janv. 17 14:15:40 furman iwd[8114]:                         Short GI for 20Mhz
janv. 17 14:15:40 furman iwd[8114]:                         Short GI for 40Mhz
janv. 17 14:15:40 furman iwd[8114]:                 HT RX MCS indexes:
janv. 17 14:15:40 furman iwd[8114]:                         0-15
janv. 17 14:15:40 furman iwd[8114]:                 HE Capabilities
janv. 17 14:15:40 furman iwd[8114]:                         Interface Types: ap
janv. 17 14:15:40 furman iwd[8114]:                         Max HE RX <= 80MHz MCS: 0-11 for NSS: 2
janv. 17 14:15:40 furman iwd[8114]:                         Max HE TX <= 80MHz MCS: 0-11 for NSS: 2
janv. 17 14:15:40 furman iwd[8114]:                         Interface Types: station
janv. 17 14:15:40 furman iwd[8114]:                         Max HE RX <= 80MHz MCS: 0-11 for NSS: 2
janv. 17 14:15:40 furman iwd[8114]:                         Max HE TX <= 80MHz MCS: 0-11 for NSS: 2
janv. 17 14:15:40 furman iwd[8114]:         5GHz Band:
janv. 17 14:15:40 furman iwd[8114]:                 Bitrates (non-HT):
janv. 17 14:15:40 furman iwd[8114]:                          6.0 Mbps
janv. 17 14:15:40 furman iwd[8114]:                          9.0 Mbps
janv. 17 14:15:40 furman iwd[8114]:                         12.0 Mbps
janv. 17 14:15:40 furman iwd[8114]:                         18.0 Mbps
janv. 17 14:15:40 furman iwd[8114]:                         24.0 Mbps
janv. 17 14:15:40 furman iwd[8114]:                         36.0 Mbps
janv. 17 14:15:40 furman iwd[8114]:                         48.0 Mbps
janv. 17 14:15:40 furman iwd[8114]:                         54.0 Mbps
janv. 17 14:15:40 furman iwd[8114]:                 HT Capabilities:
janv. 17 14:15:40 furman iwd[8114]:                         HT40
janv. 17 14:15:40 furman iwd[8114]:                         Short GI for 20Mhz
janv. 17 14:15:40 furman iwd[8114]:                         Short GI for 40Mhz
janv. 17 14:15:40 furman iwd[8114]:                 HT RX MCS indexes:
janv. 17 14:15:40 furman iwd[8114]:                         0-15
janv. 17 14:15:40 furman iwd[8114]:                 VHT Capabilities:
janv. 17 14:15:40 furman iwd[8114]:                         160 Mhz operation
janv. 17 14:15:40 furman iwd[8114]:                         Short GI for 80Mhz
janv. 17 14:15:40 furman iwd[8114]:                         Short GI for 160 and 80 + 80 Mhz
janv. 17 14:15:40 furman iwd[8114]:                         Max RX MCS: 0-9 for NSS: 2
janv. 17 14:15:40 furman iwd[8114]:                         Max TX MCS: 0-9 for NSS: 2
janv. 17 14:15:40 furman iwd[8114]:                 HE Capabilities
janv. 17 14:15:40 furman iwd[8114]:                         Interface Types: ap
janv. 17 14:15:40 furman iwd[8114]:                         Max HE RX <= 80MHz MCS: 0-11 for NSS: 2
janv. 17 14:15:40 furman iwd[8114]:                         Max HE TX <= 80MHz MCS: 0-11 for NSS: 2
janv. 17 14:15:40 furman iwd[8114]:                         Max HE RX <= 160MHz MCS: 0-11 for NSS: 2
janv. 17 14:15:40 furman iwd[8114]:                         Max HE TX <= 160MHz MCS: 0-11 for NSS: 2
janv. 17 14:15:40 furman iwd[8114]:                         Interface Types: station
janv. 17 14:15:40 furman iwd[8114]:                         Max HE RX <= 80MHz MCS: 0-11 for NSS: 2
janv. 17 14:15:40 furman iwd[8114]:                         Max HE TX <= 80MHz MCS: 0-11 for NSS: 2
janv. 17 14:15:40 furman iwd[8114]:                         Max HE RX <= 160MHz MCS: 0-11 for NSS: 2
janv. 17 14:15:40 furman iwd[8114]:                         Max HE TX <= 160MHz MCS: 0-11 for NSS: 2
janv. 17 14:15:40 furman iwd[8114]:         Ciphers: BIP-GMAC-256 BIP-GMAC-128 GCMP-256 GCMP-128
janv. 17 14:15:40 furman iwd[8114]:                  BIP-CMAC-128 CCMP-128 TKIP
janv. 17 14:15:40 furman iwd[8114]:         Supported iftypes: ad-hoc station ap p2p-client p2p-go p2p-device
janv. 17 14:15:42 furman iwd[8114]: PEAP: tls_tx_handshake:1244 Sending a TLS_CLIENT_HELLO of 140 bytes
janv. 17 14:15:42 furman iwd[8114]: PEAP: l_tls_start:3610 New state TLS_HANDSHAKE_WAIT_HELLO
janv. 17 14:15:42 furman iwd[8114]: PEAP: tls_handle_handshake:3074 Handling a TLS_SERVER_HELLO of 45 bytes
janv. 17 14:15:42 furman iwd[8114]: PEAP: tls_handle_server_hello:2419 Negotiated TLS 1.2
janv. 17 14:15:42 furman iwd[8114]: PEAP: tls_handle_server_hello:2455 Negotiated TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
janv. 17 14:15:42 furman iwd[8114]: PEAP: tls_handle_server_hello:2466 Negotiated CompressionMethod.null
janv. 17 14:15:42 furman iwd[8114]: PEAP: tls_handle_server_hello:2492 New state TLS_HANDSHAKE_WAIT_CERTIFICATE
janv. 17 14:15:42 furman iwd[8114]: PEAP: tls_handle_handshake:3074 Handling a TLS_CERTIFICATE of 2146 bytes
janv. 17 14:15:42 furman iwd[8114]: PEAP: tls_handle_certificate:2562 Peer certchain written to /tmp/iwd-tls-debug-server-cert.pem
janv. 17 14:15:42 furman iwd[8114]: PEAP: tls_handle_certificate:2673 Disconnect desc=internal_error local-desc=close_notify reason=Can't l_key_get_info for peer public key
janv. 17 14:15:42 furman iwd[8114]: PEAP: tls_send_alert:1175 Sending a Fatal Alert: internal_error
janv. 17 14:15:42 furman iwd[8114]: PEAP: tls_reset_handshake:195 New state TLS_HANDSHAKE_WAIT_START
janv. 17 14:15:42 furman iwd[8114]: PEAP: Tunnel has disconnected with alert: internal_error
janv. 17 14:15:43 furman iwd[8114]: EAP completed with eapFail
janv. 17 14:15:43 furman iwd[8114]: PEAP: tls_reset_handshake:195 New state TLS_HANDSHAKE_WAIT_START
janv. 17 14:15:43 furman iwd[8114]: PEAP: tls_reset_handshake:195 New state TLS_HANDSHAKE_WAIT_START
janv. 17 14:15:43 furman iwd[8114]: 4-Way handshake failed for ifindex: 5, reason: 23
janv. 17 14:15:47 furman iwd[8114]: PEAP: tls_tx_handshake:1244 Sending a TLS_CLIENT_HELLO of 140 bytes
janv. 17 14:15:47 furman iwd[8114]: PEAP: l_tls_start:3610 New state TLS_HANDSHAKE_WAIT_HELLO
janv. 17 14:15:47 furman iwd[8114]: PEAP: tls_handle_handshake:3074 Handling a TLS_SERVER_HELLO of 45 bytes
janv. 17 14:15:47 furman iwd[8114]: PEAP: tls_handle_server_hello:2419 Negotiated TLS 1.2
janv. 17 14:15:47 furman iwd[8114]: PEAP: tls_handle_server_hello:2455 Negotiated TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
janv. 17 14:15:47 furman iwd[8114]: PEAP: tls_handle_server_hello:2466 Negotiated CompressionMethod.null
janv. 17 14:15:47 furman iwd[8114]: PEAP: tls_handle_server_hello:2492 New state TLS_HANDSHAKE_WAIT_CERTIFICATE
janv. 17 14:15:47 furman iwd[8114]: PEAP: tls_handle_handshake:3074 Handling a TLS_CERTIFICATE of 2146 bytes
janv. 17 14:15:47 furman iwd[8114]: PEAP: tls_handle_certificate:2562 Peer certchain written to /tmp/iwd-tls-debug-server-cert.pem
janv. 17 14:15:47 furman iwd[8114]: PEAP: tls_handle_certificate:2673 Disconnect desc=internal_error local-desc=close_notify reason=Can't l_key_get_info for peer public key
janv. 17 14:15:47 furman iwd[8114]: PEAP: tls_send_alert:1175 Sending a Fatal Alert: internal_error
janv. 17 14:15:47 furman iwd[8114]: PEAP: tls_reset_handshake:195 New state TLS_HANDSHAKE_WAIT_START
janv. 17 14:15:47 furman iwd[8114]: PEAP: Tunnel has disconnected with alert: internal_error
janv. 17 14:15:48 furman iwd[8114]: EAP completed with eapFail
janv. 17 14:15:48 furman iwd[8114]: PEAP: tls_reset_handshake:195 New state TLS_HANDSHAKE_WAIT_START
janv. 17 14:15:48 furman iwd[8114]: PEAP: tls_reset_handshake:195 New state TLS_HANDSHAKE_WAIT_START
janv. 17 14:15:48 furman iwd[8114]: 4-Way handshake failed for ifindex: 5, reason: 23

Last edited by rimeno (2024-01-17 13:49:55)


#4 2024-01-17 13:37:16

rimeno
Member
Registered: 2024-01-17
Posts: 14

Re: [SOLVED] iwd, eduroam, bad_certificate error

PS: I don't see a "bad_certificate" error in my log, just

PEAP: tls_handle_certificate:2673 Disconnect desc=internal_error local-desc=close_notify reason=Can't l_key_get_info for peer public key


#5 2024-01-17 13:50:59

rimeno
Member
Registered: 2024-01-17
Posts: 14

Re: [SOLVED] iwd, eduroam, bad_certificate error

My logs for linux-lts 6.6.12:

janv. 17 14:44:26 furman systemd[1]: Starting Wireless service...
janv. 17 14:44:26 furman iwd[808]: Wireless daemon version 2.13
janv. 17 14:44:26 furman systemd[1]: Started Wireless service.
janv. 17 14:44:26 furman iwd[808]: station: Network configuration is disabled.
janv. 17 14:44:26 furman iwd[808]: Wiphy: 0, Name: phy0
janv. 17 14:44:26 furman iwd[808]:         Permanent Address: 58:1c:f8:0d:fb:8d
janv. 17 14:44:26 furman iwd[808]:         2.4GHz Band:
janv. 17 14:44:26 furman iwd[808]:                 Bitrates (non-HT):
janv. 17 14:44:26 furman iwd[808]:                          1.0 Mbps
janv. 17 14:44:26 furman iwd[808]:                          2.0 Mbps
janv. 17 14:44:26 furman iwd[808]:                          5.5 Mbps
janv. 17 14:44:26 furman iwd[808]:                         11.0 Mbps
janv. 17 14:44:26 furman iwd[808]:                          6.0 Mbps
janv. 17 14:44:26 furman iwd[808]:                          9.0 Mbps
janv. 17 14:44:26 furman iwd[808]:                         12.0 Mbps
janv. 17 14:44:26 furman iwd[808]:                         18.0 Mbps
janv. 17 14:44:26 furman iwd[808]:                         24.0 Mbps
janv. 17 14:44:26 furman iwd[808]:                         36.0 Mbps
janv. 17 14:44:26 furman iwd[808]:                         48.0 Mbps
janv. 17 14:44:26 furman iwd[808]:                         54.0 Mbps
janv. 17 14:44:26 furman iwd[808]:                 HT Capabilities:
janv. 17 14:44:26 furman iwd[808]:                         HT40
janv. 17 14:44:26 furman iwd[808]:                         Short GI for 20Mhz
janv. 17 14:44:26 furman iwd[808]:                         Short GI for 40Mhz
janv. 17 14:44:26 furman iwd[808]:                 HT RX MCS indexes:
janv. 17 14:44:26 furman iwd[808]:                         0-15
janv. 17 14:44:26 furman iwd[808]:                 HE Capabilities
janv. 17 14:44:26 furman iwd[808]:                         Interface Types: ap
janv. 17 14:44:26 furman iwd[808]:                         Max HE RX <= 80MHz MCS: 0-11 for NSS: 2
janv. 17 14:44:26 furman iwd[808]:                         Max HE TX <= 80MHz MCS: 0-11 for NSS: 2
janv. 17 14:44:26 furman iwd[808]:                         Interface Types: station
janv. 17 14:44:26 furman iwd[808]:                         Max HE RX <= 80MHz MCS: 0-11 for NSS: 2
janv. 17 14:44:26 furman iwd[808]:                         Max HE TX <= 80MHz MCS: 0-11 for NSS: 2
janv. 17 14:44:26 furman iwd[808]:         5GHz Band:
janv. 17 14:44:26 furman iwd[808]:                 Bitrates (non-HT):
janv. 17 14:44:26 furman iwd[808]:                          6.0 Mbps
janv. 17 14:44:26 furman iwd[808]:                          9.0 Mbps
janv. 17 14:44:26 furman iwd[808]:                         12.0 Mbps
janv. 17 14:44:26 furman iwd[808]:                         18.0 Mbps
janv. 17 14:44:26 furman iwd[808]:                         24.0 Mbps
janv. 17 14:44:26 furman iwd[808]:                         36.0 Mbps
janv. 17 14:44:26 furman iwd[808]:                         48.0 Mbps
janv. 17 14:44:26 furman iwd[808]:                         54.0 Mbps
janv. 17 14:44:26 furman iwd[808]:                 HT Capabilities:
janv. 17 14:44:26 furman iwd[808]:                         HT40
janv. 17 14:44:26 furman iwd[808]:                         Short GI for 20Mhz
janv. 17 14:44:26 furman iwd[808]:                         Short GI for 40Mhz
janv. 17 14:44:26 furman iwd[808]:                 HT RX MCS indexes:
janv. 17 14:44:26 furman iwd[808]:                         0-15
janv. 17 14:44:26 furman iwd[808]:                 VHT Capabilities:
janv. 17 14:44:26 furman iwd[808]:                         160 Mhz operation
janv. 17 14:44:26 furman iwd[808]:                         Short GI for 80Mhz
janv. 17 14:44:26 furman iwd[808]:                         Short GI for 160 and 80 + 80 Mhz
janv. 17 14:44:26 furman iwd[808]:                         Max RX MCS: 0-9 for NSS: 2
janv. 17 14:44:26 furman iwd[808]:                         Max TX MCS: 0-9 for NSS: 2
janv. 17 14:44:26 furman iwd[808]:                 HE Capabilities
janv. 17 14:44:26 furman iwd[808]:                         Interface Types: ap
janv. 17 14:44:26 furman iwd[808]:                         Max HE RX <= 80MHz MCS: 0-11 for NSS: 2
janv. 17 14:44:26 furman iwd[808]:                         Max HE TX <= 80MHz MCS: 0-11 for NSS: 2
janv. 17 14:44:26 furman iwd[808]:                         Max HE RX <= 160MHz MCS: 0-11 for NSS: 2
janv. 17 14:44:26 furman iwd[808]:                         Max HE TX <= 160MHz MCS: 0-11 for NSS: 2
janv. 17 14:44:26 furman iwd[808]:                         Interface Types: station
janv. 17 14:44:26 furman iwd[808]:                         Max HE RX <= 80MHz MCS: 0-11 for NSS: 2
janv. 17 14:44:26 furman iwd[808]:                         Max HE TX <= 80MHz MCS: 0-11 for NSS: 2
janv. 17 14:44:26 furman iwd[808]:                         Max HE RX <= 160MHz MCS: 0-11 for NSS: 2
janv. 17 14:44:26 furman iwd[808]:                         Max HE TX <= 160MHz MCS: 0-11 for NSS: 2
janv. 17 14:44:26 furman iwd[808]:         Ciphers: BIP-GMAC-256 BIP-GMAC-128 GCMP-256 GCMP-128
janv. 17 14:44:26 furman iwd[808]:                  BIP-CMAC-128 CCMP-128 TKIP
janv. 17 14:44:26 furman iwd[808]:         Supported iftypes: ad-hoc station ap p2p-client p2p-go p2p-device
janv. 17 14:44:28 furman iwd[808]: PEAP: tls_tx_handshake:1244 Sending a TLS_CLIENT_HELLO of 140 bytes
janv. 17 14:44:28 furman iwd[808]: PEAP: l_tls_start:3610 New state TLS_HANDSHAKE_WAIT_HELLO
janv. 17 14:44:28 furman iwd[808]: PEAP: tls_handle_handshake:3074 Handling a TLS_SERVER_HELLO of 45 bytes
janv. 17 14:44:28 furman iwd[808]: PEAP: tls_handle_server_hello:2419 Negotiated TLS 1.2
janv. 17 14:44:28 furman iwd[808]: PEAP: tls_handle_server_hello:2455 Negotiated TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
janv. 17 14:44:28 furman iwd[808]: PEAP: tls_handle_server_hello:2466 Negotiated CompressionMethod.null
janv. 17 14:44:28 furman iwd[808]: PEAP: tls_handle_server_hello:2492 New state TLS_HANDSHAKE_WAIT_CERTIFICATE
janv. 17 14:44:28 furman iwd[808]: PEAP: tls_handle_handshake:3074 Handling a TLS_CERTIFICATE of 2146 bytes
janv. 17 14:44:28 furman iwd[808]: PEAP: tls_handle_certificate:2562 Peer certchain written to /tmp/iwd-tls-debug-server-cert.pem
janv. 17 14:44:28 furman iwd[808]: PEAP: tls_handle_certificate:2666 New state TLS_HANDSHAKE_WAIT_KEY_EXCHANGE
janv. 17 14:44:28 furman iwd[808]: PEAP: tls_handle_handshake:3074 Handling a TLS_SERVER_KEY_EXCHANGE of 145 bytes
janv. 17 14:44:28 furman iwd[808]: PEAP: tls_handle_handshake:3172 New state TLS_HANDSHAKE_WAIT_HELLO_DONE
janv. 17 14:44:28 furman iwd[808]: PEAP: tls_handle_ecdhe_server_key_xchg:608 Negotiated secp256r1
janv. 17 14:44:28 furman iwd[808]: PEAP: tls_ecdsa_verify:316 Peer signature verified
janv. 17 14:44:28 furman iwd[808]: PEAP: tls_handle_ecdhe_server_key_xchg:662 New state TLS_HANDSHAKE_WAIT_HELLO_DONE
janv. 17 14:44:28 furman iwd[808]: PEAP: tls_handle_handshake:3074 Handling a TLS_SERVER_HELLO_DONE of 0 bytes
janv. 17 14:44:28 furman iwd[808]: PEAP: tls_tx_handshake:1244 Sending a TLS_CLIENT_KEY_EXCHANGE of 66 bytes
janv. 17 14:44:28 furman iwd[808]: PEAP: tls_tx_handshake:1244 Sending a TLS_FINISHED of 12 bytes
janv. 17 14:44:28 furman iwd[808]: PEAP: tls_handle_server_hello_done:2782 New state TLS_HANDSHAKE_WAIT_CHANGE_CIPHER_SPEC
janv. 17 14:44:28 furman iwd[808]: PEAP: tls_handle_message:3449 New state TLS_HANDSHAKE_WAIT_FINISHED
janv. 17 14:44:28 furman iwd[808]: PEAP: tls_handle_handshake:3074 Handling a TLS_FINISHED of 12 bytes
janv. 17 14:44:28 furman iwd[808]: PEAP: tls_reset_handshake:195 New state TLS_HANDSHAKE_WAIT_START
janv. 17 14:44:28 furman iwd[808]: PEAP: tls_finished:3047 New state TLS_HANDSHAKE_DONE
janv. 17 14:44:28 furman iwd[808]: EAP completed with eapSuccess
janv. 17 14:44:28 furman iwd[808]: PEAP: tls_reset_handshake:195 New state TLS_HANDSHAKE_WAIT_START


#6 2024-01-17 19:28:29

rochus
Member
Registered: 2007-02-14
Posts: 91

Re: [SOLVED] iwd, eduroam, bad_certificate error

Thanks for the updates. I'll test an LTS kernel as soon as possible. I traced the "Peer certchain verification failed" error message to extra/ell. ell's build date predates the 6.7 kernel. Does it need to be recompiled against the latest kernel?


#7 2024-01-17 20:51:44

rimeno
Member
Registered: 2024-01-17
Posts: 14

Re: [SOLVED] iwd, eduroam, bad_certificate error

Good point, my error "Can't l_key_get_info for peer public key" is coming from extra/ell too, in the file ell/tls.c.

I recompiled/installed ell as you suggested. I'll see tomorrow.


#8 2024-01-18 07:47:28

rimeno
Member
Registered: 2024-01-17
Posts: 14

Re: [SOLVED] iwd, eduroam, bad_certificate error

Recompiling ell doesn't help.


#9 2024-01-18 09:17:17

rochus
Member
Registered: 2007-02-14
Posts: 91

Re: [SOLVED] iwd, eduroam, bad_certificate error

Can confirm both: kernel 6.6.12-lts solves the issue, while recompiling ell against a 6.7 kernel does not.


#10 2024-01-18 09:26:46

rimeno
Member
Registered: 2024-01-17
Posts: 14

Re: [SOLVED] iwd, eduroam, bad_certificate error

So, where should we report this bug, on ell or the linux kernel?


#11 2024-01-18 21:54:39

rochus
Member
Registered: 2007-02-14
Posts: 91

Re: [SOLVED] iwd, eduroam, bad_certificate error

We haven't narrowed down where precisely the bug is coming from, so I'm not sure if reporting it upstream anywhere already helps. I'll try to find some time on the weekend to dig further into it, but cannot promise anything yet.


#12 2024-01-19 08:39:30

rimeno
Member
Registered: 2024-01-17
Posts: 14

Re: [SOLVED] iwd, eduroam, bad_certificate error

I was not thinking about reporting upstream, just on Arch, for the maintainers. I think they could help us investigate.

I tried a few hacks around ell/tls.c, but my C knowledge is really poor…


#13 2024-01-19 09:59:33

seth
Member
Registered: 2012-09-03
Posts: 51,679

Re: [SOLVED] iwd, eduroam, bad_certificate error

I'd first and foremost check if you all have the same kind of HW, to see whether this is a driver issue, since nothing changed about ell.

lspci -knn
lsusb


#14 2024-01-19 13:54:03

rimeno
Member
Registered: 2024-01-17
Posts: 14

Re: [SOLVED] iwd, eduroam, bad_certificate error


#15 2024-01-19 15:23:12

seth
Member
Registered: 2012-09-03
Posts: 51,679

Re: [SOLVED] iwd, eduroam, bad_certificate error

00:14.3 Network controller [0280]: Intel Corporation Wi-Fi 6 AX201 [8086:a0f0] (rev 20)
	Subsystem: Intel Corporation Wi-Fi 6 AX201 [8086:0074]
	Kernel driver in use: iwlwifi
	Kernel modules: iwlwifi

regular-ass wlan still works?


#16 2024-01-21 08:10:08

rimeno
Member
Registered: 2024-01-17
Posts: 14

Re: [SOLVED] iwd, eduroam, bad_certificate error

No problems with WPA2 Personal (WPA2-PSK), only with WPA2 Enterprise (PEAP+MSCHAPv2).


#17 2024-01-21 09:52:15

rochus
Member
Registered: 2007-02-14
Posts: 91

Re: [SOLVED] iwd, eduroam, bad_certificate error

lspci -knn: https://0x0.st/s/YTYGBs8_lz-bnLREAAIJ_A/H07_.txt
lsusb: https://0x0.st/s/YWTxILI6AtQCIRdm0ZUM6w/H079.txt

Same here regarding regular wifi with WPA2. So far I encountered the issue only when using eduroam (i.e. PEAP+MSCHAPV2). I don't have much time this weekend to dig any further, unfortunately.

Last edited by rochus (2024-01-21 09:52:39)


#18 2024-01-21 09:55:34

seth
Member
Registered: 2012-09-03
Posts: 51,679

Re: [SOLVED] iwd, eduroam, bad_certificate error

iwlwifi but different chip:

03:00.0 Network controller [0280]: Intel Corporation Wi-Fi 6 AX200 [8086:2723] (rev 1a)
	Subsystem: Intel Corporation Wi-Fi 6 AX200 [8086:0080]
	Kernel driver in use: iwlwifi
	Kernel modules: iwlwifi


#19 2024-01-21 10:09:21

rochus
Member
Registered: 2007-02-14
Posts: 91

Re: [SOLVED] iwd, eduroam, bad_certificate error

yup. I had a brief look into iwlwifi's commit history on Friday. There were a few changes to it between 6.6 and 6.7, but nothing that looks like an obvious smoking gun.


#20 2024-01-24 12:43:33

rimeno
Member
Registered: 2024-01-17
Posts: 14

Re: [SOLVED] iwd, eduroam, bad_certificate error

6.7.1 didn't resolve the problem.


#21 2024-01-24 14:18:39

V1del
Forum Moderator
Registered: 2012-10-16
Posts: 21,779

Re: [SOLVED] iwd, eduroam, bad_certificate error


#22 2024-01-25 08:47:37

rochus
Member
Registered: 2007-02-14
Posts: 91

Re: [SOLVED] iwd, eduroam, bad_certificate error

Excellent find, thanks! This looks like it could be the culprit. Specifically, the removal of SHA1 from the kernel leads to the rejection of one of the certificates in the certificate chain. I just evaluated this with the kernel that loqs provided in that thread.

Last edited by rochus (2024-01-25 09:17:30)

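
Finding which certificate in the chain actually carries a SHA-1 signature, as an added example that is not code from this thread, from iwd or from ell: a small Python script that walks the DER of every certificate in a PEM file, prints its signature algorithm, and also checks the RFC 5280 requirement that the inner (TBSCertificate.signature) and outer (signatureAlgorithm) AlgorithmIdentifiers match, which is the "consistency check" named in the error text of post #1. It assumes the dump path /tmp/iwd-tls-debug-server-cert.pem shown in the logs above and the ca.pem from the eduroam installer as its inputs; the make_sample_cert helper builds a constructed, unsigned certificate skeleton (empty names, validity and key) solely so the parser can be exercised offline, and is not a real certificate.

```python
"""Signature algorithm of every certificate in a PEM chain via a pure-Python DER walk (no OpenSSL)."""
import base64, re, sys

# AlgorithmIdentifier OIDs, RFC 3279 / RFC 4055 / RFC 5758.
SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption", "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption", "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption", "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption", "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_tlv(buf, pos):
    """Decode one DER tag and length at buf[pos]; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def der_children(buf, start, end):
    """(tag, value_start, value_end) of every element inside a SEQUENCE body."""
    out, pos = [], start
    while pos < end:
        tag, vstart, vend = der_tlv(buf, pos)
        out.append((tag, vstart, vend))
        pos = vend
    return out

def decode_oid(raw):
    """OID content octets to dotted form (X.690 8.19)."""
    arcs = [2, raw[0] - 80] if raw[0] >= 80 else [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def algorithm_oid(buf, start):
    """start points into AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters OPTIONAL }."""
    tag, oid_start, oid_end = der_tlv(buf, start)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(buf[oid_start:oid_end])

def signature_algorithms(der):
    """(inner, outer) signature OIDs of one DER Certificate; RFC 5280 4.1.1.2 requires them to match.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature, ... }"""
    _, cert_start, cert_end = der_tlv(der, 0)
    (_, tbs_start, tbs_end), (_, alg_start, _) = der_children(der, cert_start, cert_end)[:2]
    tbs = der_children(der, tbs_start, tbs_end)
    if tbs[0][0] == 0xA0:  # explicit [0] version present
        tbs = tbs[1:]
    return algorithm_oid(der, tbs[1][1]), algorithm_oid(der, alg_start)  # tbs[0] is serialNumber

def audit_chain(pem_text):
    """One dict per certificate in the PEM text, in file order."""
    report = []
    for i, b64 in enumerate(PEM_RE.findall(pem_text)):
        inner, outer = signature_algorithms(base64.b64decode("".join(b64.split())))
        name = SIG_OIDS.get(outer, outer)
        report.append({"index": i, "algorithm": name, "sha1": "sha1" in name.lower(),
                       "consistent": inner == outer})
    return report

# Constructed test input below: structurally valid, UNSIGNED, with empty names/validity/key.
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + content

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return bytes(out)

def make_sample_cert(sig_oid, tbs_sig_oid=None):
    """PEM of a fake certificate whose outer (and optionally different inner) algorithm is sig_oid."""
    alg = lambda oid: _der(0x30, _der(0x06, _encode_oid(oid)))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")  # [0] v3, serial 1
              + alg(tbs_sig_oid or sig_oid) + _der(0x30, b"") * 4)          # inner alg, 4 empty fields
    cert = _der(0x30, tbs + alg(sig_oid) + _der(0x03, b"\x00"))             # outer alg, empty BIT STRING
    return f"-----BEGIN CERTIFICATE-----\n{base64.b64encode(cert).decode()}\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    with open(sys.argv[1] if len(sys.argv) > 1 else "/tmp/iwd-tls-debug-server-cert.pem") as f:
        for r in audit_chain(f.read()):
            print(f"cert {r['index']}: {r['algorithm']} [{'SHA-1' if r['sha1'] else 'ok'}"
                  f"{'' if r['consistent'] else ', inner/outer algorithm mismatch'}]")
```

Run it on both files, since the root is usually in ca.pem rather than in what the server sends, and the "1 / 4 matched a trusted certificate" message in post #1 means the failing link can be at either end.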

#23 2024-02-27 09:20:14

GimliTheWise
Member
Registered: 2024-02-27
Posts: 1

Re: [SOLVED] iwd, eduroam, bad_certificate error

Did anyone find a way to solve this without changing / rollback of the kernel?


#24 2024-02-27 10:21:27

rochus
Member
Registered: 2007-02-14
Posts: 91

Re: [SOLVED] iwd, eduroam, bad_certificate error

You could use NetworkManager to configure your network connections. In contrast to iwd, it does not rely on the kernel's crypto stack and therefore is not affected by the kernel having SHA1 removed. Alternatively, you could try to approach the people who are responsible/manage your network and ask if they could renew the certificate chain but without any cert being signed using SHA1.


#25 2024-02-27 12:37:27

unbaked_woven
Member
Registered: 2024-02-27
Posts: 8

Re: [SOLVED] iwd, eduroam, bad_certificate error

Just to expand on that, you need to use NetworkManager together with wpa_supplicant because if you use it to manage iwd it will still use the kernel crypto.

I'm experiencing this very issue on Fedora 39 Silverblue, and I've been in touch with the iwd developers on the mailing list. They told me to report it upstream to the distribution maintainers, which I have done. My knowledge of certificates and crypto in general is very limited, but from what I've seen none of the certificates that my university eduroam uses are signed with SHA-1. It makes me wonder whether the update broke more than just SHA-1.

