You are not logged in.

#1 2015-06-18 15:12:16

martinc2
Member
Registered: 2011-09-23
Posts: 60

openssl 1.0.2.c: problem authenticating WPA2 Enterprise (eduroam) wifi

Hi,

I've never had any problems connecting to eduroam (via NetworkManager/KDE), but found I couldn't connect at my home institution this week (I was travelling earlier in the week and connected fine as a guest elsewhere).  Eventually I tracked it down to the following problem:

Jun 18 15:49:17 xxxxxx wpa_supplicant[---]: OpenSSL: openssl_handshake - SSL_connect error:14082174:SSL routines:ssl3_c
heck_cert_and_algorithm:dh key too small

some googling later, and I gather that this is likely to be a server-side issue (apparently small Diffie-Hellman keys really are bad, and openssl has started caring about it).  Downgrading to openssl-1.0.2.a gets me connected again.

So, my questions:

(1) is this really a server-side issue, or is there something weird with the/my configuration of openssl-1.0.2.c?
(2) given that there's not a chance of me persuading the server-side people to change anything, is there anything I can do, other than keep openssl pinned to version 1.0.2.a?

EDIT: It appears that this is a server-side issue, and that it will be resolved imminently at my institution.  I'm leaving this post here in case anyone else experiences connection problems over the next few days.

--martinc

Last edited by martinc2 (2015-06-18 16:10:58)

Offline

#2 2015-06-24 11:46:32

jspicoli
Member
Registered: 2008-06-19
Posts: 10

Re: openssl 1.0.2.c: problem authenticating WPA2 Enterprise (eduroam) wifi

I had the same problem - downgrading to openssl-1.0.2.a allows me to connect (wpa2 enterprise, PEAP, MSCHAPv2).

Based on some googling, could be related to this?  It appears others have reported issues with this change:

https://github.com/openssl/openssl/blob … le/CHANGES
...
Changes between 1.0.2a and 1.0.2b [11 Jun 2015]
...
    *) Reject DH handshakes with parameters shorter than 768 bits.
 
If I want to leverage wireless, unless there is a better workaround, I will need to stay downgraded for some time as the APs I connect to I do not think will be updated any time soon.

Last edited by jspicoli (2015-06-25 01:08:03)

Offline

#3 2015-07-15 09:41:36

deepsoul
Member
From: Earth
Registered: 2012-12-23
Posts: 67
Website

Re: openssl 1.0.2.c: problem authenticating WPA2 Enterprise (eduroam) wifi

As you say, this is really a server issue, or rather an issue of differing security standards between openssl 1.0.2.c and some servers.  I just want to add a few points to collect additional information I have found in one place:

  • This problem can occur with mutt (and presumably other mail clients) when trying to send mail via SMTP encrypted with TLS

  • My preferred workaround is to save libssl.so.1.0.0 from openssl-1.0.2.a to some place and run mutt with LD_PRELOAD=/path/to/libssl.so.1.0.0 .  This allows upgrading openssl normally and using the more secure newer version except where necessary.  (Retaining the old libcrypto.so does not seem to be necessary.)

  • This Stackoverflow post is relevant and contains links to more detailed information

  • As suggested there, the tool sslscan can be used to debug the issue.  If the section "Prefered Server Cipher(s)" in its output is empty, there is no cipher acceptable to both the server and your openssl library.


Officer, I had to drive home - I was way too drunk to teleport!

Offline

Board footer

Powered by FluxBB