#1 2016-04-20 11:56:50

nartes
Member
From: Minsk, Belarus
Registered: 2014-07-05
Posts: 62

[SOLVED] eduroam issue (wpa_supplicant rollback)

Hi!

I am trying to resolve the issue: http://lists.infradead.org/pipermail/ho … 35548.html.

Short description:
I do want to find a wpa_supplicant package version that works, because before Dec 2015 everything
was working fine. And I can't connect to the eduroam hotspot. And yeah, I already tried configuring
wpa_supplicant, and even ran all the commands through wpa_cli. Here is something else. At least my
eduroam hotspot is quite outstanding - it doesn't use certificate verification, just login and password.

Above I mentioned a thread on the hostap mailing list, but the discussion doesn't provide anything useful.
I checked the update log of wpa_supplicant and found the following thread:
http://lists.shmoo.com/pipermail/hostap … 32685.html. It was mentioned
in https://projects.archlinux.org/svntogit … e7791e18b5.
But nothing relevant seems to be there, except for advice to enable debug symbols in wpa_supplicant.
So here are my attempts at wpa_supplicant and openssl rollbacks.

wpa_supplicant 2.3-1 - failed:
PKGBUILD: https://gist.github.com/anonymous/2a691 … de1f15143c
wpa_supplicant log: https://gist.github.com/e447209b8f3862a … 6f6127125c

For some reason 2.3 says problems with SSL:

OpenSSL: TX ver=0x0 content_type=256                                                 
OpenSSL: Message - hexdump(len=5): [REMOVED]                                         
OpenSSL: TX ver=0x301 content_type=21                                                
OpenSSL: Message - hexdump(len=2): [REMOVED]                                         
SSL: (where=0x4008 ret=0x230)                                                        
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA               
EAP: Status notification: local TLS alert (param=unknown CA)                         
SSL: (where=0x1002 ret=0xffffffff)                                                   
SSL: SSL_connect:error in error                                                      
OpenSSL: openssl_handshake - SSL_connect error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
SSL: 7 bytes pending from ssl_out                                                    
SSL: Failed - tls_out available to report error                                      
SSL: 7 bytes left to be sent out (of total 7 bytes)                                  
EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL eapRespData=0xb43870

wpa_supplicant: 2.4-1 - failed
PKGBUILD: https://gist.github.com/486af1342984248 … 2db2e8d119
wpa_supplicant log: https://gist.github.com/e274a181883136a … a5102a8112

This wpa_supplicant version says the following near the FAILURE message:

wlp1s0b1: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
EAP: Status notification: accept proposed method (param=PEAP)
EAP: Initialize selected EAP method: vendor 0 method 25 (PEAP)
EAP-PEAP: Forced PEAP version 0
TLS: Phase2 EAP types - hexdump(len=8): 00 00 00 00 1a 00 00 00
TLS: using phase1 config options
TLS: Trusted root certificate(s) loaded
wlp1s0b1: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
EAP: EAP entering state METHOD
SSL: Received packet(len=6) - Flags 0x20
EAP-PEAP: Start (server ver=0, own ver=0)
EAP-PEAP: Using PEAP version 0
SSL: (where=0x10 ret=0x1)
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:before/connect initialization
OpenSSL: TX ver=0x303 content_type=256
OpenSSL: Message - hexdump(len=5): [REMOVED]
OpenSSL: TX ver=0x303 content_type=22
OpenSSL: Message - hexdump(len=298): [REMOVED]
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv2/v3 write client hello A
SSL: (where=0x1002 ret=0xffffffff)
SSL: SSL_connect:error in SSLv2/v3 read server hello A
SSL: SSL_connect - want more data
SSL: 303 bytes pending from ssl_out
SSL: 303 bytes left to be sent out (of total 303 bytes)
EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL eapRespData=0x1c8fcf0
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
TX EAPOL: dst=00:3a:99:04:bf:42
TX EAPOL - hexdump(len=317): 01 00 01 39 02 02 01 39 19 80 00 00 01 2f 16 03 01 01 2a 01 00 01 26 03 03 d8 e9 45 23 f4 63 d8 ab f0 6b 67 17 9a 9f e9 ff b9 ec 84 10 66 37 77 dd db ab db c5 3e 46 4c 4a 00 00 ac c0 30 c0 2c c0 28 c0 24 c0 14 c0 0a 00 a5 00 a3 00 a1 00 9f 00 6b 00 6a 00 69 00 68 00 39 00 38 00 37 00 36 00 88 00 87 00 86 00 85 c0 32 c0 2e c0 2a c0 26 c0 0f c0 05 00 9d 00 3d 00 35 00 84 c0 2f c0 2b c0 27 c0 23 c0 13 c0 09 00 a4 00 a2 00 a0 00 9e 00 67 00 40 00 3f 00 3e 00 33 00 32 00 31 00 30 00 9a 00 99 00 98 00 97 00 45 00 44 00 43 00 42 c0 31 c0 2d c0 29 c0 25 c0 0e c0 04 00 9c 00 3c 00 2f 00 96 00 41 00 07 c0 11 c0 07 c0 0c c0 02 00 05 00 04 c0 12 c0 08 00 16 00 13 00 10 00 0d c0 0d c0 03 00 0a 00 ff 01 00 00 51 00 0b 00 04 03 00 01 02 00 0a 00 1c 00 1a 00 17 00 19 00 1c 00 1b 00 18 00 1a 00 16 00 0e 00 0d 00 0b 00 0c 00 09 00 0a 00 0d 00 20 00 1e 06 01 06 02 06 03 05 01 05 02 05 03 04 01 04 02 04 03 03 01 03 02 03 03 02 01 02 02 02 03 00 0f 00 01 01
EAPOL: SUPP_BE entering state RECEIVE
l2_packet_receive: src=00:3a:99:04:bf:42 len=8
wlp1s0b1: RX EAPOL from 00:3a:99:04:bf:42
RX EAPOL - hexdump(len=8): 02 00 00 04 04 02 00 04
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Failure
EAP: Status notification: completion (param=failure)
EAP: EAP entering state FAILURE
wlp1s0b1: CTRL-EVENT-EAP-FAILURE EAP authentication failed

openssl 1.0.2.d with wpa_supplicant 2.4 - failed:
PKGBUILD: https://gist.github.com/2ec2d5eb7b9cceb … 5baa3e0460
wpa_supplicant log: https://gist.github.com/f396ae322d5a437 … 0d693246ad

openssl 1.0.2.d with wpa_supplicant 2.2 - failed:
wpa_supplicant PKGBUILD: https://gist.github.com/5f1c61c0ed1fe85 … d46f01dd4e
wpa_supplicant log: https://gist.github.com/9d415483a2a6f11 … 8c9c84bbcf

By the way, is it okay to import the key required for pgp verification in the openssl PKGBUILD?
gpg: key 0E604491: public key "Matt Caswell <matt@openssl.org>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1

Questions I have:
- why don't the reverts make it work again? how can I check that I definitely reverted the packages?
- are there any packages that are related to wpa-eap authentication? (e.g. openssl, what else?)
- how to download a particular version of a PKGBUILD? (silly question)
I tried it this way, but it gives me a tar with an earlier version compared
to the one I opened in the browser:
1) Open https://projects.archlinux.org/svntogit … supplicant
2) e.g. select upgpkg: wpa_supplicant 1:2.5-1
https://projects.archlinux.org/svntogit … 6304e383b4
3) download tar.gz archive
https://projects.archlinux.org/svntogit … 3b4.tar.gz
4) and wow, for some reason I got a PKGBUILD with 2.3 !!!!

Next steps:
- checkout Ubuntu LiveCD ISO on my laptop hardware
- checkout versions of packages, even kernel
- revert back to those particular versions on ArchLinux and checkout authentication

Last edited by nartes (2016-05-05 21:12:34)


#2 2016-04-20 12:38:42

R00KIE
Forum Fellow
From: Between a computer and a chair
Registered: 2008-09-14
Posts: 4,734

Re: [SOLVED] eduroam issue (wpa_supplicant rollback)

I'll save you the trouble and tell you the solution. You can use wpa_supplicant 2.5 and depending on the program you use to manage your connections you can either make it work right now or you have to complain and wait for someone to fix it.

If you connect manually or you use a connection manager that allows you to control all the options you pass to wpa_supplicant then to the phase1 configuration option add "tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1".

If you use networkmanager then complain here [1] and wait until someone adds the option to allow you to add more things to the phase1 option - but I would find a very comfortable chair to sit and wait. I have submitted the bug report almost a week ago and so far not so much as an "ok we'll take a look once we {have time,finish more pressing matters}".

There is also another alternative, you can complain to your school's IT department and tell them to stop using a broken authentication server, although I suspect you won't get very far on that front.

[1] https://bugzilla.gnome.org/show_bug.cgi?id=765059

Edit:
Someone on the mailing list you linked to is right on the money - broken authentication server. Do test if disabling tlsv1.1 and tlsv1.2 solves the problem and let people know on the mailing list.

Last edited by R00KIE (2016-04-20 12:46:14)


R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K
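
Added example (not part of either post, and not wpa_supplicant code): decoding the leading bytes of the "TX EAPOL" hexdump and the 8-byte "RX EAPOL" reply from the 2.4-1 log in post #1 shows the client offering TLS 1.2 in its ClientHello and the server answering with a bare EAP-Failure, the exchange that the phase1 workaround in post #2 is aimed at. The function name parse_eapol and its dictionary keys are assumptions made for this illustration.

```python
import struct

# Leading bytes of the "TX EAPOL - hexdump(len=317)" line in post #1 (cut off
# after the ClientHello version field) and the full 8-byte "RX EAPOL" reply.
TX_PREFIX = "01 00 01 39 02 02 01 39 19 80 00 00 01 2f 16 03 01 01 2a 01 00 01 26 03 03"
RX_FRAME = "02 00 00 04 04 02 00 04"

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TLS_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}


def parse_eapol(hexdump):
    """Decode EAPOL -> EAP -> EAP-PEAP -> TLS record -> ClientHello headers."""
    data = bytes.fromhex(hexdump)
    if len(data) < 8:
        raise ValueError("too short for EAPOL + EAP headers")
    _ver, pkt_type, _body_len = struct.unpack("!BBH", data[:4])
    if pkt_type != 0:
        raise ValueError("not an EAP-Packet frame")
    code, ident, eap_len = struct.unpack("!BBH", data[4:8])
    out = {"eap_code": EAP_CODES.get(code, code), "eap_id": ident, "eap_len": eap_len}
    if code not in (1, 2) or len(data) < 10:
        return out  # Success/Failure carry no method data
    out["eap_type"] = data[8]
    if data[8] != 25:  # 25 = PEAP, as in "method=25" in the log
        return out
    off = 10
    if data[9] & 0x80:  # L flag: a 4-byte TLS message length follows
        if len(data) < off + 4:
            return out
        out["tls_msg_len"] = struct.unpack("!I", data[off:off + 4])[0]
        off += 4
    if len(data) < off + 5:
        return out
    ctype, rec_ver, rec_len = struct.unpack("!BHH", data[off:off + 5])
    out["record_version"] = TLS_VERSIONS.get(rec_ver, hex(rec_ver))
    out["record_len"] = rec_len
    off += 5
    # Handshake type 1 = ClientHello; client_version follows its 3-byte length.
    if ctype == 22 and len(data) >= off + 6 and data[off] == 1:
        hello_ver = struct.unpack("!H", data[off + 4:off + 6])[0]
        out["client_hello_version"] = TLS_VERSIONS.get(hello_ver, hex(hello_ver))
    return out


if __name__ == "__main__":
    print(parse_eapol(TX_PREFIX))
    print(parse_eapol(RX_FRAME))
```

The decoded lengths (303-byte TLS message, 298-byte record) match the "303 bytes pending from ssl_out" and "hexdump(len=298)" lines in the same log.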


#3 2016-05-05 21:12:12

nartes
Member
From: Minsk, Belarus
Registered: 2014-07-05
Posts: 62

Re: [SOLVED] eduroam issue (wpa_supplicant rollback)

R00KIE, thanks for the reply.

P.S. Here is the issue on configuring netctl+wpa_supplicant with the solution
from R00KIE.
https://bbs.archlinux.org/viewtopic.php?id=211842.
