#1 2017-05-31 09:02:05

vastrox
Member
Registered: 2017-05-31
Posts: 1

wpa_supplicant incompatible with openssl 1.1.0.f-1

After upgrading to the newest openssl package, wpa_supplicant is no longer capable of 802.1x TLS authentication.
Downgrading OpenSSL to version 1.1.0.e-1 fixed the problem.
It looks like wpa_supplicant can't pass the private key passphrase to openssl anymore. Maybe the syntax changed?

wpa_supplicant[1419]: enp0s25: CTRL-EVENT-EAP-STARTED EAP authentication started
enp0s25: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=4 -> NAK
enp0s25: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
Enter PEM pass phrase:
OpenSSL: tls_read_pkcs12 - Failed to use PKCS#12 file error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
OpenSSL: pending error: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error
OpenSSL: tls_connection_private_key - Failed to load private key error:00000000:lib(0):func(0):reason(0)
TLS: Failed to load private key '/certs/private-key.pem'
TLS: Failed to set TLS connection parameters

As you can see, OpenSSL asks for the PEM pass phrase although wpa_supplicant provided this already.
This doesn't happen in the previous OpenSSL version.

Wanted to ask if anybody else experienced this behaviour before I report this as a bug.

#2 2017-05-31 10:19:50

R00KIE
Forum Fellow
From: Between a computer and a chair
Registered: 2008-09-14
Posts: 4,734

Re: wpa_supplicant incompatible with openssl 1.1.0.f-1

I've noticed maybe a similar problem when trying to connect to an eduroam network. I've asked in hostap's mailing list and it turns out that for me the case where it works (with openssl 1.0) TLS is not even used, while with openssl 1.1 it is being (or trying to be) used and it falls flat on its face. I've asked last week and that is as far as I got replies, no one else has chimed in since then.

I've tried modifying the pkgbuild so that wpa_supplicant and friends link against openssl 1.0 but somewhere along the way it fails, however it does work with a git version (more recent). I haven't spent much time yet trying to fix/workaround this but it's most probably worth submitting a bug in our bug tracker so that wpa_supplicant is linked against openssl 1.0 until more people complain upstream and things are fixed.


R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K

#3 2017-05-31 17:24:04

wlet
Member
Registered: 2017-05-31
Posts: 1

Re: wpa_supplicant incompatible with openssl 1.1.0.f-1

vastrox wrote:

Wanted to ask if anybody else experienced this behaviour before I report this as a bug.

I started experiencing this as well, please report. Thanks!

#4 2017-05-31 17:34:05

Scimmia
Fellow
Registered: 2012-09-01
Posts: 11,553

Re: wpa_supplicant incompatible with openssl 1.1.0.f-1

It was reported yesterday: https://bugs.archlinux.org/task/54233

You could go upstream, though

Last edited by Scimmia (2017-05-31 17:34:58)

#5 2017-05-31 18:38:18

R00KIE
Forum Fellow
From: Between a computer and a chair
Registered: 2008-09-14
Posts: 4,734

Re: wpa_supplicant incompatible with openssl 1.1.0.f-1

For me openssl 1.1 breaks EAP-PEAP; the following patch does make wpa_supplicant link against openssl-1.0 but I will not have the chance to confirm it works until next Friday. From my previous tests it should work but I can't be sure until I actually test it.

--- a/PKGBUILD	2017-05-31 19:33:12.272463216 +0100
+++ b/PKGBUILD	2017-05-31 19:32:59.888988536 +0100
@@ -4,12 +4,12 @@
 
 pkgname=wpa_supplicant
 pkgver=2.6
-pkgrel=5
+pkgrel=6
 epoch=1
 pkgdesc="A utility providing key negotiation for WPA wireless networks"
 url="http://hostap.epitest.fi/wpa_supplicant"
 arch=('i686' 'x86_64')
-depends=('openssl' 'libdbus' 'readline' 'libnl')
+depends=('openssl-1.0' 'libdbus' 'readline' 'libnl')
 optdepends=('wpa_supplicant_gui: wpa_gui program')
 license=('GPL')
 install=wpa_supplicant.install
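
Review bot: the depends= change from 'openssl' to 'openssl-1.0' has no comment saying why the package is pinned to the legacy branch or when the pin can be dropped. A one-line comment above depends= pointing at https://bugs.archlinux.org/task/54233 would mark this as a temporary workaround to revert once wpa_supplicant works against OpenSSL 1.1, so the package does not stay on the old library by accident.
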
@@ -30,6 +30,9 @@
 
   # The Makefile does not pick up our CPPFLAGS
   export CFLAGS="$CPPFLAGS $CFLAGS"
+  export CFLAGS="$CFLAGS -I/usr/include/openssl-1.0"
+  export LIBS="-L/usr/lib/openssl-1.0"
+  export LIBS_p="-L/usr/lib/openssl-1.0"
   make LIBDIR=/usr/lib BINDIR=/usr/bin
   make LIBDIR=/usr/lib BINDIR=/usr/bin eapol_test
 }
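
Review bot: the two added LIBS lines assign the variable outright (export LIBS="-L/usr/lib/openssl-1.0"), unlike the CFLAGS line just above them, which appends to the existing value, so anything already set in LIBS or LIBS_p is discarded. Suggest export LIBS="$LIBS -L/usr/lib/openssl-1.0" and the same for LIBS_p, and fold the new -I flag into the existing CFLAGS export instead of exporting the variable twice. Since the post says the result is untested, a check after make that the built wpa_supplicant binary resolves libssl and libcrypto from /usr/lib/openssl-1.0 (for example with ldd) would confirm that the added search paths actually take effect.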

R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K
