You are not logged in.

#26 2023-06-12 07:10:07

Hacksign
Member
Registered: 2012-07-30
Posts: 133

Re: [SOLV] After upgrade to OpenSSL 3.1.1 WPA2 Enterprise Wifi Auth broken

seth wrote:

"LC_ALL=C", but you're not using some dated AUR version.
You could try to build wpa_supplicant and add the 2nd patch in #21 and see whether you still need to change the configuration.

>> LC_ALL=C pacman -Qikk wpa_supplicant
Name            : wpa_supplicant
Version         : 2:2.10-8
Description     : A utility providing key negotiation for WPA wireless networks
Architecture    : x86_64
URL             : https://w1.fi/wpa_supplicant/
Licenses        : GPL
Groups          : None
Provides        : None
Depends On      : openssl  libdbus  readline  libnl  pcsclite
Optional Deps   : None
Required By     : networkmanager
Optional For    : None
Conflicts With  : None
Replaces        : None
Installed Size  : 6.33 MiB
Packager        : Jan Alexander Steffens (heftig) <heftig@archlinux.org>
Build Date      : Sat Dec 17 08:54:17 2022
Install Date    : Sun Feb 12 07:29:24 2023
Install Reason  : Installed as a dependency for another package
Install Script  : Yes
Validated By    : Signature

wpa_supplicant: 34 total files, 0 altered files

So, the answer of

Hacksign wrote:

Is this a pontential bug, I just need waiting update ?
Or I should modify openssl.cnf file by myself ?

Is, there will no fix, I need modify relevant files to fix low version problem. (?)

Offline

#27 2023-06-12 07:25:15

seth
Member
Registered: 2012-09-03
Posts: 59,216

Re: [SOLV] After upgrade to OpenSSL 3.1.1 WPA2 Enterprise Wifi Auth broken

Wait, are you the OP w/ a different account or do you encounter the exact same error?
For the latter you should first test whether the workaround in #20 works for you.
If so or if you're the OP, the next step would be to build wpa_supplicant w/ https://w1.fi/cgit/hostap/commit/?id=e9 … 9e0e15007e applied and see whether that allows you to remove the workaround in #20

Offline

#28 2023-06-12 07:47:43

Hacksign
Member
Registered: 2012-07-30
Posts: 133

Re: [SOLV] After upgrade to OpenSSL 3.1.1 WPA2 Enterprise Wifi Auth broken

seth wrote:

Wait, are you the OP w/ a different account or do you encounter the exact same error?
For the latter you should first test whether the workaround in #20 works for you.
If so or if you're the OP, the next step would be to build wpa_supplicant w/ https://w1.fi/cgit/hostap/commit/?id=e9 … 9e0e15007e applied and see whether that allows you to remove the workaround in #20

I'm not OP, I just got exact same error:

6月 12 09:33:56 XSignBlade wpa_supplicant[762]: enp101s0f3u1u4: CTRL-EVENT-EAP-STARTED EAP authentication started
6月 12 09:33:56 XSignBlade wpa_supplicant[762]: enp101s0f3u1u4: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
6月 12 09:33:56 XSignBlade wpa_supplicant[762]: enp101s0f3u1u4: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
6月 12 09:33:56 XSignBlade wpa_supplicant[762]: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:protocol version
6月 12 09:33:56 XSignBlade wpa_supplicant[762]: OpenSSL: openssl_handshake - SSL_connect error:0A000102:SSL routines::unsupported protocol
6月 12 09:33:56 XSignBlade wpa_supplicant[762]: enp101s0f3u1u4: CTRL-EVENT-EAP-FAILURE EAP authentication failed

Because I'm not OP, so I just asked at #22

Is this a pontential bug, I just need waiting update ?
Or I should modify openssl.cnf file by myself ?

Offline

#29 2023-06-12 09:57:51

loqs
Member
Registered: 2014-03-06
Posts: 18,094

Re: [SOLV] After upgrade to OpenSSL 3.1.1 WPA2 Enterprise Wifi Auth broken

wpa_supplicant with https://w1.fi/cgit/hostap/commit/?id=e9 … 9e0e15007e applied
https://drive.google.com/file/d/1-n44pp … sp=sharing wpa_supplicant-2:2.10-8.1-x86_64.pkg.tar.zst

Offline

#30 2023-06-12 10:50:07

Hacksign
Member
Registered: 2012-07-30
Posts: 133

Re: [SOLV] After upgrade to OpenSSL 3.1.1 WPA2 Enterprise Wifi Auth broken

loqs wrote:

wpa_supplicant with https://w1.fi/cgit/hostap/commit/?id=e9 … 9e0e15007e applied
https://drive.google.com/file/d/1-n44pp … sp=sharing wpa_supplicant-2:2.10-8.1-x86_64.pkg.tar.zst

I've manually compiled the package by deleting codes in https://w1.fi/cgit/hostap/commit/?id=e9 … 9e0e15007e, with configuration from LFS https://www.linuxfromscratch.org/blfs/v … icant.html
And I've tested your package wpa_supplicant-2:2.10-8.1-x86_64.pkg.tar.zst

Both can not work ;(

Downgrade openssl from 3.1.1 to 3.0.9 solved the problem, but it breaks many other things ....

Because this is a problem related to openssl, I dont think recompile wpa_supplicant can solved the problem (?)

Last edited by Hacksign (2023-06-12 10:54:56)

Offline

#31 2023-06-12 11:02:53

loqs
Member
Registered: 2014-03-06
Posts: 18,094

Re: [SOLV] After upgrade to OpenSSL 3.1.1 WPA2 Enterprise Wifi Auth broken

It is an intended change in OpenSSL 3.1 so not considered a bug in OpenSSL.  wpa_supplicant should be downgrading the OpenSSL security level as required.  I would suggest trying the latest commit from https://w1.fi/hostap.git if the issue is still present contact the hostap mailing list.

Offline

#32 2023-06-12 11:28:06

Hacksign
Member
Registered: 2012-07-30
Posts: 133

Re: [SOLV] After upgrade to OpenSSL 3.1.1 WPA2 Enterprise Wifi Auth broken

loqs wrote:

It is an intended change in OpenSSL 3.1 so not considered a bug in OpenSSL.  wpa_supplicant should be downgrading the OpenSSL security level as required.  I would suggest trying the latest commit from https://w1.fi/hostap.git if the issue is still present contact the hostap mailing list.

OK, thanks, I will try the mailing list ~

Offline

#33 2023-06-12 13:23:28

seth
Member
Registered: 2012-09-03
Posts: 59,216

Re: [SOLV] After upgrade to OpenSSL 3.1.1 WPA2 Enterprise Wifi Auth broken

In the meantime you could btw. also test the behavior w/ iwd instead of wpa_supplicant

Offline

#34 2023-06-13 04:18:33

loqs
Member
Registered: 2014-03-06
Posts: 18,094

Re: [SOLV] After upgrade to OpenSSL 3.1.1 WPA2 Enterprise Wifi Auth broken

I think it is possible using the existing code by adjusting the config based on https://w1.fi/cgit/hostap/commit/?id=58 … 360d4bb67f
TLS_CONN_ENABLE_TLSv1_0 is set when tls_disable_tlsv1_0=0 is set in the right place in the config similarly TLS_CONN_ENABLE_TLSv1_1 is set when tls_disable_tlsv1_1=0
Their use is covered in /usr/share/doc/wpa_supplicant/wpa_supplicant.conf but I am unclear where precisely they should go.

Offline

#35 2023-06-13 05:20:21

Hacksign
Member
Registered: 2012-07-30
Posts: 133

Re: [SOLV] After upgrade to OpenSSL 3.1.1 WPA2 Enterprise Wifi Auth broken

loqs wrote:

I think it is possible using the existing code by adjusting the config based on https://w1.fi/cgit/hostap/commit/?id=58 … 360d4bb67f
TLS_CONN_ENABLE_TLSv1_0 is set when tls_disable_tlsv1_0=0 is set in the right place in the config similarly TLS_CONN_ENABLE_TLSv1_1 is set when tls_disable_tlsv1_1=0
Their use is covered in /usr/share/doc/wpa_supplicant/wpa_supplicant.conf but I am unclear where precisely they should go.

tls_disable_tlsv1_0 as well as tls_disable_tlsv1_1 is parsed in src/eap_peer/eap_tls_common.c of wpa_supplicant:

        if (os_strstr(txt, "tls_disable_tlsv1_1=1"))
                params->flags |= TLS_CONN_DISABLE_TLSv1_1;
        if (os_strstr(txt, "tls_disable_tlsv1_1=0")) {
                params->flags &= ~TLS_CONN_DISABLE_TLSv1_1;
                params->flags |= TLS_CONN_ENABLE_TLSv1_1;
        }

The codes set parameter's flag with TLS_CONN_DISABLE_TLSv1_1, then this flag is checked in src/crypto/tls_openssl.c:

#ifdef SSL_OP_NO_TLSv1_1
        if (flags & TLS_CONN_DISABLE_TLSv1_1)
                SSL_set_options(ssl, SSL_OP_NO_TLSv1_1);
        else
                SSL_clear_options(ssl, SSL_OP_NO_TLSv1_1);
#endif /* SSL_OP_NO_TLSv1_1 */

According to OpenSSL API document https://www.openssl.org/docs/man3.1/man … tions.html, I'm not sure the set option takes real effect under openssl 3.1.1:

SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1, SSL_OP_NO_TLSv1_2, SSL_OP_NO_TLSv1_3, SSL_OP_NO_DTLSv1, SSL_OP_NO_DTLSv1_2

    These options turn off the SSLv3, TLSv1, TLSv1.1, TLSv1.2 or TLSv1.3 protocol versions with TLS or the DTLSv1, DTLSv1.2 versions with DTLS, respectively. As of OpenSSL 1.1.0, these options are deprecated, use SSL_CTX_set_min_proto_version(3) and SSL_CTX_set_max_proto_version(3) instead.

How ever this patch https://w1.fi/cgit/hostap/commit/?id=58 … 360d4bb67f, the should work, theoretically ...
I'll try this patch latter ...

Last edited by Hacksign (2023-06-13 05:51:22)

Offline

#36 2023-06-13 10:05:03

Hacksign
Member
Registered: 2012-07-30
Posts: 133

Re: [SOLV] After upgrade to OpenSSL 3.1.1 WPA2 Enterprise Wifi Auth broken

I'm sure I found a perfect solution based on current wpa_supplicant version.
Here is the prove.

With 2 difference configuration file:

[root@XSignBlade ~]# diff /etc/wpa_supplicant/wpa_supplicant.conf /etc/wpa_supplicant/wpa_supplicant-wired-enp101s0f3u1u4.conf 
10a11
>   phase1="tls_disable_tlsv1_0=0 tls_disable_tlsv1_1=0"

Try to auth with wpa_supplicant, one failed with unsupported protocol, one succeed:

[root@XSignBlade ~]# wpa_supplicant -Dwired -i enp101s0f3u1u4 -c /etc/wpa_supplicant/wpa_supplicant.conf 
Successfully initialized wpa_supplicant
enp101s0f3u1u4: Associated with 01:80:c2:00:00:03
enp101s0f3u1u4: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
enp101s0f3u1u4: CTRL-EVENT-EAP-STARTED EAP authentication started
enp101s0f3u1u4: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
enp101s0f3u1u4: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:protocol version
OpenSSL: openssl_handshake - SSL_connect error:0A000102:SSL routines::unsupported protocol
enp101s0f3u1u4: CTRL-EVENT-EAP-FAILURE EAP authentication failed
^Cenp101s0f3u1u4: CTRL-EVENT-DISCONNECTED bssid=01:80:c2:00:00:03 reason=3 locally_generated=1
enp101s0f3u1u4: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="" auth_failures=1 duration=10 reason=AUTH_FAILED
enp101s0f3u1u4: CTRL-EVENT-DSCP-POLICY clear_all
enp101s0f3u1u4: CTRL-EVENT-DSCP-POLICY clear_all
enp101s0f3u1u4: CTRL-EVENT-TERMINATING 
[root@XSignBlade ~]# wpa_supplicant -Dwired -i enp101s0f3u1u4 -c /etc/wpa_supplicant/wpa_supplicant-wired-enp101s0f3u1u4.conf 
Successfully initialized wpa_supplicant
enp101s0f3u1u4: Associated with 01:80:c2:00:00:03
enp101s0f3u1u4: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
enp101s0f3u1u4: CTRL-EVENT-EAP-STARTED EAP authentication started
enp101s0f3u1u4: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
enp101s0f3u1u4: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
enp101s0f3u1u4: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/CN=my.company.domain.com' hash=123123123123123123123123123123123213123123
enp101s0f3u1u4: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:my.company.domain.com
enp101s0f3u1u4: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/CN=my.company.domain.com' hash=123123123123123123123123123123123213123123
enp101s0f3u1u4: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:my.company.domain.com
enp101s0f3u1u4: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/CN=my.company.domain.com' hash=123123123123123123123123123123123213123123
enp101s0f3u1u4: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:my.company.domain.com
EAP-MSCHAPV2: Authentication succeeded
EAP-TLV: TLV Result - Success - EAP-TLV/Phase2 Completed
enp101s0f3u1u4: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
^Cenp101s0f3u1u4: CTRL-EVENT-DISCONNECTED bssid=01:80:c2:00:00:03 reason=3 locally_generated=1
enp101s0f3u1u4: CTRL-EVENT-DSCP-POLICY clear_all
enp101s0f3u1u4: CTRL-EVENT-DSCP-POLICY clear_all
enp101s0f3u1u4: CTRL-EVENT-TERMINATING

The succeed config file is:

[root@XSignBlade ~]# cat /etc/wpa_supplicant/wpa_supplicant-wired-enp101s0f3u1u4.conf 
ctrl_interface=/var/run/wpa_supplicant_new
network={
  key_mgmt=WPA-EAP
  
  # Credentials.
  # This example is only for password-based logins.
  identity="xxxxxxx"
  password="ooooooo"
  
  eap=PEAP
  phase1="tls_disable_tlsv1_0=0 tls_disable_tlsv1_1=0"
  phase2="auth=MSCHAPV2"
}

wpa_supplicant package information:

[root@XSignBlade ~]# md5sum /usr/bin/wpa_supplicant 
a3b9f6ae3192d5ee3a075efd4f305da1  /usr/bin/wpa_supplicant
[root@XSignBlade ~]# LC_ALL=C pacman -Qo /usr/bin/wpa_supplicant 
/usr/bin/wpa_supplicant is owned by wpa_supplicant 2:2.10-8

ONE MORE QUESTION:
I'm using NetworkManager to manage my network, networkmanager interactive with wpa_supplicant by DBUS message, my question is, how can I pass a configuration to wpa_supplicant with networkmanager ?

Offline

#37 2023-06-13 10:43:13

loqs
Member
Registered: 2014-03-06
Posts: 18,094

Re: [SOLV] After upgrade to OpenSSL 3.1.1 WPA2 Enterprise Wifi Auth broken

Looking at https://gitlab.freedesktop.org/NetworkM … tags#L1385 I think there should be a NetworkManager setting to configure tls_disable_tlsv1_0 and tls_disable_tlsv1_1.

Offline

#38 2023-06-13 11:26:05

Hacksign
Member
Registered: 2012-07-30
Posts: 133

Re: [SOLV] After upgrade to OpenSSL 3.1.1 WPA2 Enterprise Wifi Auth broken

loqs wrote:

Looking at https://gitlab.freedesktop.org/NetworkM … tags#L1385 I think there should be a NetworkManager setting to configure tls_disable_tlsv1_0 and tls_disable_tlsv1_1.

Found it, it can be set by configuration file, I dont find GUI method to set it.

In /etc/NetworkManager/system-connections/, which need root privilege to access, there are many configurations end with '.nmconnection'.

[root@XSignBlade hacksign]# whoami
root
[root@XSignBlade hacksign]# ls /etc/NetworkManager/system-connections/
'My Home Wireless AP Name.nmconnection'  'Some Other Network I ever connected.nmconnection'  WiredNetwork.nmconnection

Find the one which you want lower TLS security level (it's WiredNetwork.nmconnection, by my example), under 802-1x section add phase1-auth-flags configuration:

[root@XSignBlade]# cat /etc/NetworkManager/system-connections/WiredNetwork.nmconnection 
......

[802-1x]
......
phase1-auth-flags=32
......

......

I believe there will be more and more people will got this error with new version of OpenSSL, so is any body can add the solution to ArchWiki ?

The solution is #36 floor for wpa_supplicant and #38 for NetworkManager of this thread wink

Last edited by Hacksign (2023-06-13 11:36:01)

Offline

#39 2023-06-13 11:39:23

Hacksign
Member
Registered: 2012-07-30
Posts: 133

Re: [SOLV] After upgrade to OpenSSL 3.1.1 WPA2 Enterprise Wifi Auth broken

The wpa_supplicant must have this patch (https://w1.fi/cgit/hostap/commit/?id=58 … 360d4bb67f), which has already patched in ArchLinux repository:

NetworkManager's version must above 1.41.5-dev

Offline

#40 2023-06-13 13:58:17

nikofunk
Member
Registered: 2017-01-28
Posts: 8

Re: [SOLV] After upgrade to OpenSSL 3.1.1 WPA2 Enterprise Wifi Auth broken

Hacksign wrote:

The solution is #36 floor for wpa_supplicant and #38 for NetworkManager of this thread wink

I confirm this solution for NetworkManager. Thanks so much. However, IMHO this is clearly a bug that must be patched/automated for PEAP bindings.

Thanks all for the info.

Offline

#41 2023-06-13 22:03:13

loqs
Member
Registered: 2014-03-06
Posts: 18,094

Re: [SOLV] After upgrade to OpenSSL 3.1.1 WPA2 Enterprise Wifi Auth broken

nikofunk wrote:

However, IMHO this is clearly a bug that must be patched/automated for PEAP bindings.

https://bugs.archlinux.org/task/78770
I would suggest contacting upstream wpa_supplicant to see if automation is still possible with OpenSSL 3.1.

Last edited by loqs (2023-06-19 14:37:51)

Offline

#42 2023-06-19 08:47:58

kustodian
Member
Registered: 2020-06-26
Posts: 4

Re: [SOLV] After upgrade to OpenSSL 3.1.1 WPA2 Enterprise Wifi Auth broken

What is the proper workaround for this? For example is there a way to change some config? I downgraded the `openssl` package (and I'm ignoring it during upgrades), but many packages depend on it. For example, the latest `openssh` doesn't work without the latest `openssl`, so I had to downgrade SSH. Who knows what else will stop working... We need a long-term solution until wpa_suplicant is fixed upstream, because who knows when that will happen.

BTW, the bug on the Arch Linux side is https://bugs.archlinux.org/task/78770

Offline

#43 2023-06-19 11:50:26

seth
Member
Registered: 2012-09-03
Posts: 59,216

Re: [SOLV] After upgrade to OpenSSL 3.1.1 WPA2 Enterprise Wifi Auth broken

https://bbs.archlinux.org/viewtopic.php … 9#p2104709

The solution is #36 floor for wpa_supplicant and #38 for NetworkManager of this thread

Offline

#44 2023-06-19 11:57:32

kustodian
Member
Registered: 2020-06-26
Posts: 4

Re: [SOLV] After upgrade to OpenSSL 3.1.1 WPA2 Enterprise Wifi Auth broken

Thanks and sorry. I saw the wpa_suplicant workaround, but that wasn't useful to me, but I somehow missed the NetworkManager one. It's important to note that if you configure NetworkManager connections via some UI, if the UI doesn't support passing custom parameters, this workaround would get overwritten.

Offline

#45 2023-06-23 11:05:45

FlashNoob98
Member
Registered: 2022-05-20
Posts: 3

Re: [SOLV] After upgrade to OpenSSL 3.1.1 WPA2 Enterprise Wifi Auth broken

Hacksign wrote:
loqs wrote:

Looking at https://gitlab.freedesktop.org/NetworkM … tags#L1385 I think there should be a NetworkManager setting to configure tls_disable_tlsv1_0 and tls_disable_tlsv1_1.

Found it, it can be set by configuration file, I dont find GUI method to set it.

In /etc/NetworkManager/system-connections/, which need root privilege to access, there are many configurations end with '.nmconnection'.

[root@XSignBlade]# cat /etc/NetworkManager/system-connections/WiredNetwork.nmconnection 
......

[802-1x]
......
phase1-auth-flags=32
......

......

I had the same problem too, probably after the openssl update and this solved for me, thank you so much.
I would add the tag "eduroam" and "wifi unina" cause I got this problem on my university WLAN

Offline

#46 2023-06-27 16:32:20

rodaz143
Member
Registered: 2013-07-24
Posts: 95
Website

Re: [SOLV] After upgrade to OpenSSL 3.1.1 WPA2 Enterprise Wifi Auth broken

Adding the

phase1-auth-flags=32

line to my NetworkManager config file worked for me as well as a (hopefully temporary) workaround, though it seems to be a bit finicky, and doesn't actually work unless I run

nmcli connection up eduroam

from the command line. Trying to connect using the Xfce NetworkManager applet still fails.

Offline

#47 2023-10-18 21:40:21

knedlyk
Member
From: L'viv, Ukraine
Registered: 2009-04-14
Posts: 163
Website

Re: [SOLV] After upgrade to OpenSSL 3.1.1 WPA2 Enterprise Wifi Auth broken

Solution in the post #20 works well for me.

Last edited by knedlyk (2023-10-18 21:40:45)

Offline

#48 2024-03-19 20:13:48

kritonios
Member
Registered: 2024-03-19
Posts: 1

Re: [SOLV] After upgrade to OpenSSL 3.1.1 WPA2 Enterprise Wifi Auth broken

I was trying to connect to my university's wifi. So...

Based on #36 what worked for me is:

ctrl_interface=/var/run/wpa_supplicant_new
#ctrl_interface_group=wheel
network={
  ssid="eduroam"
  scan_ssid=1
  key_mgmt=WPA-EAP
  
  # Credentials.
  # This example is only for password-based logins.
  identity="..."
  password="..."

  
  eap=TTLS
  auth_alg=OPEN
  phase1="tls_disable_tlsv1_0=0 tls_disable_tlsv1_1=0"
  phase2="autheap=PAP"
}

and then for some reason everything in /etc/resolv.conf was deleted, so I had to write in that file:

nameserver 1.1.1.1

because without it the connection appeared as 'limited'

Offline

Board footer

Powered by FluxBB