Bug#1011121: Info received (Bug#1011121: wpasupplicant linked with libssl3 can't connect to wifi (both MSCHAPv2 and WPA))
Hey there,

As an FYI, I started a discussion upstream to suggest lowering the security level to 0 for TLS <= 1.1. A patch has been proposed, which I have now uploaded to Ubuntu kinetic to get some more user testing on the solution:

http://lists.infradead.org/pipermail/hostap/2022-May/040571.html

I will keep the Debian bug updated once the package in Ubuntu has had some testing.
Bug#1011121: wpasupplicant linked with libssl3 can't connect to wifi (both MSCHAPv2 and WPA)
Hey,

On 17/05/2022 at 11:25, Andrej Shadura wrote:
> Interesting. I thought the patch from Ubuntu should have prevented this from happening. Sebastien, what do you think?

No, the patch which was included in -9 fixes the case where the error was

OpenSSL: openssl_handshake - SSL_connect error:...:SSL routines::unsafe legacy renegotiation disabled

Here it is

OpenSSL: openssl_handshake - SSL_connect error:0A0C0103:SSL routines::internal error

which seems similar to https://bugs.launchpad.net/ubuntu/+source/wpa/+bug/1958267 , relevant description:

'check whether your radius server possibly only supports TLS 1.1 or older. Those servers would default to rsa_pkcs1_md5_sha1 as TLS signature algorithm, which does not meet the 80 bits of security requirement of OpenSSL 3's default SECLEVEL of 1. Try setting SECLEVEL to 0 to see if that fixes the issue for you. Talk to your Radius server administrator to recommend they offer TLS 1.2 or higher.'

You can try to work around it by creating a /etc/wpa_supplicant/openssl.cnf config with DEFAULT@SECLEVEL=0, as described in the Launchpad report.

It was also discussed on https://bugzilla.redhat.com/show_bug.cgi?id=2069239 and Fedora fixed it with this openssl change: https://src.fedoraproject.org/rpms/openssl/c/efdb8c60

Cheers,
Sebastien Bacher
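A small triage helper for the two handshake errors distinguished in the message above, as an added example that is not part of the thread or of wpa_supplicant: it walks wpa_supplicant log lines and labels each failed EAP attempt with the explanation given in the thread. The function name, the cause labels and the second sample attempt are assumptions made for illustration.

```python
import re

# Error strings quoted in the thread, with the explanation given for each.
CAUSES = [
    ("unsafe legacy renegotiation disabled", "legacy-renegotiation",
     "case fixed by the patch included in 2:2.10-9"),
    ("error:0A0C0103:SSL routines::internal error", "tls-signature-seclevel",
     "RADIUS server may only offer TLS <= 1.1; ask for TLS 1.2 or higher"),
]
METHOD = re.compile(r"CTRL-EVENT-EAP-METHOD .*\((\w+)\) selected")
SERVER = re.compile(r"CTRL-EVENT-EAP-PEER-CERT depth=0 subject='([^']*)'")

def triage(lines):
    """Return one finding (dict) per failed EAP attempt in the given log lines."""
    findings, attempt = [], {}
    for line in lines:
        if "CTRL-EVENT-EAP-STARTED" in line:
            attempt = {}                       # a new authentication attempt begins
        elif m := METHOD.search(line):
            attempt["method"] = m.group(1)     # e.g. PEAP
        elif m := SERVER.search(line):
            attempt["server"] = m.group(1)     # leaf certificate subject
        elif "openssl_handshake - SSL_connect error" in line:
            for needle, cause, hint in CAUSES:
                if needle in line:
                    attempt.update(cause=cause, hint=hint)
        elif "CTRL-EVENT-EAP-FAILURE" in line:
            attempt.setdefault("cause", "unclassified")
            attempt.setdefault("hint", "no known signature seen before the failure")
            findings.append(attempt)
            attempt = {}
    return findings

# Sample input: the first attempt is abridged from the report in this thread; the
# second is constructed, reusing the error string as quoted (code elided) above.
P = "May 17 09:53:10 pozdl0510 wpa_supplicant[941]: "
SAMPLE = [
    P + "wlp0s20f3: CTRL-EVENT-EAP-STARTED EAP authentication started",
    P + "wlp0s20f3: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected",
    P + "wlp0s20f3: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/CN=EG-AD01.egnyte-it.com'",
    P + "OpenSSL: openssl_handshake - SSL_connect error:0A0C0103:SSL routines::internal error",
    P + "wlp0s20f3: CTRL-EVENT-EAP-FAILURE EAP authentication failed",
    P + "wlp0s20f3: CTRL-EVENT-EAP-STARTED EAP authentication started",
    P + "OpenSSL: openssl_handshake - SSL_connect error:...:SSL routines::unsafe legacy renegotiation disabled",
    P + "wlp0s20f3: CTRL-EVENT-EAP-FAILURE EAP authentication failed",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Feeding it the output of the system journal for the wpa_supplicant unit gives a quick split between clients hit by the renegotiation case and clients whose RADIUS server still needs a TLS upgrade.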
Bug#1011121: wpasupplicant linked with libssl3 can't connect to wifi (both MSCHAPv2 and WPA)
Hi,

On Tue, 17 May 2022, at 11:02, Krzysztof Krzyżaniak wrote:
> * What led up to the situation?
>
> Upgrade to 2:2.10-9+b1 which is linked to libssl3
>
> * What exactly did you do (or not do) that was effective (or ineffective)?
>
> Downgrading to 2:2.10-9 resolves problem.

Interesting. I thought the patch from Ubuntu should have prevented this from happening. Sebastien, what do you think?

> Session with 2:2.10-9+b1
>
> May 17 09:53:09 pozdl0510 wpa_supplicant[941]: wlp0s20f3: SME: Trying to authenticate with f0:3e:90:6f:54:dc (SSID='egn_secure' freq=5500 MHz)
> May 17 09:53:09 pozdl0510 wpa_supplicant[941]: wlp0s20f3: Trying to associate with f0:3e:90:6f:54:dc (SSID='egn_secure' freq=5500 MHz)
> May 17 09:53:09 pozdl0510 wpa_supplicant[941]: wlp0s20f3: Associated with f0:3e:90:6f:54:dc
> May 17 09:53:09 pozdl0510 wpa_supplicant[941]: wlp0s20f3: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
> May 17 09:53:09 pozdl0510 wpa_supplicant[941]: wlp0s20f3: CTRL-EVENT-EAP-STARTED EAP authentication started
> May 17 09:53:09 pozdl0510 wpa_supplicant[941]: wlp0s20f3: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
> May 17 09:53:09 pozdl0510 wpa_supplicant[941]: wlp0s20f3: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
> May 17 09:53:10 pozdl0510 wpa_supplicant[941]: wlp0s20f3: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/DC=com/DC=egnyte-it/CN=egnyte-it-AM2VS26-CA' hash=38d8e01ab059517cbca34030017a6e683618f0b38b85c9d7432bc9618c81e939
> May 17 09:53:10 pozdl0510 wpa_supplicant[941]: wlp0s20f3: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/CN=EG-AD01.egnyte-it.com' hash=c17a8bb4e155b57a710ff8a4970d0c29e0cce1501a843da21ee826b3f499812a
> May 17 09:53:10 pozdl0510 wpa_supplicant[941]: wlp0s20f3: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:EG-AD01.egnyte-it.com
> May 17 09:53:10 pozdl0510 wpa_supplicant[941]: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:internal error
> May 17 09:53:10 pozdl0510 wpa_supplicant[941]: OpenSSL: openssl_handshake - SSL_connect error:0A0C0103:SSL routines::internal error
> May 17 09:53:10 pozdl0510 wpa_supplicant[941]: wlp0s20f3: CTRL-EVENT-EAP-FAILURE EAP authentication failed
> May 17 09:53:10 pozdl0510 wpa_supplicant[941]: wlp0s20f3: CTRL-EVENT-DISCONNECTED bssid=f0:3e:90:6f:54:dc reason=23
> May 17 09:53:10 pozdl0510 wpa_supplicant[941]: wlp0s20f3: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="egn_secure" auth_failures=1 duration=10 reason=AUTH_FAILED

<…>

> Versions of packages wpasupplicant depends on:
> ii  adduser            3.121
> ii  libc6              2.33-7
> ii  libdbus-1-3        1.14.0-1
> ii  libnl-3-200        3.5.0-0.1
> ii  libnl-genl-3-200   3.5.0-0.1
> ii  libnl-route-3-200  3.5.0-0.1
> ii  libpcsclite1       1.9.7-1
> ii  libreadline8       8.1.2-1.2
> ii  libssl1.1          1.1.1o-1
> ii  lsb-base           11.1.0
>
> wpasupplicant recommends no packages.
>
> Versions of packages wpasupplicant suggests:
> pn  libengine-pkcs11-openssl
> pn  wpagui
>
> -- no debconf information

--
Cheers,
Andrej
Bug#1011121: wpasupplicant linked with libssl3 can't connect to wifi (both MSCHAPv2 and WPA)
Package: wpasupplicant
Version: 2:2.10-9+b1
Severity: important

Dear Maintainer,

* What led up to the situation?

Upgrade to 2:2.10-9+b1 which is linked to libssl3

* What exactly did you do (or not do) that was effective (or ineffective)?

Downgrading to 2:2.10-9 resolves problem.

Session with 2:2.10-9+b1

May 17 09:53:09 pozdl0510 wpa_supplicant[941]: wlp0s20f3: SME: Trying to authenticate with f0:3e:90:6f:54:dc (SSID='egn_secure' freq=5500 MHz)
May 17 09:53:09 pozdl0510 wpa_supplicant[941]: wlp0s20f3: Trying to associate with f0:3e:90:6f:54:dc (SSID='egn_secure' freq=5500 MHz)
May 17 09:53:09 pozdl0510 wpa_supplicant[941]: wlp0s20f3: Associated with f0:3e:90:6f:54:dc
May 17 09:53:09 pozdl0510 wpa_supplicant[941]: wlp0s20f3: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
May 17 09:53:09 pozdl0510 wpa_supplicant[941]: wlp0s20f3: CTRL-EVENT-EAP-STARTED EAP authentication started
May 17 09:53:09 pozdl0510 wpa_supplicant[941]: wlp0s20f3: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
May 17 09:53:09 pozdl0510 wpa_supplicant[941]: wlp0s20f3: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
May 17 09:53:10 pozdl0510 wpa_supplicant[941]: wlp0s20f3: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/DC=com/DC=egnyte-it/CN=egnyte-it-AM2VS26-CA' hash=38d8e01ab059517cbca34030017a6e683618f0b38b85c9d7432bc9618c81e939
May 17 09:53:10 pozdl0510 wpa_supplicant[941]: wlp0s20f3: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/CN=EG-AD01.egnyte-it.com' hash=c17a8bb4e155b57a710ff8a4970d0c29e0cce1501a843da21ee826b3f499812a
May 17 09:53:10 pozdl0510 wpa_supplicant[941]: wlp0s20f3: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:EG-AD01.egnyte-it.com
May 17 09:53:10 pozdl0510 wpa_supplicant[941]: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:internal error
May 17 09:53:10 pozdl0510 wpa_supplicant[941]: OpenSSL: openssl_handshake - SSL_connect error:0A0C0103:SSL routines::internal error
May 17 09:53:10 pozdl0510 wpa_supplicant[941]: wlp0s20f3: CTRL-EVENT-EAP-FAILURE EAP authentication failed
May 17 09:53:10 pozdl0510 wpa_supplicant[941]: wlp0s20f3: CTRL-EVENT-DISCONNECTED bssid=f0:3e:90:6f:54:dc reason=23
May 17 09:53:10 pozdl0510 wpa_supplicant[941]: wlp0s20f3: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="egn_secure" auth_failures=1 duration=10 reason=AUTH_FAILED
May 17 09:53:10 pozdl0510 wpa_supplicant[941]: BSSID f0:3e:90:6f:54:dc ignore list count incremented to 2, ignoring for 10 seconds
May 17 09:53:10 pozdl0510 wpa_supplicant[941]: wlp0s20f3: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="egn_secure" auth_failures=2 duration=25 reason=CONN_FAILED
May 17 09:53:34 pozdl0510 wpa_supplicant[941]: wlp0s20f3: SME: Trying to authenticate with f0:3e:90:6f:54:dc (SSID='egn_secure' freq=5500 MHz)
May 17 09:53:34 pozdl0510 wpa_supplicant[941]: wlp0s20f3: Trying to associate with f0:3e:90:6f:54:dc (SSID='egn_secure' freq=5500 MHz)
May 17 09:53:34 pozdl0510 wpa_supplicant[941]: wlp0s20f3: Associated with f0:3e:90:6f:54:dc
May 17 09:53:34 pozdl0510 wpa_supplicant[941]: wlp0s20f3: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
May 17 09:53:34 pozdl0510 wpa_supplicant[941]: wlp0s20f3: CTRL-EVENT-EAP-STARTED EAP authentication started
May 17 09:53:34 pozdl0510 wpa_supplicant[941]: wlp0s20f3: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
May 17 09:53:34 pozdl0510 wpa_supplicant[941]: wlp0s20f3: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
May 17 09:53:35 pozdl0510 wpa_supplicant[941]: wlp0s20f3: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/DC=com/DC=egnyte-it/CN=egnyte-it-AM2VS26-CA' hash=38d8e01ab059517cbca34030017a6e683618f0b38b85c9d7432bc9618c81e939
May 17 09:53:35 pozdl0510 wpa_supplicant[941]: wlp0s20f3: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/CN=EG-AD01.egnyte-it.com' hash=c17a8bb4e155b57a710ff8a4970d0c29e0cce1501a843da21ee826b3f499812a
May 17 09:53:35 pozdl0510 wpa_supplicant[941]: wlp0s20f3: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:EG-AD01.egnyte-it.com
May 17 09:53:35 pozdl0510 wpa_supplicant[941]: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:internal error
May 17 09:53:35 pozdl0510 wpa_supplicant[941]: OpenSSL: openssl_handshake - SSL_connect error:0A0C0103:SSL routines::internal error
May 17 09:53:35 pozdl0510 wpa_supplicant[941]: wlp0s20f3: CTRL-EVENT-EAP-FAILURE EAP authentication failed
May 17 09:53:35 pozdl0510 wpa_supplicant[941]: wlp0s20f3: CTRL-EVENT-DISCONNECTED bssid=f0:3e:90:6f:54:dc reason=23
May 17 09:53:35 pozdl0510 wpa_supplicant[941]: wlp0s20f3: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="egn_secure" auth_failures=1 duration=10 reason=AUTH_FAILED
May 17 09:53:35 pozdl0510 wpa_supplicant[941]: BSSID f0:3e:90:6f:54:dc ignore list count incremented to 2, ignoring for 10 seconds
May 17 09:53:35 pozdl0510 wpa_supplicant[941]: wlp0s20f3: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="egn_secure" auth_failures=2 duration=22 reason=CONN_FAILED

Session with 2:2.10-9

May 17 09:56:00 pozdl0510 wpa_supplicant[9921]: Successfully initialized