Public bug reported:

Ubuntu release: 26.04 LTS
Packages: network-manager, wpasupplicant (versions attached by apport)

Summary
-------
When an 802.1X (WPA-Enterprise) connection profile references a PEM file
containing multiple CA certificates via 802-1x.ca-cert, NetworkManager passes
the file content to wpa_supplicant over D-Bus as a blob. wpa_supplicant then
loads only the FIRST certificate of the blob into its OpenSSL trust store and
silently ignores the rest. Server certificate verification therefore fails
whenever the RADIUS server's chain is anchored in any certificate other than
the first one in the file.

This breaks the official eduroam CAT installers (cat.eduroam.org), which
deliberately ship a ca.pem containing several roots/intermediates to support
CA migrations. Real-world impact: TU Berlin switched its RADIUS server
certificate from a Telekom-issued to a HARICA-issued one on 2026-06-22. The
CAT ca.pem contains both chains (5 certificates; the old Telekom root happens
to be first), so all Ubuntu clients configured via CAT stopped connecting to
eduroam, and re-running the installer does not help. Other institutions
performing the same DFN-PKI -> HARICA/GEANT migration will be affected
identically.

Steps to reproduce
------------------
1. Create an 802.1X (PEAP/MSCHAPv2) Wi-Fi profile whose 802-1x.ca-cert points
   to a PEM file with multiple CA certificates, where the CA actually needed
   to verify the server is NOT the first certificate in the file
   (e.g. the ca.pem produced by the eduroam CAT installer for TU Berlin).
2. Attempt to connect.

Expected result
---------------
All certificates in the file are added to the trust store (as OpenSSL's
SSL_CTX_load_verify_locations would do for a path), and the connection
succeeds.

Actual result
-------------
Verification fails and NetworkManager repeatedly re-prompts for the password.
wpa_supplicant debug log shows:

  OpenSSL: tls_connection_ca_cert - added ca_cert_blob to certificate store
  TLS: Certificate verification failed, error 19 (self-signed certificate in
    certificate chain) depth 2 for '/C=GR/O=Hellenic Academic and Research
    Institutions CA/CN=HARICA TLS RSA Root CA 2021'
  wlp0s20f3: CTRL-EVENT-EAP-TLS-CERT-ERROR reason=1 depth=2 subject='...
    CN=HARICA TLS RSA Root CA 2021' err='self-signed certificate in
    certificate chain'
  SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA

The HARICA root named in the error IS present in the referenced ca.pem
(verified with `openssl storeutl`), and the RADIUS server sends a complete
chain. Only the first certificate of the file (T-TeleSec GlobalRoot Class 2)
is effectively trusted.

Workaround
----------
Point 802-1x.ca-cert at a file containing only the required root:
  nmcli connection modify eduroam 802-1x.ca-cert /path/to/harica-root-only.pem
After this the connection succeeds with full validation.

Notes
-----
The bug is in the interaction between NetworkManager's blob transfer and
wpa_supplicant's ca_cert_blob handling (single-certificate parse); it may
need fixing in either or both packages. Full wpa_supplicant debug log
available on request.

ProblemType: Bug
DistroRelease: Ubuntu 26.04
Package: network-manager 1.54.3-2ubuntu3
ProcVersionSignature: Ubuntu 7.0.0-22.22-generic 7.0.0
Uname: Linux 7.0.0-22-generic x86_64
ApportVersion: 2.34.0-0ubuntu2
Architecture: amd64
CasperMD5CheckResult: pass
CurrentDesktop: ubuntu:GNOME
Date: Thu Jul  2 18:00:44 2026
InstallationDate: Installed on 2025-07-08 (359 days ago)
InstallationMedia: Ubuntu 24.04.1 LTS "Noble Numbat" - Release amd64 
(20240827.1)
IpRoute:
 default via 141.23.192.1 dev wlp0s20f3 proto dhcp src 141.23.214.121 metric 
600 
 141.23.192.0/19 dev wlp0s20f3 proto kernel scope link src 141.23.214.121 
metric 600 
 172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
SourcePackage: network-manager
UpgradeStatus: Upgraded to resolute on 2026-06-11 (21 days ago)
nmcli-nm:
 RUNNING  VERSION  STATE      STARTUP  CONNECTIVITY  NETWORKING  WIFI-HW  WIFI  
   WWAN-HW  WWAN      METERED      
 running  1.54.3   connected  started  full          enabled     enabled  
enabled  missing  disabled  no (guessed)

** Affects: network-manager (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug resolute wayland-session

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2158990

Title:
  802.1X: only the first certificate of a multi-certificate ca-cert PEM
  file is loaded when NM passes it to wpa_supplicant as a blob — breaks
  eduroam CAT profiles

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/2158990/+subscriptions


-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to