[Bug 532810] New: knm4 fails to connect to wpa eap if the supplied certificates are not trusted (self-signed)

http://bugzilla.novell.com/show_bug.cgi?id=532810

Summary: knm4 fails to connect to wpa eap if the supplied certificates are not trusted (self-signed)
Classification: openSUSE
Product: openSUSE 11.2
Version: Factory
Platform: Other
OS/Version: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: KDE4 Applications
AssignedTo: kde-maintainers@suse.de
ReportedBy: sven.burmeister@gmx.net
QAContact: qa@suse.de
Found By: ---

Created an attachment (id=314246)
--> (http://bugzilla.novell.com/attachment.cgi?id=314246)
certificate chain

User-Agent: Mozilla/5.0 (X11; U; Linux i686; de; rv:1.9.1.2) Gecko/20090730 SUSE/3.5.2-2.4 Firefox/3.5.2

If one uses a certificate chain, such as the one attached, knm4 fails to connect. The wpa_supplicant log shows:

Trying to associate with 00:23:eb:0c:26:b0 (SSID='eduroam' freq=2412 MHz)
Association request to the driver failed
CTRL-EVENT-DISCONNECTED - Disconnect event - remove keys
CTRL-EVENT-DISCONNECTED - Disconnect event - remove keys
Associated with 00:23:eb:0c:26:b0
CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected
TLS: Certificate verification failed, error 19 (self signed certificate in certificate chain) depth 3 for '/C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2'
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
OpenSSL: tls_connection_handshake - SSL_connect error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
CTRL-EVENT-EAP-FAILURE EAP authentication failed

If one installs the Deutsche Telekom certificate into /etc/ssl/certs, it works.

Expected behaviour: if the user supplies a certificate chain, trust it.

If this is not a knm4 but a NetworkManager or openssl/wpa_supplicant issue, please re-assign.

Reproducible: Always

--
Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
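The wpa_supplicant log quoted in the report is the kind of output a support or SOC engineer has to triage quickly. The following is an added example, not code from the bug report, NetworkManager or wpa_supplicant: it parses the log lines above (copied verbatim into SAMPLE_LOG) and classifies the outcome. The function names, the report dictionary layout and the three result labels are this example's own choices; the meaning of OpenSSL verify error 19 and of the fatal "unknown CA" alert is taken from the log itself.

```python
import re

# wpa_supplicant output as quoted in the bug report above.
SAMPLE_LOG = """\
Trying to associate with 00:23:eb:0c:26:b0 (SSID='eduroam' freq=2412 MHz)
Association request to the driver failed
CTRL-EVENT-DISCONNECTED - Disconnect event - remove keys
CTRL-EVENT-DISCONNECTED - Disconnect event - remove keys
Associated with 00:23:eb:0c:26:b0
CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected
TLS: Certificate verification failed, error 19 (self signed certificate in certificate chain) depth 3 for '/C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2'
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
OpenSSL: tls_connection_handshake - SSL_connect error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
CTRL-EVENT-EAP-FAILURE EAP authentication failed
"""

# One pattern per line type of interest; every other line is ignored.
EAP_METHOD = re.compile(
    r"CTRL-EVENT-EAP-METHOD EAP vendor (\d+) method (\d+) \((\w+)\) selected")
VERIFY_FAIL = re.compile(
    r"TLS: Certificate verification failed, error (\d+) \((.+?)\) depth (\d+) for '(.+)'")
TLS_ALERT = re.compile(r"SSL: SSL3 alert: write .*:fatal:(.+)$")


def parse_wpa_log(text):
    """Reduce a wpa_supplicant log to the facts needed for triage."""
    report = {
        "eap_method": None,       # e.g. "TTLS"
        "verify_failures": [],    # one entry per failed X.509 verification
        "tls_alerts": [],         # fatal alert descriptions sent by the client
        "eap_failed": False,
    }
    for line in text.splitlines():
        m = EAP_METHOD.search(line)
        if m:
            report["eap_method"] = m.group(3)
            continue
        m = VERIFY_FAIL.search(line)
        if m:
            report["verify_failures"].append({
                "error": int(m.group(1)),   # OpenSSL X509_V_ERR_* number
                "reason": m.group(2),
                "depth": int(m.group(3)),   # 0 = server cert, higher = toward the root
                "subject": m.group(4),
            })
            continue
        m = TLS_ALERT.search(line)
        if m:
            report["tls_alerts"].append(m.group(1).strip())
            continue
        if "CTRL-EVENT-EAP-FAILURE" in line:
            report["eap_failed"] = True
    return report


def diagnose(report):
    """Classify the failure.

    Verify error 19 ("self signed certificate in certificate chain") or a fatal
    "unknown CA" alert means the client rejected the server's chain because the
    root it ends in is not in the trust store; that is the class the reporter
    fixed by installing the root CA. Anything else is reported separately.
    """
    untrusted = (any(f["error"] == 19 for f in report["verify_failures"])
                 or "unknown CA" in report["tls_alerts"])
    if untrusted:
        return "untrusted-ca"
    if report["verify_failures"] or report["eap_failed"]:
        return "other-eap-failure"
    return "ok"


if __name__ == "__main__":
    r = parse_wpa_log(SAMPLE_LOG)
    for f in r["verify_failures"]:
        print("depth %d: %s (%s)" % (f["depth"], f["subject"], f["reason"]))
    print(r["eap_method"], diagnose(r))
```

The depth value is worth reporting: depth 3 with a self-signed subject says the whole chain was presented and only the anchor was missing, which points at the trust store rather than at the RADIUS server's configuration.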
--- Comment #1 from Sven Burmeister
http://bugzilla.novell.com/show_bug.cgi?id=532810#c1

--- Comment #2 from Tambet Ingo
http://bugzilla.novell.com/show_bug.cgi?id=532810#c2

--- Comment #3 from Sven Burmeister
http://bugzilla.novell.com/show_bug.cgi?id=532810#c3

--- Comment #4 from Sven Burmeister
http://bugzilla.novell.com/show_bug.cgi?id=532810#c4

--- Comment #5 from Will Stephenson
http://bugzilla.novell.com/show_bug.cgi?id=532810#c5

--- Comment #6 from Sven Burmeister
http://bugzilla.novell.com/show_bug.cgi?id=532810#c6

--- Comment #7 from Tambet Ingo
http://bugzilla.novell.com/show_bug.cgi?id=532810#c7

--- Comment #8 from Sven Burmeister
http://bugzilla.novell.com/show_bug.cgi?id=532810#c8
> The problem is that NetworkManager does not support CA files with more than one certificate, it uses the first certificate in it and sends that to wpa_supplicant (NM asks crypto libraries to parse files, and these return one).
>
> There are two ways for providing certificates to wpa_supplicant from NM:
>
> 1. By file name. NM reads the certificate and sends it as a blob of binary data. wpa_supplicant accepts exactly one certificate in this method.

Are you sure? The following config file works:

--- /etc/wpa_supplicant.conf
network={
        ssid="eduroam"
        key_mgmt=WPA-EAP
        eap=TTLS
        identity="username@domain.com"
        anonymous_identity="anonamous@domain.com"
        password="XXX"
        ca_cert="/etc/certs/chain.pem"
        phase2="auth=PAP"
}
--- EOF ---

So if wpa_supplicant can handle it, why does NM fail to do so?
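The disagreement in this comment is about whether a ca_cert file holding several PEM blocks is read whole or truncated to its first certificate. As an added example (not code from NetworkManager, wpa_supplicant or this bug), the block below builds a multi-certificate PEM bundle with the standard-library ssl helpers, splits it back into every certificate it contains, and reports how many certificates a first-certificate-only reader of the kind described above would drop. The payloads are constructed placeholders, not real certificates, and the function names are this example's own.

```python
import re
import ssl

# Constructed placeholder payloads standing in for DER-encoded certificates
# (not real certificates); a real chain.pem carries one X.509 certificate
# per BEGIN/END block.
CONSTRUCTED_CHAIN = [
    b"constructed DER placeholder: intermediate CA 1",
    b"constructed DER placeholder: intermediate CA 2",
    b"constructed DER placeholder: self-signed root CA",
]

# One PEM block per certificate; DOTALL so the base64 body may span lines.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL)


def build_pem_bundle(der_certs):
    """Concatenate DER blobs into a multi-certificate PEM file.

    ssl.DER_cert_to_PEM_cert wraps each blob in BEGIN/END markers and ends
    it with a newline, so plain concatenation yields a valid bundle.
    """
    return "".join(ssl.DER_cert_to_PEM_cert(der) for der in der_certs)


def split_pem_bundle(pem_text):
    """Return every certificate in a PEM bundle as DER bytes, in file order."""
    return [ssl.PEM_cert_to_DER_cert(block) for block in PEM_BLOCK.findall(pem_text)]


def first_cert_only(pem_text):
    """The behaviour comment #8 attributes to NM: only the first block survives."""
    return split_pem_bundle(pem_text)[:1]


def check_ca_file(pem_text):
    """Report how many certificates a ca_cert file holds and how many a
    first-certificate-only consumer would silently discard."""
    certs = split_pem_bundle(pem_text)
    return {
        "certificates": len(certs),
        "dropped_by_first_only_reader": max(len(certs) - 1, 0),
    }


if __name__ == "__main__":
    bundle = build_pem_bundle(CONSTRUCTED_CHAIN)
    print(check_ca_file(bundle))
    print("full reader:", len(split_pem_bundle(bundle)),
          "first-only reader:", len(first_cert_only(bundle)))
```

Running check_ca_file over the ca_cert path from a wpa_supplicant.conf is a quick way to tell, before filing a bug, whether a "certificate verify failed" comes from a chain file that only one consumer reads in full.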
--- Comment #9 from Tambet Ingo
http://bugzilla.novell.com/show_bug.cgi?id=532810#c9

--- Comment #10 from Sven Burmeister
http://bugzilla.novell.com/show_bug.cgi?id=532810#c10
> Of course, CAs are not such secrets, but all certificates are handled the same way.

Exactly this is the bug, i.e. handling everything the same way. These certificates are publicly accessible. Further, the user explicitly selected, i.e. trusts, that certificate chain, and NM should obey the user and not the other way around. Currently NM forces the "normal" user to know how to install certificates or connect without them. I claim that the "normal" user does not even know where to put certificates. As a result, the current NM behaviour does not increase but decreases security for users that are not familiar with the installation of certificates, apart from the usability issues of easing network access.
--- Comment #11 from Tambet Ingo
http://bugzilla.novell.com/show_bug.cgi?id=532810#c11

--- Comment #12 from Sven Burmeister
http://bugzilla.novell.com/show_bug.cgi?id=532810#c12

--- Comment #13 from Tambet Ingo
http://bugzilla.novell.com/show_bug.cgi?id=532810#c13

--- Comment #14 from Tambet Ingo
http://bugzilla.novell.com/show_bug.cgi?id=532810#c14

--- Comment #15 from Sven Burmeister
http://bugzilla.novell.com/show_bug.cgi?id=532810#c15

--- Comment #16 from Tambet Ingo
http://bugzilla.novell.com/show_bug.cgi?id=532810#c16

--- Comment #17 from Sven Burmeister
http://bugzilla.novell.com/show_bug.cgi?id=532810#c17

--- Comment #18 from Tambet Ingo
http://bugzilla.novell.com/show_bug.cgi?id=532810#c18
> I do not argue with you, you already stated that you will not put any resources into easing this.

I'm sorry, but I do not work on NetworkManager anymore. I'd like to, but it's not my decision.

> Further, creating the profile is not an issue, so I'm not sure why you try to use it to defend your point.

I'm not defending any points, I'm trying to help you solve your issue without programming that no one will do for now. Feel free to ignore it.

> This bug however is only about the handling of the certificates. That process does not require any knowledge of the whereabouts on Windows, while it does on

You brought it up in comment #12. I told you exactly how this can be achieved, with zero configuration.

> Linux because NM thinks it is smarter than the user and overrules his decision.

How does NM think it's smarter than anything and overrule anything? It's a missing feature in NM (my comment #11).
--- Comment #19 from Sven Burmeister
http://bugzilla.novell.com/show_bug.cgi?id=532810#c19