[Bug 1026807] New: TLS: Unsupported Phase2 EAP method 'mschapv2'
http://bugzilla.suse.com/show_bug.cgi?id=1026807

            Bug ID: 1026807
           Summary: TLS: Unsupported Phase2 EAP method 'mschapv2'
    Classification: openSUSE
           Product: openSUSE Tumbleweed
           Version: Current
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Network
          Assignee: bnc-team-screening@forge.provo.novell.com
          Reporter: nadvornik@suse.com
        QA Contact: qa-bugs@suse.de
          Found By: ---
           Blocker: ---

Created attachment 715406
  --> http://bugzilla.suse.com/attachment.cgi?id=715406&action=edit
/etc/sysconfig/network/ifcfg-wlan0

I have wifi configured using wicked and legacy configuration in /etc/sysconfig/network/ifcfg-wlan0. I have updated to current tumbleweed after several months and this configuration stopped working.

I got this error in /var/log/wpa_supplicant.log:

wlan0: Associated with 84:d4:7e:e0:78:10
wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
TLS: Unsupported Phase2 EAP method 'mschapv2'
wlan0: EAP: Failed to initialize EAP method: vendor 0 method 25 (PEAP)
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
EAP-TLS: Private key not configured
wlan0: EAP: Failed to initialize EAP method: vendor 0 method 13 (TLS)

After downgrade to wpa_supplicant-2.5 it works again.

--
You are receiving this mail because:
You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=1026807

Chenzi Cao <chcao@suse.com> changed:

           What    |Removed                                   |Added
----------------------------------------------------------------------------
           Assignee|bnc-team-screening@forge.provo.novell.com |meissner@suse.com
http://bugzilla.suse.com/show_bug.cgi?id=1026807
http://bugzilla.suse.com/show_bug.cgi?id=1026807#c1

Srinidhi B S <srinidhi.bs@microfocus.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |srinidhi.bs@microfocus.com

--- Comment #1 from Srinidhi B S <srinidhi.bs@microfocus.com> ---
Even I'm facing this on Raspberry Pi (2 and 3 B+):

* Pi 2 is running Tumbleweed
* Pi 3 B+ is running Leap 15
http://bugzilla.suse.com/show_bug.cgi?id=1026807
http://bugzilla.suse.com/show_bug.cgi?id=1026807#c2

Karol Babioch <kbabioch@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kbabioch@suse.com, nadvornik@suse.com
              Flags|                            |needinfo?(nadvornik@suse.com)

--- Comment #2 from Karol Babioch <kbabioch@suse.com> ---
Trying to get this fixed. Couldn't yet reproduce it, but will try to do so.

Could someone that is affected by this try to run wpa_supplicant directly (without any other network management on top, e.g. no wicked and/or NetworkManager)?

Such an issue has already been discussed in the past [1]. The solution [2] seems to be to use "MSCHAPV2" as method, as this is case-sensitive.

[1]: http://lists.infradead.org/pipermail/hostap/2009-July/020026.html
[2]: http://lists.infradead.org/pipermail/hostap/2009-August/020133.html
http://bugzilla.suse.com/show_bug.cgi?id=1026807
http://bugzilla.suse.com/show_bug.cgi?id=1026807#c3

Karol Babioch <kbabioch@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|                            |needinfo?(srinidhi.bs@microfocus.com)

--- Comment #3 from Karol Babioch <kbabioch@suse.com> ---
Pretty sure this is related to this commit:

https://w1.fi/cgit/hostap/commit/?id=f24e48861d50b6b6fc5681f75d4aa7514486285...

Basically mschapv2 was interpreted as mschap (v1) beforehand, which no longer works. We probably need to fix the templating in wicked, but it is actually not related to wpa_supplicant (I assume).

This is the relevant commit message:
EAP-TTLS peer: Fix parsing auth= and autheap= phase2 params
This patch fixes an issue with an invalid phase2 parameter value auth=MSCHAPv2 getting interpreted as auth=MSCHAP (v1) which could degrade security (though, only within a protected TLS tunnel). Now when invalid or unsupported auth= phase2 parameter combinations are specified, EAP-TTLS initialization throws an error instead of silently doing something.
More than one auth= phase2 type cannot be specified and also both auth= and autheap= options cannot be specified.
Parsing phase2 type is case sensitive (as in other EAP parts), so phase2 parameter auth=MSCHAPv2 is invalid. Only auth=MSCHAPV2 is correct.
Signed-off-by: Pali Rohár <pali.rohar@gmail.com>
[Use cstr_token() to get rid of unnecessary allocation; cleanup]
Signed-off-by: Jouni Malinen <j@w1.fi>
-- You are receiving this mail because: You are on the CC list for the bug.
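The parsing rules in the commit message quoted in comment #3, as an added example that is not part of the bug thread and is not hostap or wicked code. `lenient_match` is an assumed model of substring matching that shows how auth=MSCHAPv2 can be read as MSCHAP; the accepted auth= token set and the sample phase2 lines are constructed for illustration.

```python
import re

# Non-EAP inner methods accepted after auth= (token set assumed for this example).
TTLS_AUTH = ("MSCHAPV2", "MSCHAP", "CHAP", "PAP")

def lenient_match(phase2):
    """Assumed model of substring matching (not hostap code): first hit wins."""
    for name in TTLS_AUTH:
        if "auth=" + name in phase2:
            return name
    return None

def strict_check(phase2):
    """Return the errors a strict parser raises under the commit message's rules."""
    auth, autheap, errors = [], [], []
    for token in phase2.split():
        key, _, value = token.partition("=")
        if key == "auth":
            auth.append(value)
        elif key == "autheap":
            autheap.append(value)
    if len(auth) > 1:
        errors.append("more than one auth= type")
    if auth and autheap:
        errors.append("auth= combined with autheap=")
    for value in auth:
        if value not in TTLS_AUTH:  # exact, case-sensitive comparison
            hint = f", use auth={value.upper()}" if value.upper() in TTLS_AUTH else ""
            errors.append(f"unsupported auth={value}{hint}")
    return errors

def audit(conf_text):
    """List (line number, lenient reading, strict errors) for each bad phase2 line."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m = re.match(r'\s*phase2\s*=\s*"([^"]*)"', line)
        errors = strict_check(m.group(1)) if m else []
        if errors:
            findings.append((lineno, lenient_match(m.group(1)), errors))
    return findings

# Constructed phase2 lines as they would appear inside network={} blocks.
SAMPLE = '''phase2="auth=MSCHAPv2"
phase2="auth=PAP autheap=MD5"
phase2="auth=MSCHAPV2"'''

if __name__ == "__main__":
    for lineno, lenient, errors in audit(SAMPLE):
        print(f"line {lineno}: lenient={lenient} strict={errors}")
```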
http://bugzilla.suse.com/show_bug.cgi?id=1026807

Karol Babioch <kbabioch@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|meissner@suse.com           |wicked-maintainers@suse.de
http://bugzilla.suse.com/show_bug.cgi?id=1026807
http://bugzilla.suse.com/show_bug.cgi?id=1026807#c4

--- Comment #4 from Karol Babioch <kbabioch@suse.com> ---
I've reported this bug upstream: https://github.com/openSUSE/wicked/issues/777
http://bugzilla.suse.com/show_bug.cgi?id=1026807

Rubén Torrero Marijnissen <rtorreromarijnissen@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|P5 - None                   |P2 - High
                 CC|                            |rtorreromarijnissen@suse.com
http://bugzilla.suse.com/show_bug.cgi?id=1026807
http://bugzilla.suse.com/show_bug.cgi?id=1026807#c5

--- Comment #5 from Karol Babioch <kbabioch@suse.com> ---
Bug 934075 (bsc#934075) might be related in that it also is about wrong translations between wicked / YaST and wpa_supplicant. Seems to be rather messy and not very robust.
http://bugzilla.suse.com/show_bug.cgi?id=1026807
http://bugzilla.suse.com/show_bug.cgi?id=1026807#c6

Marius Tomaschewski <mt@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mt@suse.com

--- Comment #6 from Marius Tomaschewski <mt@suse.com> ---
A fix for this issue is in https://github.com/openSUSE/wicked/pull/780, please give it a test, test RPMs are at:

http://download.opensuse.org/repositories/network:/wicked:/testing/
http://bugzilla.suse.com/show_bug.cgi?id=1026807
http://bugzilla.suse.com/show_bug.cgi?id=1026807#c7

--- Comment #7 from Swamp Workflow Management <swamp@suse.de> ---
This is an autogenerated message for OBS integration:
This bug (1026807) was mentioned in
https://build.opensuse.org/request/show/644846 Factory / wicked
http://bugzilla.suse.com/show_bug.cgi?id=1026807

Marcus Meissner <meissner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |meissner@suse.com
http://bugzilla.suse.com/show_bug.cgi?id=1026807

Swamp Workflow Management <swamp@suse.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Whiteboard|                            |ibs:running:9270:moderate
http://bugzilla.suse.com/show_bug.cgi?id=1026807
http://bugzilla.suse.com/show_bug.cgi?id=1026807#c10

Karol Babioch <kbabioch@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #10 from Karol Babioch <kbabioch@suse.com> ---
Has been fixed with latest version of wicked.
http://bugzilla.suse.com/show_bug.cgi?id=1026807

Swamp Workflow Management <swamp@suse.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Whiteboard|ibs:running:9270:moderate   |ibs:running:9270:moderate
                   |                            |ibs:running:9429:moderate
                   |                            |ibs:running:9427:moderate
                   |                            |ibs:running:9430:moderate
http://bugzilla.suse.com/show_bug.cgi?id=1026807

Andreas Taschner <andreas.taschner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |andreas.taschner@suse.com
http://bugzilla.suse.com/show_bug.cgi?id=1026807
http://bugzilla.suse.com/show_bug.cgi?id=1026807#c12

--- Comment #12 from Swamp Workflow Management <swamp@suse.de> ---
SUSE-RU-2018:4095-1: An update that has 8 recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1026807,1084527,1085786,1095818,1102871,1107579,1109147,972463
CVE References:
Sources used:
SUSE Linux Enterprise Module for Basesystem 15 (src): wicked-0.6.52-3.5.2
http://bugzilla.suse.com/show_bug.cgi?id=1026807

Swamp Workflow Management <swamp@suse.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Whiteboard|ibs:running:9270:moderate   |ibs:running:9270:moderate
                   |ibs:running:9429:moderate   |ibs:running:9429:moderate
                   |ibs:running:9427:moderate   |ibs:running:9430:moderate
                   |ibs:running:9430:moderate   |
http://bugzilla.suse.com/show_bug.cgi?id=1026807
http://bugzilla.suse.com/show_bug.cgi?id=1026807#c13

--- Comment #13 from Swamp Workflow Management <swamp@suse.de> ---
openSUSE-RU-2018:4116-1: An update that has 8 recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1026807,1084527,1085786,1095818,1102871,1107579,1109147,972463
CVE References:
Sources used:
openSUSE Leap 15.0 (src): wicked-0.6.52-lp150.2.3.1
http://bugzilla.suse.com/show_bug.cgi?id=1026807
http://bugzilla.suse.com/show_bug.cgi?id=1026807#c14

--- Comment #14 from Swamp Workflow Management <swamp@suse.de> ---
SUSE-RU-2018:4224-1: An update that has two recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1026807,1107579
CVE References:
Sources used:
SUSE Linux Enterprise Server 12-SP4 (src): wicked-0.6.52-2.5.1
SUSE Linux Enterprise Desktop 12-SP4 (src): wicked-0.6.52-2.5.1
http://bugzilla.suse.com/show_bug.cgi?id=1026807

Swamp Workflow Management <swamp@suse.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Whiteboard|ibs:running:9270:moderate   |ibs:running:9270:moderate
                   |ibs:running:9429:moderate   |ibs:running:9430:moderate
                   |ibs:running:9430:moderate   |
http://bugzilla.suse.com/show_bug.cgi?id=1026807
http://bugzilla.suse.com/show_bug.cgi?id=1026807#c15

--- Comment #15 from Swamp Workflow Management <swamp@suse.de> ---
SUSE-RU-2019:0168-1: An update that has 20 recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1022872,1026807,1027099,1036675,1057007,1061051,1069468,1072343,1078245,1083670,1084462,1084527,1085020,1085786,1095818,1102871,1107579,1109147,954758,972463
CVE References:
Sources used:
SUSE Linux Enterprise Server 12-SP3 (src): wicked-0.6.52-38.13.1
SUSE Linux Enterprise Desktop 12-SP3 (src): wicked-0.6.52-38.13.1
SUSE CaaS Platform ALL (src): wicked-0.6.52-38.13.1
SUSE CaaS Platform 3.0 (src): wicked-0.6.52-38.13.1
OpenStack Cloud Magnum Orchestration 7 (src): wicked-0.6.52-38.13.1
http://bugzilla.suse.com/show_bug.cgi?id=1026807
http://bugzilla.suse.com/show_bug.cgi?id=1026807#c16

--- Comment #16 from Swamp Workflow Management <swamp@suse.de> ---
openSUSE-RU-2019:0121-1: An update that has 20 recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1022872,1026807,1027099,1036675,1057007,1061051,1069468,1072343,1078245,1083670,1084462,1084527,1085020,1085786,1095818,1102871,1107579,1109147,954758,972463
CVE References:
Sources used:
openSUSE Leap 42.3 (src): wicked-0.6.52-12.1
http://bugzilla.suse.com/show_bug.cgi?id=1026807
http://bugzilla.suse.com/show_bug.cgi?id=1026807#c17

--- Comment #17 from Swamp Workflow Management <swamp@suse.de> ---
SUSE-RU-2019:0452-1: An update that has 20 recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1022872,1026807,1027099,1036675,1057007,1061051,1069468,1072343,1078245,1083670,1084462,1084527,1085020,1085786,1095818,1102871,1107579,1109147,954758,972463
CVE References:
Sources used:
SUSE Linux Enterprise Server 12-SP1-LTSS (src): wicked-0.6.52-28.14.1
http://bugzilla.suse.com/show_bug.cgi?id=1026807

Swamp Workflow Management <swamp@suse.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Whiteboard|ibs:running:9270:moderate   |
                   |ibs:running:9430:moderate   |
http://bugzilla.suse.com/show_bug.cgi?id=1026807
http://bugzilla.suse.com/show_bug.cgi?id=1026807#c18

--- Comment #18 from Swamp Workflow Management <swamp@suse.de> ---
SUSE-RU-2019:0452-2: An update that has 20 recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1022872,1026807,1027099,1036675,1057007,1061051,1069468,1072343,1078245,1083670,1084462,1084527,1085020,1085786,1095818,1102871,1107579,1109147,954758,972463
CVE References:
Sources used:
SUSE Linux Enterprise Server for SAP 12-SP1 (src): wicked-0.6.52-28.14.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.