[Bug 1026807] New: TLS: Unsupported Phase2 EAP method 'mschapv2'

older
[Bug 1106369] oops when reading...

bugzilla_noreply＠novell.com

24 Feb 2017 24 Feb '17

10:56

http://bugzilla.suse.com/show_bug.cgi?id=1026807 Bug ID: 1026807 Summary: TLS: Unsupported Phase2 EAP method 'mschapv2' Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Network Assignee: bnc-team-screening@forge.provo.novell.com Reporter: nadvornik@suse.com QA Contact: qa-bugs@suse.de Found By: --- Blocker: --- Created attachment 715406 --> http://bugzilla.suse.com/attachment.cgi?id=715406&action=edit /etc/sysconfig/network/ifcfg-wlan0 I have wifi configured using wicked and legacy configuration in /etc/sysconfig/network/ifcfg-wlan0. I have updated to current tumbleweed after several months and this configuration stopped working. I got this error in /var/log/wpa_supplicant.log: wlan0: Associated with 84:d4:7e:e0:78:10 wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25 TLS: Unsupported Phase2 EAP method 'mschapv2' wlan0: EAP: Failed to initialize EAP method: vendor 0 method 25 (PEAP) wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13 EAP-TLS: Private key not configured wlan0: EAP: Failed to initialize EAP method: vendor 0 method 13 (TLS) After downgrade to wpa_supplicant-2.5 it works again. -- You are receiving this mail because: You are on the CC list for the bug.

Attachments:

attachment.htm (text/html — 3.1 KB)

Show replies by date

bugzilla_noreply＠novell.com

9 Mar 9 Mar

08:07

New subject: [Bug 1026807] TLS: Unsupported Phase2 EAP method 'mschapv2'

http://bugzilla.suse.com/show_bug.cgi?id=1026807 Chenzi Cao changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|bnc-team-screening@forge.pr |meissner@suse.com |ovo.novell.com | -- You are receiving this mail because: You are on the CC list for the bug.

bugzilla_noreply＠novell.com

1 Sep 1 Sep

11:06

New subject: [Bug 1026807] TLS: Unsupported Phase2 EAP method 'mschapv2'

http://bugzilla.suse.com/show_bug.cgi?id=1026807 http://bugzilla.suse.com/show_bug.cgi?id=1026807#c1 Srinidhi B S changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |srinidhi.bs@microfocus.com --- Comment #1 from Srinidhi B S --- Even I'm facing this on Raspberry Pi (2 and 3 B+): * Pi 2 is running Tumbleweed * Pi 3 B+ is running Leap 15 -- You are receiving this mail because: You are on the CC list for the bug.

bugzilla_noreply＠novell.com

9 Oct 9 Oct

11:20

New subject: [Bug 1026807] TLS: Unsupported Phase2 EAP method 'mschapv2'

http://bugzilla.suse.com/show_bug.cgi?id=1026807 http://bugzilla.suse.com/show_bug.cgi?id=1026807#c2 Karol Babioch changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |kbabioch@suse.com, | |nadvornik@suse.com Flags| |needinfo?(nadvornik@suse.co | |m) --- Comment #2 from Karol Babioch --- Trying to get this fixed. Couldn't yet reproduce it, but will try to do so. Could someone that is affected by this try to run wpa_supplicant directly (without any other network management on top, e.g. no wicket and/or NetworkManager). Such an issue has already been discussed in the past [1]. The solution [2] seems to be to use "MSCHAPV2" as method, as this is case-sensitive. [1]: http://lists.infradead.org/pipermail/hostap/2009-July/020026.html [2]: http://lists.infradead.org/pipermail/hostap/2009-August/020133.html -- You are receiving this mail because: You are on the CC list for the bug.

bugzilla_noreply＠novell.com

11:30

New subject: [Bug 1026807] TLS: Unsupported Phase2 EAP method 'mschapv2'

http://bugzilla.suse.com/show_bug.cgi?id=1026807 http://bugzilla.suse.com/show_bug.cgi?id=1026807#c3 Karol Babioch changed: What |Removed |Added ---------------------------------------------------------------------------- Flags| |needinfo?(srinidhi.bs@micro | |focus.com) --- Comment #3 from Karol Babioch --- Pretty sure this is related to this commit: https://w1.fi/cgit/hostap/commit/?id=f24e48861d50b6b6fc5681f75d4aa7514486285... Basically mschapv2 was interpreted as mschap (v1) beforehand, which no longer works. We probably need to fix the templating in wicked, but is is actually not related to wpa_supplicant (I assume). This is the relevant commit message:

...

EAP-TTLS peer: Fix parsing auth= and autheap= phase2 params

This patch fixes an issue with an invalid phase2 parameter value auth=MSCHAPv2 getting interpreted as auth=MSCHAP (v1) which could degrade security (though, only within a protected TLS tunnel). Now when invalid or unsupported auth= phase2 parameter combinations are specified, EAP-TTLS initialization throws an error instead of silently doing something.

More then one auth= phase2 type cannot be specified and also both auth= and autheap= options cannot be specified.

Parsing phase2 type is case sensitive (as in other EAP parts), so phase2 parameter auth=MSCHAPv2 is invalid. Only auth=MSCHAPV2 is correct.

Signed-off-by: Pali Rohár [Use cstr_token() to get rid of unnecessary allocation; cleanup] Signed-off-by: Jouni Malinen

-- You are receiving this mail because: You are on the CC list for the bug.