[Bug 1207913] New: wpa_supplicant 2.10-4.2 does not authenticate WPA PEAP MSCHAPv2 connections with no certificate
http://bugzilla.opensuse.org/show_bug.cgi?id=1207913

            Bug ID: 1207913
           Summary: wpa_supplicant 2.10-4.2 does not authenticate WPA PEAP
                    MSCHAPv2 connections with no certificate
    Classification: openSUSE
           Product: openSUSE Tumbleweed
           Version: Current
          Hardware: x86-64
                OS: openSUSE Tumbleweed
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Network
          Assignee: screening-team-bugs@suse.de
          Reporter: sardone@duck.com
        QA Contact: qa-bugs@suse.de
          Found By: ---
           Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0
Build Identifier:

After updating wpa_supplicant from 2.10-4-1 to 2.10-4-2, a previously working WPA2 Enterprise PEAP MSCHAPv2 (no certificate) connection does not authenticate anymore.

Reproducible: Always

Steps to Reproduce:
1. Make sure you have wpa_supplicant 2.10-4.1 installed
2. Connect successfully to a WPA2 Enterprise PEAP MSCHAPv2 connection with no certificate (e.g. Fastweb's WOW FI on the Italian market)
3. Update wpa_supplicant to 2.10-4-2
4. Reboot

Actual Results:
dmesg | grep -i wlp3s0
[ 7.303932] iwlwifi 0000:03:00.0 wlp3s0: renamed from wlan0
[ 12.109618] wlp3s0: authenticate with 72:d1:1b:18:68:bc
[ 12.109667] wlp3s0: 80 MHz not supported, disabling VHT
[ 12.119999] wlp3s0: send auth to 72:d1:1b:18:68:bc (try 1/3)
[ 12.127652] wlp3s0: authenticated
[ 12.130825] wlp3s0: associate with 72:d1:1b:18:68:bc (try 1/3)
[ 12.137145] wlp3s0: RX AssocResp from 72:d1:1b:18:68:bc (capab=0x411 status=0 aid=1)
[ 12.150270] wlp3s0: associated
[ 14.238946] wlp3s0: deauthenticating from 72:d1:1b:18:68:bc by local choice (Reason: 3=DEAUTH_LEAVING)

Expected Results:
dmesg | grep -i wlp3s0
[ 7.235464] iwlwifi 0000:03:00.0 wlp3s0: renamed from wlan0
[ 11.788043] wlp3s0: authenticate with 72:d1:1b:18:68:bc
[ 11.788057] wlp3s0: 80 MHz not supported, disabling VHT
[ 11.799552] wlp3s0: send auth to 72:d1:1b:18:68:bc (try 1/3)
[ 11.824332] wlp3s0: authenticated
[ 11.826138] wlp3s0: associate with 72:d1:1b:18:68:bc (try 1/3)
[ 11.830107] wlp3s0: RX AssocResp from 72:d1:1b:18:68:bc (capab=0x411 status=0 aid=1)
[ 11.836770] wlp3s0: associated
[ 12.639114] IPv6: ADDRCONF(NETDEV_CHANGE): wlp3s0: link becomes ready

Lenovo Thinkpad T480

--
You are receiving this mail because:
You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1207913

Alessandro Sardone <sardone@duck.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Found By|---                         |Community User

http://bugzilla.opensuse.org/show_bug.cgi?id=1207913
http://bugzilla.opensuse.org/show_bug.cgi?id=1207913#c1

--- Comment #1 from Alessandro Sardone <sardone@duck.com> ---
lspci | grep -i wireless
03:00.0 Network controller: Intel Corporation Wireless 8265 / 8275 (rev 78)

lsmod | grep -i wifi
iwlwifi 417792 1 iwlmvm
cfg80211 1118208 3 iwlmvm,iwlwifi,mac80211

http://bugzilla.opensuse.org/show_bug.cgi?id=1207913
http://bugzilla.opensuse.org/show_bug.cgi?id=1207913#c2

Jahelka <pjahelka@caltech.edu> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |pjahelka@caltech.edu

--- Comment #2 from Jahelka <pjahelka@caltech.edu> ---
Getting the same bug with an RTL8822BE.

http://bugzilla.opensuse.org/show_bug.cgi?id=1207913

Jahelka <pjahelka@caltech.edu> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|Normal                      |Major

http://bugzilla.opensuse.org/show_bug.cgi?id=1207913
http://bugzilla.opensuse.org/show_bug.cgi?id=1207913#c6

--- Comment #6 from Alessandro Sardone <sardone@duck.com> ---
(In reply to Ward from comment #4)
(In reply to Ward from comment #3)
Maybe this is an OpenSSL-3 issue. I don't have the time to troubleshoot at the moment but I'll do so next time I'm on the campus.
Updating openssl 1.1.1s-1.1 to 3.0.8-1.1 results in the same issue:

il | openssl | package | 1.1.1s-1.1 | noarch | (System Packages)
vl | openssl | package | 3.0.8-1.1 | noarch | openSUSE-Tumbleweed-Oss

Temporary fix:
sudo zypper addlock openssl

My sudo zypper locks:

# | Name           | Type    | Repository | Comment
--+----------------+---------+------------+--------
1 | openssl        | package | (any)      |
2 | wpa_supplicant | package | (any)      |

http://bugzilla.opensuse.org/show_bug.cgi?id=1207913

Alessandro Sardone <sardone@duck.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           See Also|                            |https://bugzilla.opensuse.org/show_bug.cgi?id=1195395

http://bugzilla.opensuse.org/show_bug.cgi?id=1207913
http://bugzilla.opensuse.org/show_bug.cgi?id=1207913#c7

--- Comment #7 from Clemens Famulla-Conrad <cfamullaconrad@suse.com> ---
Maybe it helps if you adopt your https://en.opensuse.org/SDB:Crypto-policies ?

There are no changes in the wpa_supplicant package between 2.10-4-1 and 2.10-4-2.

http://bugzilla.opensuse.org/show_bug.cgi?id=1207913
http://bugzilla.opensuse.org/show_bug.cgi?id=1207913#c8

--- Comment #8 from Alessandro Sardone <sardone@duck.com> ---
I switched from DEFAULT to LEGACY and rebooted but NetworkManager still does not connect.

http://bugzilla.opensuse.org/show_bug.cgi?id=1207913
http://bugzilla.opensuse.org/show_bug.cgi?id=1207913#c9

--- Comment #9 from Clemens Famulla-Conrad <cfamullaconrad@suse.com> ---
Would you provide the wpa_supplicant log with `-ddt` enabled?
Thx in advance!

http://bugzilla.opensuse.org/show_bug.cgi?id=1207913
http://bugzilla.opensuse.org/show_bug.cgi?id=1207913#c11

Stefan Vater <st.vater@web.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |st.vater@web.de

--- Comment #11 from Stefan Vater <st.vater@web.de> ---
I have the same or at least a similar problem: I cannot get into a previously working WPA2 Enterprise PEAP MSCHAPv2 (no certificate) connection anymore. However, I think the problem is the recent switch from openssl 1.1 to version 3.0. In my wpa_supplicant I get the messages:

1677056426.698527: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:internal error
1677056426.698692: OpenSSL: openssl_handshake - SSL_connect error:0A00014D:SSL routines::legacy sigalg disallowed or unsupported

Here, I have already set

update-crypto-policies --set LEGACY

and in openssl.conf I set

[...]
[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1

If I can give you more information, please let me know.
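
Added example, not part of the bug thread and not code from wpa_supplicant or OpenSSL: a Python triage script for the two `-ddt` log lines quoted in comment #11. It decodes the packed OpenSSL 3 error code (library and reason numbers as defined in OpenSSL's err.h and sslerr.h) and records whether the TLS alert was raised locally; the function and field names are hypothetical.

```python
import re

# OpenSSL 3.x error-code layout (err.h): bit 31 flags a system (errno) error,
# bits 23..30 hold the library number, bits 0..22 the reason number.
ERR_SYSTEM_FLAG, ERR_LIB_OFFSET, ERR_LIB_MASK, ERR_REASON_MASK = 0x80000000, 23, 0xFF, 0x7FFFFF

# Only the names this thread needs; numbers as defined in err.h / sslerr.h.
LIB_NAMES = {2: "ERR_LIB_SYS", 20: "ERR_LIB_SSL"}
REASON_NAMES = {(20, 333): "SSL_R_LEGACY_SIGALG_DISALLOWED_OR_UNSUPPORTED"}

# The two log lines from comment #11 (wpa_supplicant -ddt: "<epoch>: <message>").
SAMPLE_LOG = """\
1677056426.698527: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:internal error
1677056426.698692: OpenSSL: openssl_handshake - SSL_connect error:0A00014D:SSL routines::legacy sigalg disallowed or unsupported
"""

LINE_RE = re.compile(r"^(\d+\.\d+): (.*)$")
ALERT_RE = re.compile(r"SSL3 alert: (read|write) \([^)]*\):(\w+):(.+)$")
ERROR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):(.*)$")

def decode_openssl_error(code_hex):
    """Split a packed OpenSSL 3 error code into library and reason numbers."""
    code = int(code_hex, 16)
    if code & ERR_SYSTEM_FLAG:  # errno-style error: no library/reason split
        lib, reason = 2, code & 0x7FFFFFFF
    else:
        lib, reason = (code >> ERR_LIB_OFFSET) & ERR_LIB_MASK, code & ERR_REASON_MASK
    return {"lib": lib, "reason": reason,
            "lib_name": LIB_NAMES.get(lib, "unknown"),
            "reason_name": REASON_NAMES.get((lib, reason), "unknown")}

def triage(log_text):
    """Return TLS alerts and OpenSSL errors found in a wpa_supplicant debug log."""
    findings = []
    for raw in log_text.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line:
            continue  # untimestamped or wrapped line
        ts, msg = line.groups()
        if (alert := ALERT_RE.search(msg)):
            direction, level, desc = alert.groups()
            # "write" = alert sent by this host, so the local TLS stack rejected the handshake
            findings.append({"ts": ts, "kind": "tls_alert", "level": level, "description": desc,
                             "raised_by": "local" if direction == "write" else "peer"})
        elif (err := ERROR_RE.search(msg)):
            findings.append({"ts": ts, "kind": "openssl_error", "text": err.group(2),
                             **decode_openssl_error(err.group(1))})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```
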

http://bugzilla.opensuse.org/show_bug.cgi?id=1207913
http://bugzilla.opensuse.org/show_bug.cgi?id=1207913#c13

Srinidhi B S <srinidhi.bs@microfocus.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |srinidhi.bs@microfocus.com

--- Comment #13 from Srinidhi B S <srinidhi.bs@microfocus.com> ---
https://github.com/Kong/insomnia/issues/4543#issuecomment-1126771807 <- I followed this comment and I can now connect to my corporate WPA PEAP MSCHAP-v2 network.

`update-crypto-policies --set=LEGACY` does not help.

http://bugzilla.opensuse.org/show_bug.cgi?id=1207913
http://bugzilla.opensuse.org/show_bug.cgi?id=1207913#c14

--- Comment #14 from Alessandro Sardone <sardone@duck.com> ---
I followed the same instructions but it did not work for me.

http://bugzilla.opensuse.org/show_bug.cgi?id=1207913
http://bugzilla.opensuse.org/show_bug.cgi?id=1207913#c15

Donald Curtis <bugrprt21882@online.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bugrprt21882@online.de

--- Comment #15 from Donald Curtis <bugrprt21882@online.de> ---
Open question to everyone suffering from this issue:
* Can you connect to the offending WLAN with either an Android or Apple Pocket Telephone?

Further information here:
<https://security.stackexchange.com/questions/193450/your-connection-will-not-be-private-wi-fi-ca-certificate-warning-message-on-an>

http://bugzilla.opensuse.org/show_bug.cgi?id=1207913
http://bugzilla.opensuse.org/show_bug.cgi?id=1207913#c16

--- Comment #16 from Alessandro Sardone <sardone@duck.com> ---
Yes, I can on Android.