On 09.08.2021 17:17, Stefan Vater wrote:
Thanks for the quick reply!
So what do I have to write in /etc/ssl/openssl.cnf?
There is no [system_default_sect] section in there.
Would you please follow standard rules and post your replies inline so that they can be correctly attributed and commented.
Stefan
Am Montag, 9. August 2021, 15:54:56 CEST schrieb Andrei Borzenkov:
On Mon, Aug 9, 2021 at 4:40 PM Stefan Vater <st.vater@web.de> wrote:
Hi,
since some time I have a problem connecting to the wireless network with NetworkManager at work. This network is configured with WPA/WPA2 Enterprise, and the relevant security configuration is:
[wifi-security] key-mgmt=wpa-eap
[802-1x] eap=peap; identity=xxx password-flags=1 phase2-auth=mschapv2
In /var/log/wpa_supplicant.log I get:
1615987045.882707: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:handshake failure 1615987045.882817: OpenSSL: openssl_handshake - SSL_connect error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small
I am afraid it is not that simple.
1615987046.888005: wlp2s0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
I am using Opensuse Tumbleweed with NetworkManager-1.32.4-2.1.x86_64 openssl-1.1.1k-2.1.noarch wpa_supplicant-2.9-13.3.x86_64
Your server is using too weak key (768 bits). wpa_supplicant hardcodes security level (OK, it hardcodes cipher string so OpenSSL falls beack to default security level 1). When using wpa_supplicant directly it is possible to override cipher string (thus lowering security level) but not when using wpa_supplicant via NetworkManager. Some posts indicate that disabling TLS v1.2 may work around this problem. It should be possible by setting connection property 802-1x.phase1-auth-flags to 4 (if it is not exposed by GUI frontend using nmcli).
I really do not know, how I could solve the issue. Any help is appreciated!
Best, Stefan