On 12.08.2021 18:56, Stefan Vater wrote:
Am Montag, 9. August 2021, 21:46:26 CEST schrieb Andrei Borzenkov:
On 09.08.2021 17:17, Stefan Vater wrote:
Thanks for the quick reply!
So what do I have to write in /etc/ssl/openssl.cnf?
There is no [system_default_sect] section in there.
Would you please follow standard rules and post your replies inline so that they can be correctly attributed and commented.
I am sorry. I am not that used to writing to this list. I will try to do it better in the future.
Stefan
Am Montag, 9. August 2021, 15:54:56 CEST schrieb Andrei Borzenkov:
On Mon, Aug 9, 2021 at 4:40 PM Stefan Vater <st.vater@web.de> wrote:
Hi,
since some time I have a problem connecting to the wireless network with NetworkManager at work. This network is configured with WPA/WPA2 Enterprise, and the relevant security configuration is:
[wifi-security]
key-mgmt=wpa-eap

[802-1x]
eap=peap;
identity=xxx
password-flags=1
phase2-auth=mschapv2
In /var/log/wpa_supplicant.log I get:
1615987045.882707: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:handshake failure
1615987045.882817: OpenSSL: openssl_handshake - SSL_connect error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small
I am afraid it is not that simple.
1615987046.888005: wlp2s0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
I am using Opensuse Tumbleweed with NetworkManager-1.32.4-2.1.x86_64 openssl-1.1.1k-2.1.noarch wpa_supplicant-2.9-13.3.x86_64
Your server is using too weak a key (768 bits). wpa_supplicant hardcodes the security level (OK, it hardcodes the cipher string, so OpenSSL falls back to the default security level 1). When using wpa_supplicant directly it is possible to override the cipher string (thus lowering the security level), but not when using wpa_supplicant via NetworkManager.
Some posts indicate that disabling TLS v1.2 may work around this problem. It should be possible by setting connection property 802-1x.phase1-auth-flags to 4 (if it is not exposed by GUI frontend using nmcli).
I tried disabling TLS v1.2 via NetworkManager settings, but it did not work. So the next thing would be to try using wpa_supplicant directly, to find out if that helps. Can you tell me how I can overwrite the cipher string that way?
See as an example https://bugzilla.redhat.com/show_bug.cgi?id=1462262#c6 There it sets openssl_ciphers="PROFILE=SYSTEM"; you may try with openssl_ciphers="DEFAULT@SECLEVEL=0"
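The diagnosis in this thread hinges on reading the packed OpenSSL error code out of wpa_supplicant.log. The following script is an added example for this thread, not code from any of the posters: it triages log lines in the format quoted above, decodes the 0x141A318A code into OpenSSL's library/function/reason fields, and flags the "dh key too small" case so the failure is attributed to the RADIUS server's DH parameters rather than to the supplicant configuration. The sample log lines are constructed (modelled on the quoted ones, with one extra success line); the packing layout and the numeric constants assume OpenSSL 1.1.x, which is the version in the thread.

```python
"""Triage wpa_supplicant.log for EAP/TLS handshake failures (added example)."""
import re
from datetime import datetime, timezone

# Constructed sample, modelled on the lines quoted in the thread plus one success line.
SAMPLE_LOG = """\
1615987045.882707: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:handshake failure
1615987045.882817: OpenSSL: openssl_handshake - SSL_connect error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small
1615987046.888005: wlp2s0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
1615987100.000000: wlp2s0: CTRL-EVENT-CONNECTED - Connection to 00:11:22:33:44:55 completed [id=0 id_str=]
"""

# OpenSSL 1.1.x packs an error code as: bits 31-24 library, 23-12 function, 11-0 reason.
ERR_LIB_SSL = 20               # ERR_LIB_SSL from <openssl/err.h>
SSL_R_DH_KEY_TOO_SMALL = 394   # reason code from <openssl/sslerr.h> (1.1.1)

TS_RE = re.compile(r"^(\d+\.\d+): (.*)$")
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)$")


def decode_openssl_error(code: int) -> dict:
    """Split a packed 1.1.x error code into its library, function and reason numbers."""
    return {"lib": (code >> 24) & 0xFF, "func": (code >> 12) & 0xFFF, "reason": code & 0xFFF}


def triage(log_text: str) -> list:
    """Return one finding per OpenSSL error line or EAP failure line, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        # wpa_supplicant timestamps are seconds since the epoch (timestamp_msgs / -t).
        when = datetime.fromtimestamp(float(m.group(1)), tz=timezone.utc).isoformat()
        body = m.group(2)
        em = ERR_RE.search(body)
        if em:
            parts = decode_openssl_error(int(em.group(1), 16))
            findings.append({
                "kind": "openssl_error",
                "time": when,
                "function": em.group(3),
                "reason_text": em.group(4),
                "weak_dh": parts["lib"] == ERR_LIB_SSL
                and parts["reason"] == SSL_R_DH_KEY_TOO_SMALL,
                **parts,
            })
        elif "CTRL-EVENT-EAP-FAILURE" in body:
            findings.append({"kind": "eap_failure", "time": when, "text": body})
    return findings


def advice(findings: list) -> str:
    """Summarise the root cause and remedy implied by the findings."""
    if any(f.get("weak_dh") for f in findings):
        return ("Server offered DH parameters below OpenSSL security level 1 (which "
                "requires at least 1024-bit DH). The lasting fix is larger DH parameters "
                "(2048 bits or more) on the RADIUS server; SECLEVEL=0 on the client only "
                "accepts the weak group.")
    if any(f["kind"] == "eap_failure" for f in findings):
        return "EAP failed without an OpenSSL error; check credentials and the phase2 method."
    return "No EAP/TLS failure found."


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for finding in result:
        print(finding)
    print(advice(result))
```

Run it against a real /var/log/wpa_supplicant.log by replacing SAMPLE_LOG with the file's contents; a finding with weak_dh set to True points at the server side, which is the case this thread describes.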