Ticket metadata
The Basics
Id: 2825
Status: open
Priority: 0/
Queue: OpenSSL-Bugs

Custom Fields
Milestone: (no value)
Subsystem: (no value)
Severity: (no value)
Broken in: (no value)

People
Owner: Nobody in particular
Requestors: Jeremy Nickurak
Cc:
AdminCc:


Dates
Created: Wed May 23 10:35:22 2012
Starts: Not set
Started: Not set
Last Contact: Fri Jun 08 00:35:21 2012
Due: Not set
Closed: Not set
Updated: Fri Jun 08 00:35:21 2012 by Stephen Henson



Subject: Bug: Unable to connect to WPA enterprise wireless
Date: Tue, 22 May 2012 18:12:15 -0600
To: rt@openssl.org
From: Jeremy Nickurak <openssl-rt@trk.nickurak.ca>
Per downstream
https://bugs.launchpad.net/ubuntu/+source/wpasupplicant/+bug/969343 :

> I am still unable to connect with openssl 1.0.1-4ubuntu2. It looks like the same problem as before. Here is a bit of syslog:
>
> Apr 19 08:42:51 fin8344m2 wpa_supplicant[1120]: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
> Apr 19 08:42:51 fin8344m2 wpa_supplicant[1120]: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
> Apr 19 08:42:51 fin8344m2 wpa_supplicant[1120]: SSL: SSL3 alert: read (remote end reported an error):fatal:bad certificate
> Apr 19 08:42:51 fin8344m2 wpa_supplicant[1120]: OpenSSL: openssl_handshake - SSL_connect error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
> Apr 19 08:42:51 fin8344m2 wpa_supplicant[1120]: CTRL-EVENT-EAP-FAILURE EAP authentication failed
> Apr 19 08:42:51 fin8344m2 kernel: [ 77.468839] wlan0: deauthenticated from 00:11:92:3e:79:80 (Reason: 23)
> Apr 19 08:42:51 fin8344m2 wpa_supplicant[1120]: CTRL-EVENT-DISCONNECTED bssid=00:11:92:3e:79:80 reason=23

It's unclear to me whether this is a wpa_supplicant bug or an openssl bug, but
reverting to an older openssl version (say, 1.0.0e) addresses the problem.
However, per the redhat filing at:
https://bugzilla.redhat.com/show_bug.cgi?id=798187 :

> This message means that eap_peer_tls_derive_key() function failed. I'd need more low level debugging output to find out which function called from OpenSSL library fails or behaves differently.
>
> I suppose it is related to the new TLS-1.2 support in openssl-1.0.1. Perhaps the wpa_supplicant should forcibly limit the TLS version to 1.0?
>
> Reassigning to wpa_supplicant for better insight from wpa_supplicant maintainers.

Also filed for debian at:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=667706

And for wpa_supplicant at: http://w1.fi/bugz/show_bug.cgi?id=447
Subject: Re: [openssl.org #2825] Bug: Unable to connect to WPA enterprise wireless
Date: Wed, 6 Jun 2012 15:28:05 +0000
To: "openssl-dev@openssl.org" <openssl-dev@openssl.org>
From: Robert Dugal <rdugal@certicom.com>
This is almost identical to an issue we found with openssl 1.0.1b and
Juniper SBR version v6.13.4949.
In our case we traced it to the heartbeat extension. When the extension is
sent in the ClientHello, PEAP negotiation fails with a fatal bad certificate
alert.
By adding # define OPENSSL_NO_HEARTBEATS to opensslconf.h we disabled the
extension and PEAP negotiation is successful.

There really should be an API to disable this extension so that it can be
enabled in use cases where it is needed and disabled in use cases where it
breaks negotiation.

------------------------------------
Robert Dugal
Team Lead, Network Security
BBOS Networking Technologies
Research In Motion Limited
Office:
(289) 261-4148
Mobile:
(416) 276-8062
PIN:
25ED2948







______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majordomo@openssl.org
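An added example (my code, not from the ticket, OpenSSL or wpa_supplicant): a small C routine that parses a raw TLS ClientHello record and reports whether it carries a given extension type, which is the first thing to verify in a capture of the failing PEAP handshake before rebuilding OpenSSL with OPENSSL_NO_HEARTBEATS. The sample record below is constructed here and assumes one unfragmented handshake record.

```c
/* Added example (not OpenSSL/wpa_supplicant code): check a raw TLS ClientHello
 * record for a given extension type, e.g. heartbeat (type 15, RFC 6520),
 * the extension Robert reports as breaking PEAP against Juniper SBR. */
#include <stddef.h>
#include <string.h>

#define EXT_HEARTBEAT 15
#define U16(q) (((q)[0] << 8) | (q)[1])         /* big-endian 16-bit read */

/* Returns 1 if the ClientHello in p[0..n) lists extension `type`, 0 if it
 * does not, -1 if the record is malformed or is not a ClientHello. */
static int clienthello_has_extension(const unsigned char *p, size_t n, unsigned type)
{
    size_t i, rec_len, hs_len, end;
    if (n < 9 || p[0] != 0x16 || p[5] != 0x01) return -1;   /* handshake / ClientHello */
    rec_len = U16(p + 3);
    hs_len = ((size_t)p[6] << 16) | U16(p + 7);
    if (rec_len + 5 > n || hs_len + 4 != rec_len) return -1;
    end = 9 + hs_len;                                   /* end of ClientHello body */
    i = 9 + 2 + 32;                                     /* skip version + random */
    if (i + 1 > end) return -1;
    i += 1 + p[i];                                      /* session id */
    if (i + 2 > end) return -1;
    i += 2 + U16(p + i);                                /* cipher suites */
    if (i + 1 > end) return -1;
    i += 1 + p[i];                                      /* compression methods */
    if (i == end) return 0;                             /* no extensions block */
    if (i + 2 > end || i + 2 + U16(p + i) != end) return -1;
    i += 2;
    while (i + 4 <= end) {                              /* type(2) len(2) data */
        size_t len = U16(p + i + 2);
        if (i + 4 + len > end) return -1;
        if ((unsigned)U16(p + i) == type) return 1;
        i += 4 + len;
    }
    return i == end ? 0 : -1;
}

/* Constructed sample: TLS 1.2 ClientHello with one cipher suite and only the
 * heartbeat extension (mode 1). Writes into buf (>= 64 bytes), returns length. */
static size_t sample_clienthello(unsigned char *buf)
{
    static const unsigned char head[] = {0x16,0x03,0x01,0x00,0x34, 0x01,0x00,0x00,0x30, 0x03,0x03};
    static const unsigned char tail[] = {0x00, 0x00,0x02,0x00,0x2f, 0x01,0x00, 0x00,0x05, 0x00,0x0f,0x00,0x01,0x01};
    memset(buf, 0, 64);                                 /* 32-byte random stays zero */
    memcpy(buf, head, sizeof head);
    memcpy(buf + sizeof head + 32, tail, sizeof tail);
    return sizeof head + 32 + sizeof tail;              /* 57 bytes */
}
```

Feeding the bytes of a captured ClientHello (e.g. exported from a packet capture) to clienthello_has_extension with any other type value answers the same question for that extension.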
> [openssl-dev@openssl.org - Fri Jun 08 00:27:27 2012]:

That's rather strange behaviour: the presence of a (presumably
unsupported) extension causes a bad certificate alert? Is it just the
heartbeat extension that triggers this, or would the presence of any
unknown extension cause a similar problem?

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org