NM doesn't allow configuring a phase2 certificate for wpasupplicant (Was: Fail to connect with TLS and client certificate)

Bug #284409 reported by Björn Torkelsson
This bug affects 6 people
Affects: network-manager (Ubuntu)
Status: Triaged
Importance: Undecided
Assigned to: Unassigned

Bug Description

Binary package hint: network-manager

I fail to connect to the University Eduroam wireless network with TLS and a client certificate.

wpa_supplicant says it can't verify the certificate so that may be part of the problem:

Trying to associate with 00:12:44:b1:e2:1f (SSID='eduroam' freq=5220 MHz)
Authentication with 00:12:44:b1:e2:1f timed out.
CTRL-EVENT-SCAN-RESULTS
Trying to associate with 00:12:44:b1:e2:10 (SSID='eduroam' freq=2462 MHz)
Associated with 00:12:44:b1:e2:10
CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
TLS: Certificate verification failed, error 19 (self signed certificate in certificate chain) depth 2 for '/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root'
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
OpenSSL: tls_connection_handshake - SSL_connect error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
CTRL-EVENT-EAP-FAILURE EAP authentication failed
CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
TLS: Certificate verification failed, error 19 (self signed certificate in certificate chain) depth 2 for '/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root'
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
OpenSSL: tls_connection_handshake - SSL_connect error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
CTRL-EVENT-EAP-FAILURE EAP authentication failed
CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
TLS: Certificate verification failed, error 19 (self signed certificate in certificate chain) depth 2 for '/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root'
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
OpenSSL: tls_connection_handshake - SSL_connect error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
CTRL-EVENT-EAP-FAILURE EAP authentication failed
CTRL-EVENT-DISCONNECTED - Disconnect event - remove keys
Authentication with 00:00:00:00:00:00 timed out.

ProblemType: Bug
Architecture: amd64
DistroRelease: Ubuntu 8.10
NonfreeKernelModules: openafs
Package: network-manager 0.7~~svn20081015t224738-0ubuntu1
ProcEnviron:
 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
 LANG=en_DK.UTF-8
 SHELL=/bin/bash
 LC_NUMERIC=en_US.UTF-8
SourcePackage: network-manager
Uname: Linux 2.6.27-7-generic x86_64

Tags: apport-bug
Björn Torkelsson (torkel) wrote :
Alexander Sack (asac) wrote :

15:46 < asac> torkel: TLS: Certificate verification failed, error 19 (self signed certificate in certificate chain) depth 2
15:46 < asac> torkel: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
15:46 < asac> so your CA appears to be not known
15:48 < asac> torkel: http://www.madboa.com/geek/openssl/#verify-standard
15:48 < asac> torkel: can you try that?

Changed in network-manager:
status: New → Incomplete
Björn Torkelsson (torkel) wrote :

$ openssl verify -verbose -CAfile umueduroamca.pem umu_eduroam_bjto0001.pem
umu_eduroam_bjto0001.pem: OK

So, yes the certificate is OK.

However if I remove the CA certificate (I still have it in /etc/ssl/certs though) it seems to be working (I will test more tomorrow).

When trying to re-add the CA certificate in the n-m connection manager I get the following error:

Updating connection failed: client cert

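Added example; it is not part of the bug report and not NetworkManager or wpa_supplicant code. The openssl verify run above checks the client certificate against the CA file, but the failure in the wpa_supplicant log is on the server side (SSL3_GET_SERVER_CERTIFICATE, depth 2, error 19): the chain the RADIUS server sends ends in a self-signed root that is not among the certificates wpa_supplicant was given as ca_cert. The script builds a throw-away three-level PKI (every subject and file name is constructed) and runs that server-chain check with several candidate ca_cert files, including the one that reproduces "error 19 at depth 2" and the one that succeeds.

```shell
#!/bin/sh
# Added example; not from the bug report, NetworkManager or wpa_supplicant.
# Builds a throw-away PKI shaped like the chain in the log (self-signed root
# -> intermediate -> RADIUS server certificate, so the root sits at depth 2)
# and verifies the *server* certificate the way wpa_supplicant's TLS code
# does. "openssl verify -CAfile ca.pem client.pem" only checks the client
# certificate and says nothing about this. All names are constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Explicit CA and leaf extension profiles so every OpenSSL release treats the
# root and the intermediate as CAs.
cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
commonName = Common Name
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[server_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF

# issue NAME SUBJECT EXT_SECTION ISSUER   (ISSUER "" means self-signed)
issue() {
    openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
        -subj "$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null
    if [ -z "$4" ]; then
        openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 2 \
            -extfile pki.cnf -extensions "$3" -out "$1.pem" 2>/dev/null
    else
        openssl x509 -req -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" \
            -CAcreateserial -days 2 -extfile pki.cnf -extensions "$3" \
            -out "$1.pem" 2>/dev/null
    fi
}

issue root   "/O=Example Trust/CN=Example Global Root"        ca_ext     ""
issue inter  "/O=Example University/CN=Example University CA" ca_ext     root
issue server "/O=Example University/CN=radius.example.edu"    server_ext inter
issue other  "/O=Somewhere Else/CN=Unrelated Root"            ca_ext     ""

# What the RADIUS server hands over during the EAP-TLS handshake: everything
# above its own certificate, self-signed root included.
cat inter.pem root.pem > sent_chain.pem
# A ca_cert bundle carrying the whole issuing chain.
cat root.pem inter.pem > ca_bundle.pem

# Run the server-certificate check: $1 plays the file given to wpa_supplicant
# as ca_cert, the received chain is untrusted input. Prints OpenSSL's verdict
# and returns its exit status (0 only for a trusted chain).
verify_server_chain() {
    openssl verify -CAfile "$1" -untrusted sent_chain.pem server.pem 2>&1
}

echo "== ca_cert = the self-signed root (trusted)"
verify_server_chain root.pem || true
echo "== ca_cert = intermediate + root (trusted)"
verify_server_chain ca_bundle.pem || true
echo "== ca_cert = intermediate only (rejected: the chain has to end in a"
echo "   self-signed certificate that is itself in ca_cert; a trusted"
echo "   intermediate alone is not enough without partial-chain verification)"
verify_server_chain inter.pem || true
echo "== ca_cert = an unrelated CA (error 19 at depth 2, the symptom in the"
echo "   log: the received chain ends in a self-signed root nobody trusts)"
verify_server_chain other.pem || true
```

The practical consequence for the case in the log: the file handed to wpa_supplicant as ca_cert has to contain the self-signed root the server chain reaches at depth 2 (GTE CyberTrust Global Root here), with the intermediate optionally bundled in. A copy in /etc/ssl/certs does not help on its own, because wpa_supplicant verifies only against the ca_cert or ca_path it is configured with, and its configuration documentation states that with neither set the server certificate is not verified at all.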
Alexander Sack (asac) wrote :

Latest comments in bug 272185 look similar. That's about wireless + TLS (EAP), I think.

Alexander Sack (asac) wrote :

OK. As you commented in 272185, this is a dupe. Let's continue there.

Changed in network-manager:
status: Incomplete → Triaged
Alberto (apedraza) wrote :

Alexander, I don't think that this bug is the same as 272185. It might be related but it is not the same.

I have the problem that when setting up a WPA2/EAP/TLS network in nm 0.7, I get an error when I try to save the setup.

The error is in the wireless security tab. After completing the login information, selecting the 3 certificates (user cert, CA cert and PK cert) and specifying the private key password, I press OK and I get: Updating Connection Failed: client-cert.

This has been happening since nm 0.7 in hardy when I was testing this summer. It continues to this day.

Alberto (apedraza) wrote :

Ok. I checked again. The bug in the GUI only happens when you try to edit the settings already in place. It does not happen when you first create the EAP network.

Kartoch (kartoch) wrote :

I'm not sure it's really solved.

If I try to connect with a fresh setup from the network manager GUI, it works but /var/log/wpa_supplicant.log contains:

CTRL-EVENT-SCAN-RESULTS
Associated with 00:1e:be:a7:f6:90
CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected
OpenSSL: tls_connection_handshake - Failed to read possible Application Data error:00000000:lib(0):func(0):reason(0)
CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
WPA: Key negotiation completed with 00:1e:be:a7:f6:90 [PTK=TKIP GTK=TKIP]
CTRL-EVENT-CONNECTED - Connection to 00:1e:be:a7:f6:90 completed (reauth) [id=0 id_str=]

So it seems it didn't succeed in validating the certificate... but it continues (dangerous)

If I try to update the settings, it doesn't work because of a self-certificate in the certificate chain:

Associated with 00:1e:be:a8:38:20
CTRL-EVENT-SCAN-RESULTS
CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected
TLS: Certificate verification failed, error 19 (self signed certificate in certificate chain) depth 2 for '/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root'
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
OpenSSL: tls_connection_handshake - SSL_connect error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
CTRL-EVENT-EAP-FAILURE EAP authentication failed
CTRL-EVENT-DISCONNECTED - Disconnect event - remove keys

So my hypothesis is that we have two bugs:

- one with no validation of certificate when settings are new
- one with strange validation of root certificate (of course it's a self certificate! ;-)
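
Added example, not from the bug report: two wpa_supplicant network blocks written directly in wpa_supplicant.conf syntax (bypassing NetworkManager) for an eduroam-style EAP-TTLS login. The first is what a connection without a CA certificate amounts to: wpa_supplicant's own configuration documentation states that if ca_cert and ca_path are not set, the server certificate is not verified, which matches the "connects but never validates" case in the previous comment. The second adds server validation and the phase-2 (inner EAP-TLS) certificate options, ca_cert2/client_cert2/private_key2, that the bug title refers to. Identity, realm, file paths and the server subject are placeholders.

```conf
# Added example (not from the bug report); all identities and paths are
# placeholders.

# (a) No ca_cert: the server certificate is not verified at all, so the
#     inner credentials go to whichever RADIUS server answers on "eduroam".
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="user@example.edu"
    anonymous_identity="anonymous@example.edu"
    phase2="auth=MSCHAPV2"
    password="REPLACE-ME"
}

# (b) Server validation on: ca_cert is a bundle that ends in the self-signed
#     root (the certificate at depth 2 in the log); subject_match is a
#     substring check on the server certificate's subject. The inner method
#     is EAP-TLS, configured through the phase-2 (*2) options that the
#     NetworkManager dialog did not expose.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="user@example.edu"
    anonymous_identity="anonymous@example.edu"
    ca_cert="/etc/ssl/certs/eduroam-chain.pem"
    subject_match="/CN=radius.example.edu"
    phase2="autheap=TLS"
    ca_cert2="/etc/ssl/certs/eduroam-chain.pem"
    client_cert2="/home/user/.certs/eduroam-client.pem"
    private_key2="/home/user/.certs/eduroam-client.key"
    private_key2_passwd="REPLACE-ME"
}
```

subject_match matches a substring of the server certificate's subject in OpenSSL's one-line form, so pin the complete CN rather than a fragment. wpa_supplicant 2.1 and later also provide domain_suffix_match, which checks the server's name properly and is the better choice where that version is available.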
