Your message dated Wed, 21 Mar 2018 23:48:41 +0100
with message-id <[email protected]>
and subject line Re: Bug#883025: Breaks wpa_supplicant on WPA-Enterprise
networks
has caused the Debian Bug report #883025,
regarding Breaks wpa_supplicant on WPA-Enterprise networks
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
883025: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=883025
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libssl1.1
Version: 1.1.0g-2
Severity: important
Tags: upstream
See https://github.com/openssl/openssl/issues/3594 ; current OpenSSL
breaks compatibility with the hook mechanism that wpa_supplicant used to
provide the passphrase for PEM keys. The net result is this:
wpa_supplicant[7178]: wlp4s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
wpa_supplicant[7178]: Enter PEM pass phrase:
wpa_supplicant[7178]: OpenSSL: tls_read_pkcs12 - Failed to use PKCS#12 file error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
wpa_supplicant[7178]: OpenSSL: pending error: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error
wpa_supplicant[7178]: OpenSSL: tls_connection_private_key - Failed to load private key error:00000000:lib(0):func(0):reason(0)
wpa_supplicant[7178]: TLS: Failed to load private key '/home/josh/.cert/priv-key-machine.pem'
wpa_supplicant[7178]: TLS: Failed to set TLS connection parameters
wpa_supplicant[7178]: EAP-TLS: Failed to initialize SSL.
wpa_supplicant[7178]: wlp4s0: EAP: Failed to initialize EAP method: vendor 0 method 13 (TLS)
wpa_supplicant[7178]: wlp4s0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
Note the "Enter PEM pass phrase:" prompt, caused by wpa_supplicant not having
an opportunity (via hooks) to supply the passphrase.
-- System Information:
Debian Release: buster/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages libssl1.1 depends on:
ii debconf [debconf-2.0] 1.5.65
ii libc6 2.25-2
libssl1.1 recommends no packages.
libssl1.1 suggests no packages.
-- debconf information excluded
--- End Message ---
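A triage sketch for the failure signature in the report above, added here and not part of the original report or of wpa_supplicant: it flags EAP attempts where the "Enter PEM pass phrase:" prompt is followed by a private key load failure and an EAP failure from the same PID. The sample log is constructed from the report's lines (wrapped lines rejoined) plus two made-up processes, 9001 and 9002; the function name is hypothetical.

```python
import re

LINE = re.compile(r"wpa_supplicant\[(?P<pid>\d+)\]: (?P<msg>.*)")
KEY_FAIL = re.compile(r"TLS: Failed to load private key '(?P<path>[^']+)'")
PROMPT = "Enter PEM pass phrase:"

# Constructed sample: pid 7178 is taken from the report; 9001 (healthy) and
# 9002 (key failure with no prompt, a different problem) are made up.
SAMPLE_LOG = """\
wpa_supplicant[7178]: wlp4s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
wpa_supplicant[7178]: Enter PEM pass phrase:
wpa_supplicant[7178]: OpenSSL: tls_connection_private_key - Failed to load private key error:00000000:lib(0):func(0):reason(0)
wpa_supplicant[7178]: TLS: Failed to load private key '/home/josh/.cert/priv-key-machine.pem'
wpa_supplicant[7178]: wlp4s0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
wpa_supplicant[9001]: wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
wpa_supplicant[9001]: wlan0: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
wpa_supplicant[9002]: wlan1: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
wpa_supplicant[9002]: TLS: Failed to load private key '/example/missing.pem'
wpa_supplicant[9002]: wlan1: CTRL-EVENT-EAP-FAILURE EAP authentication failed
"""


def find_passphrase_hook_failures(log_text):
    """Return [(pid, key_path)] for EAP attempts in which OpenSSL prompted for
    the PEM passphrase, the key then failed to load, and EAP failed."""
    state = {}      # pid -> flags for the EAP attempt currently in progress
    findings = []
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        pid, msg = int(m["pid"]), m["msg"]
        attempt = state.setdefault(pid, {"prompt": False, "key": None})
        if "CTRL-EVENT-EAP-PROPOSED-METHOD" in msg:
            state[pid] = {"prompt": False, "key": None}   # new attempt starts
        elif msg.startswith(PROMPT):
            attempt["prompt"] = True       # passphrase was not supplied by the caller
        elif (k := KEY_FAIL.search(msg)):
            attempt["key"] = k["path"]
        elif "CTRL-EVENT-EAP-FAILURE" in msg:
            # Only prompt + key failure together match this bug's signature.
            if attempt["prompt"] and attempt["key"]:
                findings.append((pid, attempt["key"]))
            state.pop(pid, None)
    return findings


if __name__ == "__main__":
    for pid, path in find_passphrase_hook_failures(SAMPLE_LOG):
        print(f"pid {pid}: passphrase prompt, then key load failure for {path}")
```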
--- Begin Message ---
On 2017-11-29 00:36:56 [+0100], Kurt Roeckx wrote:
> > wpasupplicant can't necessarily fix this upstream, because the fix would
> > break on older OpenSSL. However, Debian could potentially patch
> > wpasupplicant if we're only ever going to build against the newer
> > OpenSSL.
>
> As far as I understand it, upstream wpa could do two things:
> - Set it in the SSL_CTX before creating the SSL instead of after
> - Set it in both the SSL_CTX and SSL
I am going to close this.
wpa_supplicant used to work around a bug in openssl which does not work
once openssl fixed the bug [0].
It looks to me that wpa_supplicant fixed this in current unstable with
this [1]. I don't see a reason to keep this open since we can't do
anything about it *and* it got addressed on wpa_supplicant's side.
[0] https://github.com/openssl/openssl/issues/3594#issuecomment-305493300
[1] https://sources.debian.org/src/wpa/2:2.6-15/debian/patches/fix-pem-decryption.patch/
> Kurt
Sebastian
--- End Message ---