Hi,

On 4 Jun 2020 10:29:06 +0200 Martin Tesar <martin.te...@yourwifi.cz> wrote:
> Package: iwd
> Version: 1.7-1
>
> it looks like the IWD is not able to load trusted user certificates.
> Basically if the certificate is enclosed in
>
> -----BEGIN TRUSTED CERTIFICATE-----
> -----END TRUSTED CERTIFICATE-----
>
> I'm always getting an error "Failed to load". Once the user cert is
> converted using OpenSSL and is enclosed in
>
> -----BEGIN CERTIFICATE-----
> -----END CERTIFICATE-----
>
> it can be loaded without any problem. But such a converted certificate
> is not accepted by the RADIUS in my case.

I found upstream commit 84cae48c1bfe374c8654b23ad4e766548b9203a7 which may be
related. It was first included in (upstream) version 1.12.
Can you test whether this issue still occurs with a recent version of iwd?

> Below is the network configuration file and related syslog output
>
> [Security]
> EAP-Method=TLS
> EAP-Identity=someuser
> EAP-TLS-ClientCert=/usr/local/share/ca-certificates/user.crt
> EAP-TLS-ClientKey=/usr/local/share/ca-certificates/key.crt
> EAP-TLS-CACert=/usr/local/share/ca-certificates/root.crt

Please verify against the manpage of that recent iwd version whether this
configuration is still accurate or whether it needs to be updated.

> Jun 2 01:19:41 somehost iwd[767]: No Diffie-Hellman support found,
> WPS will not be available
> Jun 2 01:19:41 somehost iwd[767]: The following options are missing
> in the kernel:
> Jun 2 01:19:41 somehost iwd[767]: #011CONFIG_KEY_DH_OPERATIONS
> ...
> Kernel: Linux 5.6.14-v7l+ (SMP w/4 CPU cores)

This does not look like a Debian kernel, which does have the setting enabled.
May not be relevant, but mention it just in case.

Cheers,
  Diederik
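A pre-flight check for the situation discussed in this thread, added here as an example and not part of the original messages or of iwd: it reads the certificate paths from a `[Security]` section and reports which PEM block labels each file contains, flagging the `TRUSTED CERTIFICATE` form the report says fails to load. The function names, the sample paths and file bodies, and the assumption that the profile parses as a plain INI file are all hypothetical.

```python
import configparser
import re

# PEM encapsulation boundary: -----BEGIN <label>-----
PEM_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----\s*$", re.MULTILINE)

# Certificate settings from the [Security] section quoted in the report.
CERT_KEYS = ("EAP-TLS-ClientCert", "EAP-TLS-CACert")

def pem_labels(text):
    """Return the label of every PEM block in text, in order."""
    return PEM_BEGIN.findall(text)

def audit_profile(profile_text, read_file):
    """Map each certificate setting to (path, labels, needs_attention).

    read_file is any callable path -> file contents, so the same check
    works on real files or on in-memory samples as used below.
    Assumption: the profile parses as a plain INI file.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keys are mixed case; keep them as written
    cp.read_string(profile_text)
    report = {}
    for key in CERT_KEYS:
        path = cp.get("Security", key, fallback=None)
        if path is None:
            continue
        labels = pem_labels(read_file(path))
        # Flag files with no PEM block at all, or with an OpenSSL
        # "TRUSTED CERTIFICATE" block (the form reported as "Failed to load").
        flagged = not labels or "TRUSTED CERTIFICATE" in labels
        report[key] = (path, labels, flagged)
    return report

# Constructed sample data: bodies are placeholders, not real certificates.
SAMPLE_PROFILE = """[Security]
EAP-Method=TLS
EAP-TLS-ClientCert=/tmp/user.crt
EAP-TLS-CACert=/tmp/root.crt
"""
SAMPLE_FILES = {
    "/tmp/user.crt": "-----BEGIN TRUSTED CERTIFICATE-----\nAAAA\n-----END TRUSTED CERTIFICATE-----\n",
    "/tmp/root.crt": "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n",
}

if __name__ == "__main__":
    result = audit_profile(SAMPLE_PROFILE, SAMPLE_FILES.__getitem__)
    for key, (path, labels, flagged) in result.items():
        print(f"{key}: {path} {labels} {'CHECK' if flagged else 'ok'}")
```

To run it against a real profile, pass a reader such as `lambda p: open(p).read()` in place of the sample dictionary lookup.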