Bug#883025: [Pkg-openssl-devel] Bug#883025: Breaks wpa_supplicant on WPA-Enterprise networks
On Tue, Nov 28, 2017 at 03:15:06PM -0800, Josh Triplett wrote:
> On Wed, Nov 29, 2017 at 12:05:35AM +0100, Kurt Roeckx wrote:
> > On Tue, Nov 28, 2017 at 02:12:07PM -0800, Josh Triplett wrote:
> > > Package: libssl1.1
> > > Version: 1.1.0g-2
> > > Severity: important
> > > Tags: upstream
> > >
> > > See https://github.com/openssl/openssl/issues/3594 ; current OpenSSL
> > > breaks compatibility with the hook mechanism that wpa_supplicant used to
> > > provide the passphrase for PEM keys. The net result is this:
> >
> > My understanding from reading that bug is that wpa supplicant
> > would fix it?
>
> wpasupplicant can't necessarily fix this upstream, because the fix would
> break on older OpenSSL. However, Debian could potentially patch
> wpasupplicant if we're only ever going to build against the newer
> OpenSSL.

As far as I understand it, upstream wpa could do two things:
- Set it in the SSL_CTX before creating the SSL instead of after
- Set it in both the SSL_CTX and SSL

Kurt
Bug#883025: [Pkg-openssl-devel] Bug#883025: Breaks wpa_supplicant on WPA-Enterprise networks
On Wed, Nov 29, 2017 at 12:05:35AM +0100, Kurt Roeckx wrote:
> On Tue, Nov 28, 2017 at 02:12:07PM -0800, Josh Triplett wrote:
> > Package: libssl1.1
> > Version: 1.1.0g-2
> > Severity: important
> > Tags: upstream
> >
> > See https://github.com/openssl/openssl/issues/3594 ; current OpenSSL
> > breaks compatibility with the hook mechanism that wpa_supplicant used to
> > provide the passphrase for PEM keys. The net result is this:
>
> My understanding from reading that bug is that wpa supplicant
> would fix it?

wpasupplicant can't necessarily fix this upstream, because the fix would
break on older OpenSSL. However, Debian could potentially patch
wpasupplicant if we're only ever going to build against the newer
OpenSSL.
Bug#883025: [Pkg-openssl-devel] Bug#883025: Breaks wpa_supplicant on WPA-Enterprise networks
On Tue, Nov 28, 2017 at 02:12:07PM -0800, Josh Triplett wrote:
> Package: libssl1.1
> Version: 1.1.0g-2
> Severity: important
> Tags: upstream
>
> See https://github.com/openssl/openssl/issues/3594 ; current OpenSSL
> breaks compatibility with the hook mechanism that wpa_supplicant used to
> provide the passphrase for PEM keys. The net result is this:

My understanding from reading that bug is that wpa supplicant
would fix it?

I see that it's been backported to the 1.0.2 release, not sure if
that's in stable and oldstable already or not. I should update the
version, but maybe it's better to wait.

Kurt
Bug#883025: Breaks wpa_supplicant on WPA-Enterprise networks
Package: libssl1.1
Version: 1.1.0g-2
Severity: important
Tags: upstream

See https://github.com/openssl/openssl/issues/3594 ; current OpenSSL
breaks compatibility with the hook mechanism that wpa_supplicant used to
provide the passphrase for PEM keys. The net result is this:

wpa_supplicant[7178]: wlp4s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
wpa_supplicant[7178]: Enter PEM pass phrase:
wpa_supplicant[7178]: OpenSSL: tls_read_pkcs12 - Failed to use PKCS#12 file error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
wpa_supplicant[7178]: OpenSSL: pending error: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error
wpa_supplicant[7178]: OpenSSL: tls_connection_private_key - Failed to load private key error::lib(0):func(0):reason(0)
wpa_supplicant[7178]: TLS: Failed to load private key '/home/josh/.cert/priv-key-machine.pem'
wpa_supplicant[7178]: TLS: Failed to set TLS connection parameters
wpa_supplicant[7178]: EAP-TLS: Failed to initialize SSL.
wpa_supplicant[7178]: wlp4s0: EAP: Failed to initialize EAP method: vendor 0 method 13 (TLS)
wpa_supplicant[7178]: wlp4s0: CTRL-EVENT-EAP-FAILURE EAP authentication failed

Note the "Enter PEM pass phrase:" prompt, caused by wpa_supplicant not
having an opportunity (via hooks) to supply the passphrase.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libssl1.1 depends on:
ii  debconf [debconf-2.0]  1.5.65
ii  libc6                  2.25-2

libssl1.1 recommends no packages.

libssl1.1 suggests no packages.

-- debconf information excluded