Re: can't connect to eduroam due to SSL3 unsupported protocol

2024-06-21 Thread davenull

Hello

On 2024-06-17 16:14, Vincent Lefevre wrote:
> On 2024-06-17 08:26:39 -0400, Dan Ritter wrote:
> > On stable:
> > $ openssl list -disabled
> > Disabled algorithms:
> > IDEA
> > MD2
> > MDC2
> > RC5
> > SCTP
> > SSL3
> > ZLIB
> >
> > So, SSL3 support was removed at least that long ago. I think it
> > was actually dropped around 2016.
>
> That's strange because when I installed the machine in October,
> there were no issues.


SSL v3 was deprecated years ago and replaced by TLS. SSLv3 support in
Debian was dropped a while ago, as in most OSes (except obsolete ones,
from 2016 and before).

Even TLS 1.0 and 1.1 should be avoided whenever possible.

Maybe it worked because it used correct configuration/hardware/software.
If it supports SSLv3 and not TLS, it's outdated software.

The best thing you could do is to

- try Debian stable from a live USB to check if it also tries to use SSLv3
  If it tries to use SSLv3 as well, chances are the authentication
  server only offers SSLv3 and is outdated
  If it doesn't and it connects using TLS (preferably v1.2 or 1.3), maybe
  there is a bug in unstable, which leads the client (Debian unstable) to
  try to use SSLv3 (erratically)
- contact your uni's eduroam support to see if anything changed since last
  October




Re: can't connect to eduroam due to SSL3 unsupported protocol

2024-06-20 Thread Marco Moock
On 20.06.2024 at 11:05:10, Vincent Lefevre wrote:

> I've got a confirmation that their Radius servers still use SSL3,
> and they said that they could not upgrade them.

Then they have very, very outdated stuff. Talk to the security
department at your site, maybe they make them hurry up.



Re: can't connect to eduroam due to SSL3 unsupported protocol

2024-06-20 Thread Vincent Lefevre
On 2024-06-17 15:08:54 -0400, Dan Ritter wrote:
> Vincent Lefevre wrote: 
> > On 2024-06-17 08:26:39 -0400, Dan Ritter wrote:
> > > On stable:
> > > $ openssl list -disabled
> > > Disabled algorithms:
> > > IDEA
> > > MD2
> > > MDC2
> > > RC5
> > > SCTP
> > > SSL3
> > > ZLIB
> > > 
> > > So, SSL3 support was removed at least that long ago. I think it
> > > was actually dropped around 2016.
> > 
> > That's strange because when I installed the machine in October,
> > there were no issues.
> 
> Perhaps the change is not in your system but in theirs?

I've got a confirmation that their Radius servers still use SSL3,
and they said that they could not upgrade them.

But perhaps the authentication is done differently when I connect
locally (still using eduroam)?

I could try again locally if need be.

-- 
Vincent Lefèvre  - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)



Re: can't connect to eduroam due to SSL3 unsupported protocol

2024-06-17 Thread Dan Ritter
Vincent Lefevre wrote: 
> On 2024-06-17 08:26:39 -0400, Dan Ritter wrote:
> > On stable:
> > $ openssl list -disabled
> > Disabled algorithms:
> > IDEA
> > MD2
> > MDC2
> > RC5
> > SCTP
> > SSL3
> > ZLIB
> > 
> > So, SSL3 support was removed at least that long ago. I think it
> > was actually dropped around 2016.
> 
> That's strange because when I installed the machine in October,
> there were no issues.

Perhaps the change is not in your system but in theirs?

-dsr-



Re: can't connect to eduroam due to SSL3 unsupported protocol

2024-06-17 Thread Nicolas George
Richard (12024-06-17):
> There is a coordination, so you can use the same login data all over the
> world. At least that's how it's supposed to work. But afaik the protocols
> themselves aren't predefined. That's up to the local IT department how they
> implement this. Authentication should always be done locally, with
> synchronization between facilities. At least to my understanding, but I'm
> no eduroam professional.

That would require that all establishments download and keep in sync the
whole database of users of all other establishments. That is not
sustainable, and I am not even talking about the privacy concerns.

What happens is the local Radius for Eduroam forwards the authentication
request to the Radius from the origin institution.

For example, if the security officer of here.edu knows there was an
incident on a local Eduroam IP, they can know it was authenticated for
“anonym...@somewhere-else.edu”, and they need to ask the security
officer of somewhere-else.edu to get further details.


> On Mon, 17 June 2024 at 17:02, Vincent Lefevre <
> vinc...@vinc17.net> wrote:

Please do not top-post.

Regards,

-- 
  Nicolas George



Re: can't connect to eduroam due to SSL3 unsupported protocol

2024-06-17 Thread Richard
There is a coordination, so you can use the same login data all over the
world. At least that's how it's supposed to work. But afaik the protocols
themselves aren't predefined. That's up to the local IT department how they
implement this. Authentication should always be done locally, with
synchronization between facilities. At least to my understanding, but I'm
no eduroam professional.

Richard

On Mon, 17 June 2024 at 17:02, Vincent Lefevre <
vinc...@vinc17.net> wrote:

> Isn't the authentication done by the remote side, thus will always
> require the same protocol for a given account?
>
> --
> Vincent Lefèvre  - Web: 
> 100% accessible validated (X)HTML - Blog: 
> Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
>
>


Re: can't connect to eduroam due to SSL3 unsupported protocol

2024-06-17 Thread Vincent Lefevre
On 2024-06-17 10:18:09 -0400, Stefan Monnier wrote:
> > Under Debian/unstable, I can't connect to eduroam due to the following
> > reason:
> 
> AFAIK, while "the eduroam" looks like one thing it's just a bunch of
> local wifi networks, each one administered mostly independently
> and with different configurations.  By and large, if you can connect to
> eduroam at one place it's likely it'll also work elsewhere but it's not
> always the case.

Isn't the authentication done by the remote side, thus will always
require the same protocol for a given account?

-- 
Vincent Lefèvre  - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)



Re: can't connect to eduroam due to SSL3 unsupported protocol

2024-06-17 Thread Stefan Monnier
> Under Debian/unstable, I can't connect to eduroam due to the following
> reason:

AFAIK, while "the eduroam" looks like one thing it's just a bunch of
local wifi networks, each one administered mostly independently
and with different configurations.  By and large, if you can connect to
eduroam at one place it's likely it'll also work elsewhere but it's not
always the case.


Stefan



Re: can't connect to eduroam due to SSL3 unsupported protocol

2024-06-17 Thread Vincent Lefevre
On 2024-06-17 08:26:39 -0400, Dan Ritter wrote:
> On stable:
> $ openssl list -disabled
> Disabled algorithms:
> IDEA
> MD2
> MDC2
> RC5
> SCTP
> SSL3
> ZLIB
> 
> So, SSL3 support was removed at least that long ago. I think it
> was actually dropped around 2016.

That's strange because when I installed the machine in October,
there were no issues.

-- 
Vincent Lefèvre  - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)



Re: can't connect to eduroam due to SSL3 unsupported protocol

2024-06-17 Thread Richard
If your university still uses SSL 3.x instead of TLS there might be
something wrong.

You could check on cat.eduroam.org if there's an installer for your
university, that's usually the easiest way to set up eduroam. On paper,
Debian does support PWD, but in reality I was never able to use it, while
on Android that method isn't an issue.

But in the end, on sid, things are expected to break. So a bug report
through the official channels should be the right way, if it's something
that isn't explicitly unsupported.

Richard


On Mon, Jun 17, 2024, 14:07 Vincent Lefevre  wrote:

> Hi,
>
> Under Debian/unstable, I can't connect to eduroam due to the following
> reason:
>
> Jun 17 13:58:31 qaa wpa_supplicant[1184]: wlp0s20f3:
> CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
> Jun 17 13:58:31 qaa wpa_supplicant[1184]: wlp0s20f3: CTRL-EVENT-EAP-METHOD
> EAP vendor 0 method 25 (PEAP) selected
> Jun 17 13:58:31 qaa wpa_supplicant[1184]: SSL: SSL3 alert: write (local
> SSL3 detected an error):fatal:protocol version
> Jun 17 13:58:31 qaa wpa_supplicant[1184]: OpenSSL: openssl_handshake -
> SSL_connect error:0A000102:SSL routines::unsupported protocol
> Jun 17 13:58:36 qaa wpa_supplicant[1184]: wlp0s20f3:
> CTRL-EVENT-EAP-FAILURE EAP authentication failed
>
> Anyone knows what's wrong?
>
> (There were such kinds of issues several years ago, but I thought
> this was fixed.)
>
> --
> Vincent Lefèvre  - Web: 
> 100% accessible validated (X)HTML - Blog: 
> Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
>
>


Re: can't connect to eduroam due to SSL3 unsupported protocol

2024-06-17 Thread Dan Ritter
Vincent Lefevre wrote: 
> Hi,
> 
> Under Debian/unstable, I can't connect to eduroam due to the following
> reason:
> 
> Jun 17 13:58:31 qaa wpa_supplicant[1184]: wlp0s20f3: 
> CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
> Jun 17 13:58:31 qaa wpa_supplicant[1184]: wlp0s20f3: CTRL-EVENT-EAP-METHOD 
> EAP vendor 0 method 25 (PEAP) selected
> Jun 17 13:58:31 qaa wpa_supplicant[1184]: SSL: SSL3 alert: write (local SSL3 
> detected an error):fatal:protocol version
> Jun 17 13:58:31 qaa wpa_supplicant[1184]: OpenSSL: openssl_handshake - 
> SSL_connect error:0A000102:SSL routines::unsupported protocol
> Jun 17 13:58:36 qaa wpa_supplicant[1184]: wlp0s20f3: CTRL-EVENT-EAP-FAILURE 
> EAP authentication failed
> 
> Anyone knows what's wrong?
> 
> (There were such kinds of issues several years ago, but I thought
> this was fixed.)

On stable:
$ openssl list -disabled
Disabled algorithms:
IDEA
MD2
MDC2
RC5
SCTP
SSL3
ZLIB

So, SSL3 support was removed at least that long ago. I think it
was actually dropped around 2016.

The problem is almost certainly that someone at the eduroam
server config doesn't know the difference between SSL3 and
TLS1.3, or something similar. You'll need to talk to them about
why they haven't enabled TLS1, 1.1, 1.2 or 1.3 -- of these, only
1.2 and 1.3 are recommended.

-dsr-
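
Added example, not part of any message in this thread: a small triage script that parses the wpa_supplicant lines quoted above, decodes the OpenSSL 3.x error code `0A000102` into its library and reason numbers, and reports which side sent the TLS alert. The function names and the result layout are assumptions made for this illustration.

```python
import re

# Sample input: the wpa_supplicant lines from the original post, with the
# mail client's line wrapping undone.
SAMPLE_LOG = """\
Jun 17 13:58:31 qaa wpa_supplicant[1184]: wlp0s20f3: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
Jun 17 13:58:31 qaa wpa_supplicant[1184]: wlp0s20f3: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
Jun 17 13:58:31 qaa wpa_supplicant[1184]: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:protocol version
Jun 17 13:58:31 qaa wpa_supplicant[1184]: OpenSSL: openssl_handshake - SSL_connect error:0A000102:SSL routines::unsupported protocol
Jun 17 13:58:36 qaa wpa_supplicant[1184]: wlp0s20f3: CTRL-EVENT-EAP-FAILURE EAP authentication failed
"""

ERR_LIB_SSL = 20                  # OpenSSL library number for "SSL routines"
SSL_R_UNSUPPORTED_PROTOCOL = 258  # reason code 0x102

METHOD_RE = re.compile(r"CTRL-EVENT-EAP-METHOD EAP vendor \d+ method (\d+) \((\w[\w-]*)\) selected")
ALERT_RE = re.compile(r"SSL3 alert: (read|write) \([^)]*\):(\w+):(.+)$")
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):[^:]*:(.+)$")

def decode_openssl3_error(code_hex):
    """Split an OpenSSL 3.x packed error code into (library, reason)."""
    code = int(code_hex, 16)
    return (code >> 23) & 0xFF, code & 0x7FFFFF

def triage(log_text):
    """Summarise one failed EAP-TLS handshake from wpa_supplicant log lines."""
    result = {"eap_method": None, "alert": None, "openssl": None, "eap_failed": False}
    for line in log_text.splitlines():
        if m := METHOD_RE.search(line):
            result["eap_method"] = m.group(2)
        elif m := ALERT_RE.search(line):
            # "write" = alert sent by this client, "read" = alert received from the peer
            sender = "local" if m.group(1) == "write" else "peer"
            result["alert"] = {"sent_by": sender, "level": m.group(2), "desc": m.group(3)}
        elif m := ERR_RE.search(line):
            lib, reason = decode_openssl3_error(m.group(1))
            result["openssl"] = {"lib": lib, "reason": reason, "text": m.group(3)}
        elif "CTRL-EVENT-EAP-FAILURE" in line:
            result["eap_failed"] = True
    err = result["openssl"]
    result["tls_version_mismatch"] = bool(
        result["eap_failed"] and err
        and (err["lib"], err["reason"]) == (ERR_LIB_SSL, SSL_R_UNSUPPORTED_PROTOCOL))
    return result

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

On the quoted log this reports a fatal `protocol version` alert sent by the local client during PEAP. These lines show that the client rejected the protocol version, but they do not name the version the server offered.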



Re: can't connect to eduroam due to SSL3 unsupported protocol

2024-06-17 Thread Marco Moock
On 17.06.2024 at 14:07:13, Vincent Lefevre wrote:

> Anyone knows what's wrong?

If they really rely on SSL3.0 it is the fault of the network operator
because that protocol is outdated, has some vulnerabilities and has been
deprecated for years. Most systems have it disabled by default.

-- 
Regards
Marco

Send unsolicited bulk mail to 1718626033mu...@cartoonies.org