[Bug 1823053] Re: wpasupplicant 2.6 w/ openssl 1.1.1 triggers TLSv1.3 version intolerance on WPA2-Enterprise networks on Cosmic and Disco
Thank you for taking the time to report this bug and helping to make Ubuntu better. However, I am closing it because the bug has been fixed in the latest development version of Ubuntu. This is a significant bug in Ubuntu. If you need a fix for the bug in previous versions of Ubuntu, please perform as much as possible of the SRU Procedure [1] to bring the need to a developer's attention. [1]: https://wiki.ubuntu.com/StableReleaseUpdates#Procedure ** Changed in: wpa (Ubuntu) Importance: Undecided => High ** Changed in: wpa (Ubuntu) Status: New => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1823053 Title: wpasupplicant 2.6 w/ openssl 1.1.1 triggers TLSv1.3 version intolerance on WPA2-Enterprise networks on Cosmic and Disco To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/wpa/+bug/1823053/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1823053] Re: wpasupplicant 2.6 w/ openssl 1.1.1 triggers TLSv1.3 version intolerance on WPA2-Enterprise networks on Cosmic and Disco
> Sadly, there are RADIUS servers which suffer from TLS version intolerance and will refuse authentication when the client offers TLS 1.3 This statement is completely missing the point. There are *no standards available* for using TLS 1.3 with *any* EAP method. The IETF is working on them, but they are in flux, and have not yet been published. EAP-TLS and TLS 1.3 is being defined here: https://tools.ietf.org/html /draft-ietf-emu-eap-tls13-05 TLS 1.3 for other EAP methods is being defined here: https://tools.ietf.org/html/draft-dekok-emu-tls-eap-types-00 > still, this is a bug that should be fixed in Ubuntu, preferably by backporting wpasupplicant 2.7. The bug is that the shipped versions wpasupplicant and FreeRADIUS allow negotiation of TLS 1.. Even though the standards that defining TLS 1.3 with EAP didn't exist. This issue only happens in older versions of the software. For FreeRADIUS, it's 3.0.15 and before. i.e. this was fixed two years ago in 3.0.16. The solution for the distributions is one of two paths: 1. Upgrade to newer versions of the software that disable support for TLS 1.3 by default 2. Patch the older versions of the software to disable TLS 1.3 by default -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1823053 Title: wpasupplicant 2.6 w/ openssl 1.1.1 triggers TLSv1.3 version intolerance on WPA2-Enterprise networks on Cosmic and Disco To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/wpa/+bug/1823053/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1823053] Re: wpasupplicant 2.6 w/ openssl 1.1.1 triggers TLSv1.3 version intolerance on WPA2-Enterprise networks on Cosmic and Disco
It seems this is also applicable to ubuntu bionic since openssl 1.1.1 landed in bionic-updates. We have bionic clients that cannot connect to the enterprise wifi because they attempt TLS 1.3. Recompiling openssl with the "no-tls1_3" Configure option fixes the problem. See also https://github.com/FreeRADIUS/freeradius-server/issues/2385 ** Bug watch added: github.com/FreeRADIUS/freeradius-server/issues #2385 https://github.com/FreeRADIUS/freeradius-server/issues/2385 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1823053 Title: wpasupplicant 2.6 w/ openssl 1.1.1 triggers TLSv1.3 version intolerance on WPA2-Enterprise networks on Cosmic and Disco To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/wpa/+bug/1823053/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs