Unencrypted private keys are insecure error reported even when key is encrypted

Bug #1573720 reported by Steve on 2016-04-22
This bug affects 24 people
Affects: NetworkManager | Status: Fix Released | Importance: Critical
Affects: network-manager (Ubuntu) | Importance: High | Assigned to: Unassigned

Bug Description

When I enter an EAP-TLS wifi config, I get the error:

"Unencrypted private keys are insecure
The selected private key does not appear to be protected by a password. This could allow your security credentials to be compromised. Please select a password-protected private key.

(You can password-protect your private key with openssl)"

I have verified that my key is, in fact, encrypted, and I have tried using both des3 and aes256. I have also verified the password used to encrypt the key.

For a while, it wouldn't even let me save the config. I managed to save it eventually, but now when I try to connect to the saved connection, I get the same error.

I am on Ubuntu mate 16.04

network-manager 1.1.93

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: network-manager 1.1.93-0ubuntu4
ProcVersionSignature: Ubuntu 4.4.0-21.37-generic 4.4.6
Uname: Linux 4.4.0-21-generic x86_64
ApportVersion: 2.20.1-0ubuntu2
Architecture: amd64
CurrentDesktop: MATE
Date: Fri Apr 22 13:25:16 2016
InstallationDate: Installed on 2015-08-19 (246 days ago)
InstallationMedia: Ubuntu-MATE 15.04 "Vivid Vervet" - Release amd64 (20150422.1)
IpRoute:
 default via 192.168.151.254 dev eth1 proto static metric 100
 169.254.0.0/16 dev eth1 scope link metric 1000
 192.168.151.0/24 dev eth1 proto kernel scope link src 192.168.151.95 metric 100
NetworkManager.state:
 [main]
 NetworkingEnabled=true
 WirelessEnabled=true
 WWANEnabled=true
 WimaxEnabled=true
SourcePackage: network-manager
UpgradeStatus: Upgraded to xenial on 2016-04-22 (0 days ago)
nmcli-dev:
 DEVICE TYPE STATE DBUS-PATH CONNECTION CON-UUID CON-PATH
 eth1 ethernet connected /org/freedesktop/NetworkManager/Devices/2 Wired connection 1 ed50d4f9-c810-4be0-b06c-8acd58015c50 /org/freedesktop/NetworkManager/ActiveConnection/0
 wlan0 wifi disconnected /org/freedesktop/NetworkManager/Devices/1 -- -- --
 eth0 ethernet unavailable /org/freedesktop/NetworkManager/Devices/3 -- -- --
 lo loopback unmanaged /org/freedesktop/NetworkManager/Devices/0 -- -- --
nmcli-nm: Error: command ['nmcli', '-f', 'all', 'nm'] failed with exit code 2: Error: Object 'nm' is unknown, try 'nmcli help'.

Steve (smacdougall) wrote :
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in network-manager (Ubuntu):
status: New → Confirmed
Changed in network-manager (Ubuntu):
importance: Undecided → High
Sebastien Bacher (seb128) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. The issue you are reporting is an upstream one and it would be nice if somebody having it could send the bug to the developers of the software by following the instructions at https://wiki.ubuntu.com/Bugs/Upstream/GNOME. If you have done so, please tell us the number of the upstream bug (or the link), so we can add a bugwatch that will inform us about its status. Thanks in advance.

nemith (bennetb) wrote :

Added upstream bug.

Changed in network-manager:
importance: Unknown → Critical
status: Unknown → Confirmed
Sebastien Bacher (seb128) wrote :

Thanks

Changed in network-manager (Ubuntu):
status: Confirmed → Triaged
nemith (bennetb) wrote :

Applying https://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?id=9a37d1d970bf5bf1aab35468aabccb8cbfe2a39b allowed NetworkManager to connect to a preconfigured session.

However, editing the session via the applet still has issues, even after applying
https://git.gnome.org/browse/network-manager-applet/commit/?id=8e60431a7d6fc4c5545e58464e10b9131cbd3e6a

and

https://git.gnome.org/browse/network-manager-applet/commit/?id=2af8361c71416c61b96d01423b1a95d3bc692f9d

The network manager patch should be backported into Ubuntu.

Changed in network-manager:
status: Confirmed → Incomplete

This problem existed in 14.04 but was not a problem in 15.10; with 16.04 my Wifi would not connect. Company laptops. Thinkpad T450s -> does not work flawlessly with 14.04 (no support for dual monitor via docking station), 15.10 is deprecated, in 16.04 WPS Enterprise Wifi does not work, seemingly because of this bug.

This is a no-go for a distribution that wants to be used in companies. What shall I do when I need Wifi in a meeting? Of course I borrow a Windows PC from a workmate. Me and Ubuntu have the laughs on our side. :((( :/ :'(

Aron Xu (happyaron) on 2016-07-05
tags: added: desktop-trello-import
Michael Wingender (mwingender) wrote :

I think I hit this bug also, but I cannot confirm that it is not working with a DES3 encrypted key file.
I have generated encrypted key files with DES, DES3, AES128, AES192, AES256, CAMELLIA128, CAMELLIA192, CAMELLIA256 and SEED. WPA2 Enterprise configuration is working with DES, DES3 and AES128. All other key files are not accepted.


Recent updates to network-manager-gnome 1.2.0-0ubuntu0.16.04.3 corrected
the issue for me. Previous release also had issues with wpasupplicant and
eap-tls with RADIUS. This also seems to be fixed with
wpasupplicant 2.4-0ubuntu6.

--

Steve MacDougall

Sr. Systems/Network Administrator



guStaVo ZaeRa (9ust00) wrote :

I can report the same issue in Linux Mint 18, where both the packages mentioned by Steve MacDougall are in place:

[ root ] dpkg -l wpasupplicant network-manager-gnome gz-Latitude-E7240:~
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-===========================-==================-==================-============================================================
ii network-manager-gnome 1.2.0-0ubuntu0.16. amd64 network management framework (GNOME frontend)
ii wpasupplicant 2.4-0ubuntu6 amd64 client support for WPA and WPA2 (IEEE 802.11i)

This was not a problem in Linux Mint 17.3, where network-manager-gnome was in version 0.9.8.8-0ubuntu4.1-mint1, and wpasupplicant doesn't seem to be part of the default release.

Was able to implement a workaround by forcing a downgrade of network-manager-gnome:
$ sudo su -
# service network-manager stop
# dpkg --force-all -i network-manager-gnome_0.9.8.8-0ubuntu4.1-mint1_amd64.deb
# service network-manager start

it works for me! :)

guStaVo ZaeRa (9ust00) wrote :

I just want to add proof that the package was downgraded:

[ root ] dpkg -l network-manager-gnome gz-Latitude-E7240:/home/gz/Downloads
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-================================================-=============================-=============================-======================================================================================================
ii network-manager-gnome 0.9.8.8-0ubuntu4.1-mint1 amd64 network management framework (GNOME frontend)

Mark Michaelis (thragor) wrote :

I think this report is similar:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=818759

The workaround there was to downgrade to version 1.0.10-1. I am currently using (just updated some minutes ago) 1.2.0-0ubuntu0.16.04.4. This does not work either.

apt-cache madison network-manager-gnome reports three available versions:

network-manager-gnome | 1.2.0-0ubuntu0.16.04.4 | affected
network-manager-gnome | 1.2.0-0ubuntu0.16.04.3 | affected
network-manager-gnome | 1.1.93-1ubuntu1 | as reported by Steve this version is also affected

According to https://wiki.gnome.org/Projects/NetworkManager there are several other versions available:

* 1.4.0 (2016-08-24)
* 1.2.4 (2016-08-03)
* 1.0.12 (2016-04-02)

The related issue https://bugzilla.gnome.org/show_bug.cgi?id=766684 reports that version 1.0.4 is working, too.

So reported to work are:

* 0.9.8.8
* 1.0.4
* 1.0.10-1

I will check which version works for me.

Mark Michaelis (thragor) wrote :

network-manager just got updated to 1.2.2 containing a fix for this bug:

https://bugs.launchpad.net/ubuntu/+source/network-manager-applet/+bug/1575614

I assume that this issue is actually a duplicate of 1575614.

As it seems it required two steps for me to fix this problem:

* Update BIOS (here: Dell Precision 5510 updated from 1.2.10 to 1.2.14)

Having this I already was able to connect to the protected WLAN... but had to ignore some nag-screens about the "unencrypted" key.

* Update network-manager to 1.2.2 (available through system update)

Private keys are now visible in the file-chooser and I get no more complaints on the "unencrypted" key.

Changed in network-manager:
status: Incomplete → Fix Released
Krzysztof Puch (kjpuchala) wrote :

I work on Ubuntu 16.04 with all recent updates, but I still keep getting a series of these same messages:

"Unencrypted private keys are insecure - The selected private key does not appear to be protected by a password."

when I edit settings to the company's WiFi:
Security:WPA Enterprise
Authentication: TLS
+ password protected key

When I "okay" through all the messages and try to connect to the WiFi - I wait some time and then get the messages all over again.

Krzysztof Puch (kjpuchala) wrote :

UPDATE:
Concerning the 2 problems I reported:
1. Displaying message "Unencrypted private keys are insecure" for a protected key - STILL HAPPENS
2. Unable to connect using a valid key file - DOESN'T HAPPEN ANY MORE

henrythung (henrythung) wrote :

The problem still exists.
Using drag and drop, I can select the private key file, but I get the "Unencrypted private keys are insecure" message and am unable to click the "connect" button (inactive).

Any workaround yet?

Half a year later, this problem still exists.

I am really, really angry about this one. People in my company change from Ubuntu with admin rights to IT-Support controlled Windows 10 laptops, because of this bug.

Linux on Desktops is dying in our company because of this bug! I never felt so left alone in the rain with this community like with this bug.

Still getting the message. And cannot connect to the network

As a workaround, I am able (at least on this 16.10 laptop) to configure an EAP-TLS connection with no problem by avoiding the buggy GUI network manager client and creating the network profile with the command line:

nmcli connection add \
 type wifi con-name "MySSID" ifname wifi0 ssid "MySSID" -- \
 wifi-sec.key-mgmt wpa-eap 802-1x.eap tls 802-1x.identity "USERNAME" \
 802-1x.ca-cert ~/ca.pem 802-1x.client-cert ~/cert.pem \
 802-1x.private-key-password "..." 802-1x.private-key ~/key.pem

I can now run `nmcli connection up MySSID` and connect to the network without error.

Yury Rumega (yrum) wrote :

I found a workaround for that issue. What you need to do is to change the encryption algorithm of your private key to DES, like that:

openssl rsa -des3 -in keyfile.pem -out keyfile-new.pem

Don't forget to set a passphrase, and then select the new keyfile from GUI. After that, the "Unencrypted private keys are insecure" message disappears for good.

Apparently, Network Manager does not support some kinds of encryption properly.
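
Added example (not part of any comment in this thread, and not NetworkManager's own code): a small checker that reads a PEM private key file and reports whether it is encrypted and, for traditional-format keys, which cipher the DEK-Info header names, so a key can be compared with the key types the comments above report as accepted (DES, DES3, AES128) or checked after the des3 conversion. The names inspect_pem_key, REPORTED_ACCEPTED and SAMPLE_AES256 are hypothetical, and the sample key is constructed.

```python
import re

# Cipher names (as written in DEK-Info) for the key types the thread reports
# as accepted by the GUI: DES, DES3 and AES128. Taken from the comments only.
REPORTED_ACCEPTED = {"DES-CBC", "DES-EDE3-CBC", "AES-128-CBC"}

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

# Constructed sample: placeholder IV and body, not a real key.
SAMPLE_AES256 = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-----END RSA PRIVATE KEY-----
"""

def inspect_pem_key(text):
    """Report how the first private-key block in a PEM file is protected."""
    for label, body in PEM_RE.findall(text):
        if not label.endswith("PRIVATE KEY"):
            continue  # skip certificates and other PEM blocks
        if label == "ENCRYPTED PRIVATE KEY":
            # PKCS#8: the cipher is inside the DER data, not in a text header.
            return {"label": label, "encrypted": True,
                    "cipher": None, "reported_accepted": None}
        # Traditional format: "Name: value" headers precede the base64 body.
        headers = {}
        for line in body.splitlines():
            if not line.strip():
                break  # a blank line ends the header block
            if ":" in line:
                name, value = line.split(":", 1)
                headers[name.strip()] = value.strip()
        encrypted = headers.get("Proc-Type", "").replace(" ", "") == "4,ENCRYPTED"
        cipher = headers.get("DEK-Info", "").split(",")[0].upper() or None
        accepted = (cipher in REPORTED_ACCEPTED) if encrypted else None
        return {"label": label, "encrypted": encrypted,
                "cipher": cipher, "reported_accepted": accepted}
    return None  # no private-key block found

if __name__ == "__main__":
    print(inspect_pem_key(SAMPLE_AES256))
```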

Vin Perothas (vinferothas) wrote :

The workaround by Yury Rumega (yrum) helped me. Thanks.
Looking forward to the permanent fix for this issue.

Valentine (ii000314) wrote :

I found another workaround. I used "nm-connection-editor" in order to configure the connection

$ sudo nm-connection-editor

Changed in network-manager (Ubuntu):
status: Triaged → Fix Released