[SRU]Can't select p12 secret key for TLS auth for 802.1X authentication

Bug #1575614 reported by Arkady on 2016-04-27
This bug affects 21 people
Affects Status Importance Assigned to Milestone
NetworkManager
Fix Released
Medium
network-manager (Ubuntu)
Medium
Unassigned
Xenial
Low
Aron Xu
network-manager-applet (Ubuntu)
High
Aron Xu
Xenial
High
Aron Xu

Bug Description

[Impact]

Users cannot select TLS certificate when connecting to a network that requires TLS type 802.1X authentication

[Test case]
STR:
1. Click on Connections icon in status panel
2. Click on Edit connections
3. Select Wired connection
4. Go to 802.1x tab
5. Check the Use 802.1X checkbox
6. Choose TLS
7. Click on Secret key button
8. In file chooser navigate to the folder where key is located and try to select key file - the list is empty

For wifi connection:
1. Click on Connections icon in status panel
2. Click on Edit connections
3. Select Wi-Fi connection
4. Go to Wi-Fi Security tab
5. Select WPA & WPA2 Enterprise in the drop-down list
6. Choose TLS
7. Click on (None) next to Private key
8. In file chooser navigate to the folder where key is located and try to select key file - the list is empty

[Regression Potential]
The fix is quite straightforward and the possibility of causing regression is limited.

Ervin (ervin-kamberoski) wrote :

Hello Arcady,

Would you mind sharing the procedure you used to configure the network manually with wpa_supplicant?

Thank you.

Ervin

Arkady (arkann1985) wrote :

Hello Ervin,

Sure. Here are the steps I used to configure wired connection:
1. place your certificate, CA certificate and secret key files in some directory (in my case it is ~/.certs)
2. create file /etc/wpa_supplicant/wired.conf using sudo with the following content:

ctrl_interface=/var/run/wpa_supplicant
eapol_version=1
ap_scan=0
network={
eapol_flags=0
key_mgmt=IEEE8021X
eap=TLS
identity="<username>@<domain>"
ca_cert="/home/<user>/.certs/<ca_cert>.pem"
client_cert="/home/<user>/.certs/<certificate>.crt"
private_key="/home/<user>/.certs/<private_key>.pem"
private_key_passwd="<password>"
}

3. test wpa_supplicant with the following commands:
sudo wpa_supplicant -c /etc/wpa_supplicant/wired.conf -i eth<N> -B -D wired
sudo dhclient eth<N>

If internet now works then proceed to the next step

4. add the following lines to file /etc/network/interfaces
auto eth<N>
iface eth<N> inet dhcp
    pre-up wpa_supplicant -c/etc/wpa_supplicant/wired.conf -ieth<N> -D wired -B > /var/log/ifup_wpa1.log 2> /var/log/ifup_wpa2.log

For wireless network wpa_supplicant config file should be like:

ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
eapol_version=1
ap_scan=1
fast_reauth=1
network={
        ssid="<network_ssid>"
        scan_ssid=1
        key_mgmt=WPA-EAP
        proto=WPA2
        pairwise=CCMP
        group=CCMP
        eap=TLS
        identity="<username>@<domain>"
        ca_cert="/home/<user>/.certs/<ca_cert>.pem"
        client_cert="/home/<user>/.certs/<certificate>.crt"
        private_key="/home/<user>/.certs/<private_key>.pem"
        private_key_passwd="<password>"
        priority=1
}

Ervin (ervin-kamberoski) wrote :

Arcady, thank you for your help! I succeeded to get it working.

Best Regards,

Ervin

Mat (mathieu-lemaitre) wrote :

Same problem here, for a wifi eap-tls connection: I can't select the private key, the list is empty.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in network-manager-openvpn (Ubuntu):
status: New → Confirmed
Konstal (konni33100) wrote :

I can confirm this problem. The secret key won't show up in the file selector. The file format (.key, .pem or .p12) does not matter.

Another Problem is: When a ca-cert file is selected and a password is being typed in, the network create dialog crashes.

summary: - Can't select secret key for TLS auth on wired connection
+ Can't select secret key for TLS auth on wired or wifi connection
Konstal (konni33100) on 2016-05-17
tags: added: wifi
tags: removed: wifi

This bug prevents me from connecting to eduroam university wifi connection.

Konstal (konni33100) on 2016-05-17
description: updated
Konstal (konni33100) on 2016-05-19
affects: network-manager-openvpn (Ubuntu) → network-manager-applet (Ubuntu)
Konstal (konni33100) wrote :

Hello Arkady,

the bug is located at the network-manager-applet package, because it is handling the TLS settings applet.

Here is a workaround to see all files in the file selector. This is not a complete fix.

1. Make sure you can download source packages. See more information here: http://askubuntu.com/questions/28372/how-do-i-get-and-modify-the-source-code-of-packages-installed-through-apt-get

2. Open commandline, create an empty folder and 'cd' to it.

3. Get the source code of the package:
apt-get source network-manager-gnome

4. Apply the patch attached to this comment, first download the patch file to current folder, then:
patch < file-selector-workaround.patch

5. Get build dependencies for this package:
sudo apt-get build-dep network-manager-gnome

6. Build package with workaround:
cd network-manager-applet-1.2.0
dpkg-buildpackage -rfakeroot -uc -b

7. Install modified package:
cd ..
sudo dpkg -i network-manager-gnome_1.2.0-0ubuntu0.16.04.1_amd64.deb

8. Reboot and now the file selector will show the key files for wifi and wired configuration.

The attachment "workaround patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Sebastien Bacher (seb128) wrote :

Thank you for your bug report, indeed that's a bug and it has been reported/fixed upstream

n-m commit
https://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?id=9a37d1d970bf5bf1aab35468aabccb8cbfe2a39b

n-m-applet one
https://git.gnome.org/browse/network-manager-applet/commit/?h=nma-1-2&id=037c5721d89b20c46ecc53e05d9867fd4d969412

bug
https://bugzilla.gnome.org/show_bug.cgi?id=763578

Aron, can you make sure the fix is part of the next xenial SRU round?

Changed in network-manager-applet (Ubuntu):
importance: Undecided → High
status: Confirmed → In Progress
assignee: nobody → Aron Xu (happyaron)
Changed in network-manager-applet:
importance: Unknown → Medium
status: Unknown → Fix Released
Sebastien Bacher (seb128) wrote :
Changed in network-manager-applet (Ubuntu):
status: In Progress → Fix Released
Sebastien Bacher (seb128) wrote :

SRU is in the review queue as well

Aron Xu (happyaron) on 2016-05-25
summary: - Can't select secret key for TLS auth on wired or wifi connection
+ [SRU]Can't select secret key for TLS auth for 802.1X authentication
Aron Xu (happyaron) on 2016-05-25
description: updated
Changed in network-manager-applet (Ubuntu Xenial):
assignee: nobody → Aron Xu (happyaron)
importance: Undecided → High
status: New → In Progress

Hello Arkady, or anyone else affected,

Accepted network-manager-applet into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/network-manager-applet/1.2.0-0ubuntu0.16.04.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in network-manager-applet (Ubuntu Xenial):
status: In Progress → Fix Committed
tags: added: verification-needed

I updated network-manager-gnome to the latest version 1.2.0-0ubuntu0.16.04.2 from the proposed repository. Now I can select only .p12 files, .pem files are still not showing. Should I do something else?

Arkady (arkann1985) on 2016-05-26
tags: added: verification-failed
removed: verification-needed
Mat (mathieu-lemaitre) wrote :

I've tested the new version, but I can't select my private key either. It's a .key file in my case.

Hello Arkady, or anyone else affected,

Accepted network-manager-applet into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/network-manager-applet/1.2.0-0ubuntu0.16.04.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: removed: verification-failed
tags: added: verification-needed

Hello Adam,

thank you very much for your work!
I tested the new version, but the bug is still not solved.
However, I can select a key, but not with the ending PEM.

So, I think version 1.2.0-0ubuntu0.16.04.3 has to be fixed again.

Aron Xu (happyaron) wrote :

I'm setting this report to verification-done, because the problem is fixed:

1. Previously, if you create a connection from the menu instead of connecting to an SSID that's listed in the discovered Wi-Fi, and select the encryption method, WPA/WPA2 Enterprise is inactive (listed but cannot be selected).
2. This is not presented the same way when connecting to a discovered SSID, but user is not able to connect any 802.1X connection because support for such type of encryption is inactive.
3. After installing the update, creation of 802.1X connections is possible. <-- So the bug is fixed.
4. Some of the keys or certs could not be selected due to the reason of the file's extension name, like .key file, but this is not a problem this fix targets to.

tags: added: verification-done
removed: verification-needed
Arkady (arkann1985) wrote :

Aron Xu, if you read original issue description you will find that the problem is you can't select certificate file because file chooser (list of files) is empty. It is absolutely not related to inactive "WPA/WPA2 Enterprise" option. And this issue exists for wired connection also.

Arkady (arkann1985) wrote :

I checked latest package 1.2.0-0ubuntu0.16.04.3 and problem still exists. It is impossible to select .pem secret key file for TLS auth type.

tags: added: verification-failed
removed: verification-done
Aron Xu (happyaron) wrote :

@arkann1985,

That's another issue, but true, they look very similar. Without the current update, if you are connecting to a discovered SSID then the properties can show up but you aren't able to select any certificate/key file; if it's not discovered but manually added then the encryption type is not able to be selected.

The problem you can reproduce is which extension is shown in the list... Would you mind to open another report?

tags: added: verification-done
removed: verification-failed
Arkady (arkann1985) wrote :

Of course I can open another report but STR of current report shows:
1. Click on Connections icon in status panel
2. Click on Edit connections
3. Select Wired connection
4. Go to 802.1x tab
5. Check the Use 802.1X checkbox
6. Choose TLS
7. Click on Secret key button
8. In file chooser navigate to the folder where key is located and try to select key file - the list is empty

So it is not related to WIFI only or discovered or not discovered network. Exactly this STR is still reproduced. Step 8 still fails. Are you sure that I should open a new report? I will create it with exactly the same STR.

Aron Xu (happyaron) wrote :

Probably not exactly the same steps to reproduce if you want to be precise - the original was saying nothing is listed, that was led by 802.1X support is missing unexpectedly, but now some of the file types can be selected - namely .p12 keys and .pem certs...

Arkady (arkann1985) wrote :

I can select only .p12 files. .pem files are not listed. Ok, I'll create a new report.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package network-manager-applet - 1.2.0-0ubuntu0.16.04.3

---------------
network-manager-applet (1.2.0-0ubuntu0.16.04.3) xenial; urgency=medium

  * debian/patches/apple-set-out_icon_name-for-WWAN-connections-for-ind.patch:
    use available gsm-3g-* icons so that the icon for mobile is different than
    that used for wifi; to avoid confusing people. (LP: #1571574)

network-manager-applet (1.2.0-0ubuntu0.16.04.2) xenial; urgency=medium

  * cherry-pick upstream patches from post 1.2.2:
    - wireless-security-fix-failed-assertion-in-default_fi.patch:
      Fix TLS cert authentication (LP: #1575614)
    - wireless-security-return-error-on-eap_method_validat.patch:
      Return error on eap_method_validate_filepicker() failure
    - applet-remove-assert-s_con-from-applet_get_active_vp.patch
      Remove the assert which lead to many false assertions (LP: #1578962)
    - apple-set-out_icon_name-for-WWAN-connections-for-ind.patch
      WWAN icon should appear when the connection is activated (LP: #1571574)

 -- Mathieu Trudel-Lapierre <email address hidden> Wed, 01 Jun 2016 15:15:49 -0400

Changed in network-manager-applet (Ubuntu Xenial):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for network-manager-applet has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Aron Xu (happyaron) on 2016-06-21
Changed in network-manager (Ubuntu):
status: New → Fix Released
Changed in network-manager (Ubuntu Xenial):
status: New → Triaged
Changed in network-manager (Ubuntu Xenial):
assignee: nobody → Aron Xu (happyaron)
importance: Undecided → Low
Aron Xu (happyaron) on 2016-06-23
tags: added: desktop-trello-import

Still can't select private key for new Ethernet Connection -> 802.1x Security:
Authentication TLS

ii network-manager-gnome 1.2.0-0ubuntu0.16.04.3

tomuk5 (tomuk5) wrote :

Still not working here either, same problem:

ii network-manager-gnome 1.2.0-0ubuntu0.16.04.3

tomuk5 (tomuk5) on 2016-08-08
tags: added: verification-failed
removed: verification-done
Arkady (arkann1985) wrote :

Confirm. Not working. Here is another opened report: https://bugs.launchpad.net/ubuntu/+source/network-manager-applet/+bug/1592717. Don't know why it is not listed in duplicates of this bug.

tomuk5 (tomuk5) wrote :

my experience differs from 1592717 in that no files of any type (der/pem/p12/key) are visible in the "choose your private key" file navigator window.

this matches the original symptoms of this bug.

I've tried all key file types/formats but still cannot see the key file in the browser to select it for the wireless profile.

Hello Arkady, or anyone else affected,

Accepted network-manager into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/network-manager/1.2.2-0ubuntu0.16.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in network-manager (Ubuntu Xenial):
status: Triaged → Fix Committed
tags: removed: verification-failed
tags: added: verification-needed
Changed in network-manager (Ubuntu):
importance: Undecided → Medium
affects: network-manager-applet → network-manager

Still can't select my private key. Only .p12 files are listed in file selector. However .pem files also exists in this folder. See attached screenshot.

tags: added: verification-failed
removed: verification-needed
Arkady (arkann1985) wrote :

Attached another one screenshot with ls output.

Aron Xu (happyaron) wrote :

@arkann1985, it does work for me when selecting the certificate, can you describe more about how did you reproduce the problem?

Arkady (arkann1985) wrote :

@happyaron, the STR is exactly like in the bug description. I have a folder ".certs" in my home dir. In this folder I have some files. The extensions of these files are: ".pem", ".crt" and ".p12".

Installed version of network-manager is: 1.2.2-0ubuntu0.16.04.1

I try to configure TLS for my wired connection. I go through the original STR, press the "Secret key" button, in the file chooser window I navigate to the ".certs" folder and only the ".p12" file is listed there. Files with the ".pem" extension are not listed and I'm unable to select my private key. The name of my private key file is "key.pem".

I'm ready to help with testing asap.

Aron Xu (happyaron) wrote :

@arkann1985, I wonder what's the version of your network-manager-gnome package?

Arkady (arkann1985) wrote :

@happyaron, network-manager-gnome version: 1.2.0-0ubuntu0.16.04.3
I installed only network-manager package from proposed.

Amr Ibrahim (amribrahim1987) wrote :

Arkady, please update to network-manager-gnome 1.2.0-0ubuntu0.16.04.4 (in xenial-updates since 2016-09-06) and try to verify this bug again.

If you can't update using Software Updater, use the terminal:
sudo apt update
sudo apt full-upgrade

Fedor (raigfp) wrote :

As a workaround, you can drag and drop your private key directly from Files (Nautilus)

Arkady (arkann1985) wrote :

Amr Ibrahim, updated all available packages from proposed repository. My network-manager-gnome version is now 1.2.0-0ubuntu0.16.04.4. Still can't select private key.

Fedor, the provided workaround seems to be working. But a strange message appears that says that my private key is not protected by a password. But it is not true, my key is protected. And the entered private key password works well. The workaround works well for wired and wifi connections.

Aron Xu (happyaron) wrote :

@all, I'm amending this SRU to only .p12 files for which is confirmed working to allow the fix land in -updates, and opened Bug #1627903 for follow-ups of other types key files.

summary: - [SRU]Can't select secret key for TLS auth for 802.1X authentication
+ [SRU]Can't select p12 secret key for TLS auth for 802.1X authentication
Aron Xu (happyaron) on 2016-09-27
tags: added: verification-done verification-done-xenial
removed: verification-failed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package network-manager - 1.2.2-0ubuntu0.16.04.1

---------------
network-manager (1.2.2-0ubuntu0.16.04.1) xenial; urgency=medium

  * Rebase to upstream 1.2.2 release, patches: (LP: #1589557)
    - dnsmasq-vpn-dns-filtering.patch: updated
    - nm-change-dnsmasq-parameters.diff: updated
    - 0001-dns-use-DBus-to-make-dnsmasq-nameserver-changes.patch: dropped
    - lp1574347-re-read-link-type-if-the-name-changed.diff: dropped
    - libnm-Check-self-still-NMManager-or-not.patch: (LP: #1582301)
    - libnm-don-t-require-initialized-out_encrypted-argume.patch:
      (LP: #1575614)

 -- Aron Xu <email address hidden> Sat, 04 Jun 2016 18:27:47 +0800

Changed in network-manager (Ubuntu Xenial):
status: Fix Committed → Fix Released
MK (m-m-kacik) wrote :

I installed fresh Ubuntu 16.04, with network manager 1.2.2-0ubuntu0.16.04.1 and can still repro the issue - none of my p12 encrypted keys are showing up in the list. After dragging and dropping the key as suggested, I get message about "Unencrypted private keys being insecure". Any additional workarounds?

Krzysztof Puch (kjpuchala) wrote :

Same for me for the same Ubuntu and NM version.

Fedor (raigfp) wrote :

MK, you can just skip the message

The message pops up like 20 times. Real fun to "just skip them".

The bug still occurs within my machine. Wlan can not connect to WPA2 Enterprise. I got lots of "Unencrypted private keys are not secure." messages, though my private key is encrypted. Network-manager is version 1.2.2-0ubuntu0.16.04.1.

SergeyMtv (sem-c) wrote :

Fresh installed 16.04.1 with updates:
network-manager/xenial-proposed,now 1.2.4-0ubuntu0.16.04.01 amd64
network-manager-gnome/xenial-updates,now 1.2.0-0ubuntu0.16.04.4 amd64

I confirm the bug. I see an empty list when I try to select the private key file (privkey.pem) in the 802.1x tab.
The above mentioned workaround with drag&drop from nautilus works with a warning message about empty password (wrong).

Network-Manager Version 1.2.2-0ubuntu0.16.04.4
Linux Mint 18.1 based on Ubuntu 16.04

Same Problem.

*.key File is invisible in the gui....

Bryan Wright (catselbow) wrote :

Has there been any progress on this bug? The spurious "unencrypted keys" message persists even in network-manager-gnome 1.2.6-0ubuntu0.16.04.

Chewie (hannes-woelfler) wrote :

Hi all

I just stumbled across the very same issue.
At the moment I run network manager version:
network-manager-gnome 1.2.6-0ubuntu0.16.04.4

so it should be fixed -> but I was unable to select my key..

I exported the key following an old HowTo to get wlan running on a linux pc as the company is running windows domains with wpa2 enterprise ..

pfx=my_exported_cert.pfx

        openssl pkcs12 -in $pfx -out cacert.pem -cacerts -nokeys
        openssl pkcs12 -in $pfx -out cert.pem -clcerts -nokeys
        openssl pkcs12 -in $pfx -out key.pem -nocerts

that generated all files required -> prior to that I had to request a new cert with exportable private keys on a windows pc ..

The resulting key.pem was:
file key.pem
key.pem: ASCII text

with header of:
Bag Attributes
    localKeyID: 01 00 00 00
    Microsoft CSP Name: Microsoft Strong Cryptographic Provider
    friendlyName: le-Auth_Ses_ClientUser_KNAPPD-0485e131-adac-48b4-bd80-417a8495e1f3
Key Attributes
    X509v3 Key Usage: 80
-----BEGIN ENCRYPTED PRIVATE KEY-----

And I think that was the issue with this key:

After converting the key to RSA format it worked for me and network manager detected it!

openssl rsa -in key.pem -out secure.key.key
file secure.key.key
secure.key.key: PEM RSA private key

And now I am running my WPA2 enterprise WLAN :)

regards
Chewie
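
The post above shows a key exported by openssl pkcs12 that carries a "Bag Attributes" preamble and a PKCS#8 "ENCRYPTED PRIVATE KEY" armor, and several comments report "unencrypted private key" warnings for keys their owners believe are protected. The following is an added example, not code from this bug report or from NetworkManager: a shell check that reports a key file's PEM container, whether the armor marks it as encrypted, and whether text precedes the armor. The function names, output labels and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the bug report or from NetworkManager.
# classify_key FILE prints: "<container> <encrypted|unencrypted|unknown> <preamble|clean>"

classify_key() {
    f=$1
    if [ ! -r "$f" ]; then
        echo "unreadable unknown clean"
        return 1
    fi
    # First PEM armor line; CRLF is stripped because keys exported on Windows
    # often carry it. LC_ALL=C keeps sed from choking on binary input.
    hdr=$(tr -d '\r' < "$f" | LC_ALL=C sed -n '/^-----BEGIN .*-----$/{p;q;}')
    if [ -z "$hdr" ]; then
        # No armor at all: DER, PKCS#12 (.p12/.pfx), or not a key file.
        echo "not-pem unknown clean"
        return 0
    fi
    case $hdr in
        '-----BEGIN ENCRYPTED PRIVATE KEY-----') kind="pkcs8-pem encrypted" ;;
        '-----BEGIN PRIVATE KEY-----')           kind="pkcs8-pem unencrypted" ;;
        '-----BEGIN RSA PRIVATE KEY-----'|'-----BEGIN EC PRIVATE KEY-----')
            # Traditional format marks encryption in an RFC 1421 style header.
            if LC_ALL=C grep -q '^Proc-Type: 4,ENCRYPTED' "$f"; then
                kind="traditional-pem encrypted"
            else
                kind="traditional-pem unencrypted"
            fi ;;
        *) kind="pem-not-a-private-key unknown" ;;
    esac
    # Text before the armor, e.g. the "Bag Attributes" block from openssl pkcs12.
    top=$(tr -d '\r' < "$f" | LC_ALL=C sed -n '/[^[:space:]]/{p;q;}')
    if [ "$top" = "$hdr" ]; then pre=clean; else pre=preamble; fi
    echo "$kind $pre"
}

# Constructed sample files (key bodies are placeholders, not real keys).
make_samples() {
    d=$1
    cat > "$d/from-pkcs12.pem" <<'EOF'
Bag Attributes
    localKeyID: 01 00 00 00
    friendlyName: constructed-sample
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
Q09OU1RSVUNURUQ=
-----END ENCRYPTED PRIVATE KEY-----
EOF
    cat > "$d/rsa-plain.key" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Q09OU1RSVUNURUQ=
-----END RSA PRIVATE KEY-----
EOF
    cat > "$d/rsa-aes.key" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,00000000000000000000000000000000

Q09OU1RSVUNURUQ=
-----END RSA PRIVATE KEY-----
EOF
}

# Classify any files named on the command line.
for k in "$@"; do
    printf '%s: ' "$k"
    classify_key "$k" || true
done
```

The first sample mirrors the shape of the key.pem shown above. Note that openssl rsa without a cipher option writes the converted key unencrypted; adding -aes256 keeps it passphrase-protected.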
