WPA3-SAE support

Bug #1844422 reported by Giraffe
20
This bug affects 3 people
Affects Status Importance Assigned to Milestone
gnome-shell (Ubuntu)
Wishlist
Unassigned
network-manager (Ubuntu)
Wishlist
Unassigned

Bug Description

After some user feedback WPA3 support for NetworkManager has been finalized upstream:

https://gitlab.freedesktop.org/NetworkManager/NetworkManager/commit/e1608030c6614d8dfd86122e9df81fdaad9453c9

https://gitlab.freedesktop.org/NetworkManager/NetworkManager/commit/84a86ce55f1e70cb32217d2c74242ff848db8cd7

https://gitlab.freedesktop.org/NetworkManager/NetworkManager/merge_requests/276/diffs?commit_id=8d4497088fff562773b9c05260e810833bfc9c85

At this time NetworkManager will not associate with Wifi-networks using WPA3.
Tested using Ubuntu Ubuntu Eoan Ermine [development branch] with NetworkManager 1.20.2-1ubuntu1 and WPA_Supplicant 2:2.9-1ubuntu1.

It would be great if the aforementioned commits where backported to Eoan before release, so that Eoan based systems will associate with WiFi-networks using WPA3.

==========================================================================
Update 09-10-2019:
So it has come to my attention that NetworkManager needs one additional commit backported from upstream to make WPA3-SAE work:
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/commit/e36c297fd8c6b1b57cd120739cc5ee8eab57aa08

Without this latest commit connecting to WPA3-personal networks will still fail because of a lack of 802.11w support in the network-manager settings.

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in network-manager (Ubuntu):
status: New → Confirmed
Revision history for this message
Rui Salvaterra (rsalvaterra) wrote :

Indeed. 19.04 shipped with wpasupplicant 2.6, which had no support at all for WPA3, although network-manager 1.16 already started to support it. With 19.10 shipping wpasupplicant 2.9 and network-manager 1.20, there's just no excuse. I have WPA2+WPA3 mixed-mode deployed on my home network and all my connections are downgraded to WPA2.

Giraffe (dodger-forum)
description: updated
Giraffe (dodger-forum)
summary: - WPA3-support
+ WPA3-SAE support
Revision history for this message
Teunis Peters (teunis) wrote :

On one side this fixes SAE / WPA3 personal support
on the other, you still can't edit or update WPA3 connections in the GUI components.
If you use nmtui or try connecting to WPA3 though, it works.
(I've tested this)

Consider upstream to be "nearing complete"

I've been working on WPA3 support on some AP series so I very much can test this. Up until now I've been using manual settings on a custom compile of wpa_supplicant (etc).

Attached is the backported patches (from networkmanager master, they're not even in any tags yet)
I'm going to keep an eye on networkmanager development and follow this report.

However I'd class support as "not yet ready".

Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "Backport of upstream support" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Revision history for this message
Teunis Peters (teunis) wrote :

above automated response is correct - it's three backported commits. There should be more before it's done though, so consider this "something to test things out".
The network-manager UI does not yet have SAE / WPA3 personal support in this backport, and doesn't look like that's available upstream yet - at least not in the network-manager git.

Revision history for this message
Daniel van Vugt (vanvugt) wrote :

Added gnome-shell task to reflect the fact that GUI support was (will be) added in gnome-shell 3.34.1

Changed in gnome-shell (Ubuntu):
importance: Undecided → Medium
status: New → Triaged
tags: added: fixed-in-3.34.1 fixed-upstream
Changed in gnome-shell (Ubuntu):
importance: Medium → Wishlist
Revision history for this message
Sebastien Bacher (seb128) wrote :

Those fixes are in 1.20.4 which has been uploaded/is in the review queue, unsubscribing sponsors

Changed in network-manager (Ubuntu):
status: Confirmed → Fix Committed
importance: Undecided → Wishlist
Revision history for this message
Giraffe (dodger-forum) wrote :
Giraffe (dodger-forum)
description: updated
Changed in network-manager (Ubuntu):
status: Fix Committed → Incomplete
Revision history for this message
Sebastien Bacher (seb128) wrote :

Why is it incomplete? Is the current version not working without that commit?

Revision history for this message
Giraffe (dodger-forum) wrote :

@seb128
The Current version will not connect to WPA3-SAE secured Wi-Fi without that commit (being able to connect to WPA3-personal secured Wi-Fi is the whole point of this bug).

This is because 802.11w is mandatory for WPA3-SAE (though it can be disabled for certain configs) and NetworkManager up and until 1.20.4 passes "ieee80211w=0" (which disables 802.11w).

Revision history for this message
Teunis Peters (teunis) wrote :

PMF is controlled from AP side over which - mine is always PMF required with SAE, for instance, even if it's optional for WPA-PSK on the same SSID.
(that's a configurable option)

PMF should be enabled if at all possible. PMF optional : mode 1 - recommended as long as the driver supports it, and pmf 2 - required - should be the other choice. PMF disabled is only for systems where security is not an issue or the driver is known not to function.
It should raise a security alert if PMF is disabled. (eg: warning: this reduces security considerably)

Revision history for this message
Giraffe (dodger-forum) wrote :

@teunis,

The point is NM (when setting WPA3-Personal as the security protocol) will ALWAYS pass "ieee80211w=0" this is NOT configurable on the client even when setting PMF=2 in the config file.

The latest commit fixes this problem and thus is kind of important to achieving the goal as set out in this bug.

Revision history for this message
Teunis Peters (teunis) wrote :

Fixing PMF would be much higher priority than fixing SAE ;)
it's pretty important that behaves properly.

Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (4.1 KiB)

This bug was fixed in the package gnome-shell - 3.34.1-1ubuntu1

---------------
gnome-shell (3.34.1-1ubuntu1) eoan; urgency=medium

  * Merge with Debian. Remaining changes:
    + Replace gnome-backgrounds dep with ubuntu-wallpapers and Suggests
      gnome-themes-standard-data, gnome-backgrounds
    + Add some Recommends:
      - ubuntu-session (| gnome-session) to have the ubuntu session available
      - xserver-xorg-legacy
      - yaru-theme-gnome-shell for the default ubuntu theming
    + Update debian/gbp.conf with Ubuntu settings
    + gnome-shell-common.install: Install Ubuntu mode
    + gnome-shell-common.prerm: Remove deprecated ubuntu theme alternative
    + ubuntu/desktop_detect.patch:
      - add caching for desktop detection to avoid querying the current
        desktop env variable as iterate through the list each time. For the
        time of the Shell process, we can expect this env variable to stay
        stable.
    + ubuntu/smarter_alt_tab.patch:
      - quick alt-tab (without showing up the switcher) switch only between
        the last window of the last 2 applications to be focused instead of
        raising all windows of those apps.
    + ubuntu/lightdm-user-switching.patch:
      - Allow user switching when using LightDM.
    + ubuntu/lock_on_suspend.patch
      - Respect Ubuntu's lock-on-suspend setting.
    + ubuntu/gdm.patch
      - as gdm is system-wide and not session-wide, ensure gdm has an ubuntu
        styling by default, not impacting the gnome user session though.
    + ubuntu/background_login.patch
      - Change default background color as we modified the default GDM color
        for our ubuntu session. Change it as well here, still applying the
        background noise loading.
    + ubuntu/gdm_alternatives.patch
      - Add support for GDM3 theme alternatives
    + optional-hot-corner.patch
      - enable patch proposed by upstream developer already in package (but
        not in series) to add a settings for optional hot corner activation.
    + volume-Add-back-sound-feedback-on-scroll.patch
      - Fix regression causing missing feedback on volume slider scroll
    + main-show-an-error-message-on-gnome-shell-crash.patch,
      global-make-possible-to-set-debug-flags-dynamically.patch,
      main-increase-the-granularity-of-backtraces-in-SHELL_DEBU.patch,
      main-add-backtrace-crashes-all-and-backtrace-all.patch,
      sessionMode-add-support-for-debugFlags-parameter.patch:
      - Improve debug JS tracing for crash reports
    + st-scroll-view-Handle-the-case-where-scrollbars-are-NULL.patch,
      st-scroll-view-Remove-scrollbars-references-on-dispose.patch:
      - Fix crash on theme changes
    + ubuntu/search-call-XUbuntuCancel-method-on-providers-when-no-dat.patch:
      - stop searches when requested from UI
    + magnifier-Show-cursor-when-magnifier-is-enabled-and-scale.patch:
      - Show monitor scaled cursor when magnifier is enabled
  * Refresh patches through gbp-pq

gnome-shell (3.34.1-1) unstable; urgency=medium

  * New upstream release
    + Allow editing app folder names
    + Do not notify systemd before initialization is complete
    + Don't leak NOTIFY_SOCKET environment vari...

Read more...

Changed in gnome-shell (Ubuntu):
status: Triaged → Fix Released
Changed in network-manager (Ubuntu):
status: Incomplete → Fix Committed
Revision history for this message
Teunis Peters (teunis) wrote :

re fix committed : does that mean both network-manager and gnome-shell will be updated as per posted hashes?

Revision history for this message
Sebastien Bacher (seb128) wrote :

The n-m patch has been backported and gnome-shell updated to 3.34.1, do we need another patch?

Revision history for this message
Teunis Peters (teunis) wrote :

well, those running KDE (like me) will still have problems but it should solve it for many.
(Lots of reasons, but suffice the gnome shell UI is intensely counter-productive for me). Any chance of it being supported on LTS or disco?

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package network-manager - 1.20.4-2ubuntu2

---------------
network-manager (1.20.4-2ubuntu2) eoan; urgency=medium

  * debian/patches/git_wpa_sae.patch:
    - PMF can be used with SAE, allow it, fixes WPA3 handling
      (lp: #1844422)

 -- Sebastien Bacher <email address hidden> Fri, 11 Oct 2019 00:06:27 +0200

Changed in network-manager (Ubuntu):
status: Fix Committed → Fix Released
Revision history for this message
Giraffe (dodger-forum) wrote :

@seb128
From a functional point of view, it is working now.

I'm able to connect to my AP with WPA3-SAE/WPA3-Personal using 1.20.4-2ubuntu2 from proposed.

Although I'm unable to comment on the gnome-shell part of this bug since i'm using XFCE.

Thanks for helping out.

Revision history for this message
Giraffe (dodger-forum) wrote :

@Seb128,

Sorry to bother you again, but I've noticed some (at least for me) unexpected fallout from this bug.

Using Xubuntu Eoan with 20.4-2ubuntu2 from proposed.

When connecting to my Wi-Fi network (which is set to WPA2/WPA3 mixed mode) using NM-Applet (the GUI not NMTUI) it will show the authn dialog but the Wi-Fi password field is missing.

I've attached a screenshot depicting the Issue.

If I'm not mistaken, the following commit fixes this issue:
https://gitlab.gnome.org/GNOME/network-manager-applet/commit/1272e7fa2e976ac5db6352302962aba439ce6dd7

Revision history for this message
Giraffe (dodger-forum) wrote :
Revision history for this message
Sebastien Bacher (seb128) wrote :

Did it work before? Or is that just that the new mode doesn't fully work with the applet UI (where it works in gnome-shell)?

Revision history for this message
Giraffe (dodger-forum) wrote :

It didn't work before, the password field being 'missing in action' is something that started when I enabled WPA3 on my AP/Router and has persisted.

I think WPA3 in general doesn't fully work with NM-Applet as of yet.

I am able to connect using WPA3 via via NMTUI, after which NM-Applet, for instance, shows Security as "None".

Revision history for this message
Sebastien Bacher (seb128) wrote :

Ok, thanks, that's not a regression then if it was simply not working before. Better if you open a new bug report since the one described there has been fixed (WPA3 support landed and is working in Ubuntu's default desktop)

Revision history for this message
Giraffe (dodger-forum) wrote :

@Seb128
Alright, thank you for you guidance, I'll open a new bug for NM-Applet

no longer affects: network-manager-applet (Ubuntu)
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Bug attachments