WPA3-SAE support

Bug #1844422 reported by Giraffe
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone
gnome-shell (Ubuntu) | Fix Released | Wishlist | Unassigned |
network-manager (Ubuntu) | Fix Released | Wishlist | Unassigned |

Bug Description

After some user feedback WPA3 support for NetworkManager has been finalized upstream:

https://gitlab.freedesktop.org/NetworkManager/NetworkManager/commit/e1608030c6614d8dfd86122e9df81fdaad9453c9

https://gitlab.freedesktop.org/NetworkManager/NetworkManager/commit/84a86ce55f1e70cb32217d2c74242ff848db8cd7

https://gitlab.freedesktop.org/NetworkManager/NetworkManager/merge_requests/276/diffs?commit_id=8d4497088fff562773b9c05260e810833bfc9c85

At this time NetworkManager will not associate with Wi-Fi networks using WPA3.
Tested using Ubuntu Eoan Ermine [development branch] with NetworkManager 1.20.2-1ubuntu1 and WPA_Supplicant 2:2.9-1ubuntu1.

It would be great if the aforementioned commits were backported to Eoan before release, so that Eoan-based systems will associate with Wi-Fi networks using WPA3.

==========================================================================
Update 09-10-2019:
So it has come to my attention that NetworkManager needs one additional commit backported from upstream to make WPA3-SAE work:
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/commit/e36c297fd8c6b1b57cd120739cc5ee8eab57aa08

Without this latest commit connecting to WPA3-personal networks will still fail because of a lack of 802.11w support in the network-manager settings.

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in network-manager (Ubuntu):
status: New → Confirmed
Revision history for this message
Rui Salvaterra (rsalvaterra) wrote :

Indeed. 19.04 shipped with wpasupplicant 2.6, which had no support at all for WPA3, although network-manager 1.16 already started to support it. With 19.10 shipping wpasupplicant 2.9 and network-manager 1.20, there's just no excuse. I have WPA2+WPA3 mixed-mode deployed on my home network and all my connections are downgraded to WPA2.

Giraffe (dodger-forum)
description: updated
Giraffe (dodger-forum)
summary: - WPA3-support
+ WPA3-SAE support
Revision history for this message
Teunis Peters (teunis) wrote :

On one side this fixes SAE / WPA3 personal support
on the other, you still can't edit or update WPA3 connections in the GUI components.
If you use nmtui or try connecting to WPA3 though, it works.
(I've tested this)

Consider upstream to be "nearing complete"

I've been working on WPA3 support on some AP series so I very much can test this. Up until now I've been using manual settings on a custom compile of wpa_supplicant (etc).

Attached are the backported patches (from networkmanager master, they're not even in any tags yet)
I'm going to keep an eye on networkmanager development and follow this report.

However I'd class support as "not yet ready".

Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "Backport of upstream support" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Revision history for this message
Teunis Peters (teunis) wrote :

The above automated response is correct - it's three backported commits. There should be more before it's done though, so consider this "something to test things out".
The network-manager UI does not yet have SAE / WPA3 personal support in this backport, and doesn't look like that's available upstream yet - at least not in the network-manager git.

Revision history for this message
Daniel van Vugt (vanvugt) wrote :

Added gnome-shell task to reflect the fact that GUI support was (will be) added in gnome-shell 3.34.1

Changed in gnome-shell (Ubuntu):
importance: Undecided → Medium
status: New → Triaged
tags: added: fixed-in-3.34.1 fixed-upstream
Changed in gnome-shell (Ubuntu):
importance: Medium → Wishlist
Revision history for this message
Sebastien Bacher (seb128) wrote :

Those fixes are in 1.20.4 which has been uploaded/is in the review queue, unsubscribing sponsors

Changed in network-manager (Ubuntu):
status: Confirmed → Fix Committed
importance: Undecided → Wishlist
Revision history for this message
Giraffe (dodger-forum) wrote :
Giraffe (dodger-forum)
description: updated
Changed in network-manager (Ubuntu):
status: Fix Committed → Incomplete
Revision history for this message
Sebastien Bacher (seb128) wrote :

Why is it incomplete? Is the current version not working without that commit?

Revision history for this message
Giraffe (dodger-forum) wrote :

@seb128
The current version will not connect to WPA3-SAE secured Wi-Fi without that commit (being able to connect to WPA3-personal secured Wi-Fi is the whole point of this bug).

This is because 802.11w is mandatory for WPA3-SAE (though it can be disabled for certain configs) and NetworkManager up and until 1.20.4 passes "ieee80211w=0" (which disables 802.11w).

Revision history for this message
Teunis Peters (teunis) wrote :

PMF is controlled from AP side over which - mine is always PMF required with SAE, for instance, even if it's optional for WPA-PSK on the same SSID.
(that's a configurable option)

PMF should be enabled if at all possible. PMF optional : mode 1 - recommended as long as the driver supports it, and pmf 2 - required - should be the other choice. PMF disabled is only for systems where security is not an issue or the driver is known not to function.
It should raise a security alert if PMF is disabled. (eg: warning: this reduces security considerably)

Revision history for this message
Giraffe (dodger-forum) wrote :

@teunis,

The point is NM (when setting WPA3-Personal as the security protocol) will ALWAYS pass "ieee80211w=0"; this is NOT configurable on the client, even when setting PMF=2 in the config file.

The latest commit fixes this problem and thus is kind of important to achieving the goal as set out in this bug.
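
The check below is an added example, not part of the thread and not NetworkManager's code. It applies to a hand-written wpa_supplicant.conf, like the manual setups mentioned above, and reports each network's effective `ieee80211w` value, flagging the SAE-with-PMF-off combination discussed here. The sample configuration is constructed.

```python
import re

# Constructed sample in wpa_supplicant.conf syntax (not from the bug report).
SAMPLE_CONF = """
pmf=1
network={
    ssid="home-wpa3"
    key_mgmt=SAE
    ieee80211w=0
}
network={
    ssid="home-mixed"
    key_mgmt=SAE WPA-PSK
}
network={
    ssid="legacy"
    key_mgmt=WPA-PSK
    ieee80211w=0
}
"""
BLOCK = re.compile(r"network=\{(.*?)\n[ \t]*\}", re.S)
KEYVAL = re.compile(r"^[ \t]*(\w+)=(.*?)[ \t]*$", re.M)

def audit(conf):
    """Return [(ssid, verdict, effective ieee80211w)] for each network block."""
    # Global "pmf=" is the default for blocks that do not set ieee80211w.
    globals_ = dict(KEYVAL.findall(BLOCK.sub("", conf)))
    default_pmf = int(globals_.get("pmf", 0))
    results = []
    for body in BLOCK.findall(conf):
        net = dict(KEYVAL.findall(body))
        ssid = net.get("ssid", "?").strip('"')
        key_mgmt = net.get("key_mgmt", "WPA-PSK IEEE8021X").split()
        pmf = int(net.get("ieee80211w", default_pmf))  # 0 off, 1 optional, 2 required
        if "SAE" in key_mgmt and pmf == 0:
            verdict = "FAIL"   # SAE with PMF off: the ieee80211w=0 case from this thread
        elif pmf == 0:
            verdict = "WARN"   # PMF disabled: management frames are unprotected
        else:
            verdict = "OK"
        results.append((ssid, verdict, pmf))
    return results

if __name__ == "__main__":
    for ssid, verdict, pmf in audit(SAMPLE_CONF):
        print(f"{verdict:4} {ssid}: effective ieee80211w={pmf}")
```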

Revision history for this message
Teunis Peters (teunis) wrote :

Fixing PMF would be much higher priority than fixing SAE ;)
it's pretty important that behaves properly.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gnome-shell - 3.34.1-1ubuntu1

---------------
gnome-shell (3.34.1-1ubuntu1) eoan; urgency=medium

  * Merge with Debian. Remaining changes:
    + Replace gnome-backgrounds dep with ubuntu-wallpapers and Suggests
      gnome-themes-standard-data, gnome-backgrounds
    + Add some Recommends:
      - ubuntu-session (| gnome-session) to have the ubuntu session available
      - xserver-xorg-legacy
      - yaru-theme-gnome-shell for the default ubuntu theming
    + Update debian/gbp.conf with Ubuntu settings
    + gnome-shell-common.install: Install Ubuntu mode
    + gnome-shell-common.prerm: Remove deprecated ubuntu theme alternative
    + ubuntu/desktop_detect.patch:
      - add caching for desktop detection to avoid querying the current
        desktop env variable as iterate through the list each time. For the
        time of the Shell process, we can expect this env variable to stay
        stable.
    + ubuntu/smarter_alt_tab.patch:
      - quick alt-tab (without showing up the switcher) switch only between
        the last window of the last 2 applications to be focused instead of
        raising all windows of those apps.
    + ubuntu/lightdm-user-switching.patch:
      - Allow user switching when using LightDM.
    + ubuntu/lock_on_suspend.patch
      - Respect Ubuntu's lock-on-suspend setting.
    + ubuntu/gdm.patch
      - as gdm is system-wide and not session-wide, ensure gdm has an ubuntu
        styling by default, not impacting the gnome user session though.
    + ubuntu/background_login.patch
      - Change default background color as we modified the default GDM color
        for our ubuntu session. Change it as well here, still applying the
        background noise loading.
    + ubuntu/gdm_alternatives.patch
      - Add support for GDM3 theme alternatives
    + optional-hot-corner.patch
      - enable patch proposed by upstream developer already in package (but
        not in series) to add a settings for optional hot corner activation.
    + volume-Add-back-sound-feedback-on-scroll.patch
      - Fix regression causing missing feedback on volume slider scroll
    + main-show-an-error-message-on-gnome-shell-crash.patch,
      global-make-possible-to-set-debug-flags-dynamically.patch,
      main-increase-the-granularity-of-backtraces-in-SHELL_DEBU.patch,
      main-add-backtrace-crashes-all-and-backtrace-all.patch,
      sessionMode-add-support-for-debugFlags-parameter.patch:
      - Improve debug JS tracing for crash reports
    + st-scroll-view-Handle-the-case-where-scrollbars-are-NULL.patch,
      st-scroll-view-Remove-scrollbars-references-on-dispose.patch:
      - Fix crash on theme changes
    + ubuntu/search-call-XUbuntuCancel-method-on-providers-when-no-dat.patch:
      - stop searches when requested from UI
    + magnifier-Show-cursor-when-magnifier-is-enabled-and-scale.patch:
      - Show monitor scaled cursor when magnifier is enabled
  * Refresh patches through gbp-pq

gnome-shell (3.34.1-1) unstable; urgency=medium

  * New upstream release
    + Allow editing app folder names
    + Do not notify systemd before initialization is complete
    + Don't leak NOTIFY_SOCKET environment vari...


Changed in gnome-shell (Ubuntu):
status: Triaged → Fix Released
Changed in network-manager (Ubuntu):
status: Incomplete → Fix Committed
Revision history for this message
Teunis Peters (teunis) wrote :

re fix committed : does that mean both network-manager and gnome-shell will be updated as per posted hashes?

Revision history for this message
Sebastien Bacher (seb128) wrote :

The n-m patch has been backported and gnome-shell updated to 3.34.1, do we need another patch?

Revision history for this message
Teunis Peters (teunis) wrote :

well, those running KDE (like me) will still have problems but it should solve it for many.
(Lots of reasons, but suffice the gnome shell UI is intensely counter-productive for me). Any chance of it being supported on LTS or disco?

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package network-manager - 1.20.4-2ubuntu2

---------------
network-manager (1.20.4-2ubuntu2) eoan; urgency=medium

  * debian/patches/git_wpa_sae.patch:
    - PMF can be used with SAE, allow it, fixes WPA3 handling
      (lp: #1844422)

 -- Sebastien Bacher <email address hidden> Fri, 11 Oct 2019 00:06:27 +0200

Changed in network-manager (Ubuntu):
status: Fix Committed → Fix Released
Revision history for this message
Giraffe (dodger-forum) wrote :

@seb128
From a functional point of view, it is working now.

I'm able to connect to my AP with WPA3-SAE/WPA3-Personal using 1.20.4-2ubuntu2 from proposed.

Although I'm unable to comment on the gnome-shell part of this bug since I'm using XFCE.

Thanks for helping out.

Revision history for this message
Giraffe (dodger-forum) wrote :

@Seb128,

Sorry to bother you again, but I've noticed some (at least for me) unexpected fallout from this bug.

Using Xubuntu Eoan with 20.4-2ubuntu2 from proposed.

When connecting to my Wi-Fi network (which is set to WPA2/WPA3 mixed mode) using NM-Applet (the GUI not NMTUI) it will show the authn dialog but the Wi-Fi password field is missing.

I've attached a screenshot depicting the issue.

If I'm not mistaken, the following commit fixes this issue:
https://gitlab.gnome.org/GNOME/network-manager-applet/commit/1272e7fa2e976ac5db6352302962aba439ce6dd7

Revision history for this message
Giraffe (dodger-forum) wrote :
Revision history for this message
Sebastien Bacher (seb128) wrote :

Did it work before? Or is that just that the new mode doesn't fully work with the applet UI (where it works in gnome-shell)?

Revision history for this message
Giraffe (dodger-forum) wrote :

It didn't work before, the password field being 'missing in action' is something that started when I enabled WPA3 on my AP/Router and has persisted.

I think WPA3 in general doesn't fully work with NM-Applet as of yet.

I am able to connect using WPA3 via NMTUI, after which NM-Applet, for instance, shows Security as "None".

Revision history for this message
Sebastien Bacher (seb128) wrote :

Ok, thanks, that's not a regression then if it was simply not working before. Better if you open a new bug report since the one described there has been fixed (WPA3 support landed and is working in Ubuntu's default desktop)

Revision history for this message
Giraffe (dodger-forum) wrote :

@Seb128
Alright, thank you for your guidance, I'll open a new bug for NM-Applet

no longer affects: network-manager-applet (Ubuntu)