NM doesnt allow to configure phase2 certificate for wpasupplicant (Was: Fail to connect with TLS and client certificate)

Bug #284409 reported by Björn Torkelsson on 2008-10-16
This bug affects 6 people
Affects: network-manager (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

Binary package hint: network-manager

I fail to connect to the University Eduroam wireless network with TLS and a client certificate.

wpa_supplicant says it can't verify the certificate so that may be part of the problem:

Trying to associate with 00:12:44:b1:e2:1f (SSID='eduroam' freq=5220 MHz)
Authentication with 00:12:44:b1:e2:1f timed out.
CTRL-EVENT-SCAN-RESULTS
Trying to associate with 00:12:44:b1:e2:10 (SSID='eduroam' freq=2462 MHz)
Associated with 00:12:44:b1:e2:10
CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
TLS: Certificate verification failed, error 19 (self signed certificate in certificate chain) depth 2 for '/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root'
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
OpenSSL: tls_connection_handshake - SSL_connect error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
CTRL-EVENT-EAP-FAILURE EAP authentication failed
CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
TLS: Certificate verification failed, error 19 (self signed certificate in certificate chain) depth 2 for '/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root'
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
OpenSSL: tls_connection_handshake - SSL_connect error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
CTRL-EVENT-EAP-FAILURE EAP authentication failed
CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
TLS: Certificate verification failed, error 19 (self signed certificate in certificate chain) depth 2 for '/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root'
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
OpenSSL: tls_connection_handshake - SSL_connect error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
CTRL-EVENT-EAP-FAILURE EAP authentication failed
CTRL-EVENT-DISCONNECTED - Disconnect event - remove keys
Authentication with 00:00:00:00:00:00 timed out.

ProblemType: Bug
Architecture: amd64
DistroRelease: Ubuntu 8.10
NonfreeKernelModules: openafs
Package: network-manager 0.7~~svn20081015t224738-0ubuntu1
ProcEnviron:
 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
 LANG=en_DK.UTF-8
 SHELL=/bin/bash
 LC_NUMERIC=en_US.UTF-8
SourcePackage: network-manager
Uname: Linux 2.6.27-7-generic x86_64

Björn Torkelsson (torkel) wrote :
Alexander Sack (asac) wrote :

15:46 < asac> torkel: TLS: Certificate verification failed, error 19 (self signed certificate in certificate chain) depth 2
15:46 < asac> torkel: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
15:46 < asac> so your CA appears to be not known
15:48 < asac> torkel: http://www.madboa.com/geek/openssl/#verify-standard
15:48 < asac> torkel: can you try that?

Changed in network-manager:
status: New → Incomplete
Björn Torkelsson (torkel) wrote :

$ openssl verify -verbose -CAfile umueduroamca.pem umu_eduroam_bjto0001.pem
umu_eduroam_bjto0001.pem: OK

So, yes, the certificate is OK.

However, if I remove the CA certificate (I still have it in /etc/ssl/certs though) it seems to be working (I will test more tomorrow).

When trying to re-add the CA certificate in the n-m connection manager I get the following error:

Updating connection failed: client cert
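
The `openssl verify` check above passes because the CA file handed to it is the root that actually issued the chain. The wpa_supplicant log, by contrast, reports error 19 at depth 2, which is what OpenSSL returns when chain building reaches a self-signed root that is not in the supplied trust store. The following script is an added example, not part of the bug report: it builds a constructed toy PKI (root, intermediate, client certificate) with the openssl command-line tool, which is assumed to be installed, and reproduces error 19, error 20 and the OK case so the three outcomes can be told apart.

```shell
#!/bin/sh
# Added example (not from the bug report): reproduce wpa_supplicant's
# "error 19 (self signed certificate in certificate chain) depth 2" with
# plain openssl on a constructed toy PKI, then show the same chain verifying
# OK once the real root is supplied as the trusted CA file.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Extension files: CA certs need basicConstraints CA:TRUE or OpenSSL rejects
# them as issuers; the leaf is explicitly marked as a non-CA client cert.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$WORK/leaf.ext"

# issue_cert CN NAME ISSUER EXTFILE: ISSUER is "self" for a self-signed root,
# otherwise the basename of the signing CA's key and certificate in $WORK.
issue_cert() {
    cn="$1"; name="$2"; issuer="$3"; extfile="$4"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
    if [ "$issuer" = "self" ]; then
        openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
            -days 1 -extfile "$extfile" -out "$WORK/$name.pem" 2>/dev/null
    else
        openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.pem" \
            -CAkey "$WORK/$issuer.key" -CAcreateserial -days 1 \
            -extfile "$extfile" -out "$WORK/$name.pem" 2>/dev/null
    fi
}

# Constructed PKI: a three-level chain like the one in the log (leaf at
# depth 0, intermediate at depth 1, self-signed root at depth 2), plus an
# unrelated root standing in for "some CA that is not the right one".
issue_cert "Toy Root CA"           root   self "$WORK/ca.ext"
issue_cert "Toy Intermediate CA"   int    root "$WORK/ca.ext"
issue_cert "client@example.edu"    client int  "$WORK/leaf.ext"
issue_cert "Unrelated Root CA"     other  self "$WORK/ca.ext"
cat "$WORK/int.pem" "$WORK/root.pem" > "$WORK/chain.pem"

# verify_error CAFILE [UNTRUSTED]: verify the client cert against CAFILE (the
# role of wpa_supplicant's ca_cert=), optionally with UNTRUSTED playing the
# chain the peer sends. Prints the X.509 verify error number, 0 when OK.
verify_error() {
    if [ -n "${2:-}" ]; then
        out="$(openssl verify -CAfile "$1" -untrusted "$2" "$WORK/client.pem" 2>&1)" \
            && { echo 0; return 0; }
    else
        out="$(openssl verify -CAfile "$1" "$WORK/client.pem" 2>&1)" \
            && { echo 0; return 0; }
    fi
    # openssl prints e.g. "error 19 at 2 depth lookup: self signed certificate in certificate chain"
    printf '%s\n' "$out" \
        | sed -n 's/.*error \([0-9][0-9]*\) at [0-9]* depth lookup.*/\1/p' | head -n 1
}

# Right root trusted, full chain available: verifies cleanly.
printf 'trusted root + chain:       error %s (0 = OK)\n' "$(verify_error "$WORK/root.pem" "$WORK/chain.pem")"
# Wrong root trusted: chain building ends at an untrusted self-signed cert,
# which is exactly the "error 19 ... depth 2" line in the wpa_supplicant log.
printf 'unrelated root + chain:     error %s (19 = self signed cert in chain)\n' "$(verify_error "$WORK/other.pem" "$WORK/chain.pem")"
# Right root trusted but no intermediate anywhere: a different failure (20),
# useful to distinguish a missing intermediate from a wrong trust anchor.
printf 'trusted root, no chain:     error %s (20 = unable to get local issuer)\n' "$(verify_error "$WORK/root.pem")"
```

Reading the numbers back: 19 means the trust anchor configured in NetworkManager or wpa_supplicant is not the root that actually signed the RADIUS server's chain (or the file is not being passed at all), whereas 20 means the anchor is fine but the intermediate is missing from both the CA file and the certificates sent by the server. The openssl error numbers are the same ones wpa_supplicant prints, so this maps directly onto the log lines in the report.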

Alexander Sack (asac) wrote :

Latest comments in bug 272185 look similar. That's about wireless + TLS (EAP), I think.

Alexander Sack (asac) wrote :

OK. As you commented in 272185, this is a dupe. Let's continue there.

Changed in network-manager:
status: Incomplete → Triaged
Alberto (apedraza) wrote :

Alexander, I don't think that this bug is the same as 272185. It might be related but it is not the same.

I have the problem that when setting up a WPA2/EAP/TLS network in nm 0.7, I get an error when I try to save the setup.

The error is in the wireless security tab. After completing the login information, selecting the 3 certificates (user cert, CA cert and PK cert) and specifying the private key password, I press OK and I get: Updating Connection Failed: client-cert.

This has been happening since nm 0.7 in hardy when I was testing this summer. It continues to this day.

Alberto (apedraza) wrote :

OK. I checked again. The bug in the GUI only happens when you try to edit the settings already in place. It does not happen when you first create the EAP network.

Kartoch (kartoch) wrote :

I'm not sure it's really solved.

If I try to connect with a fresh setup from the network manager GUI, it works, but /var/log/wpa_supplicant.log contains:

CTRL-EVENT-SCAN-RESULTS
Associated with 00:1e:be:a7:f6:90
CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected
OpenSSL: tls_connection_handshake - Failed to read possible Application Data error:00000000:lib(0):func(0):reason(0)
CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
WPA: Key negotiation completed with 00:1e:be:a7:f6:90 [PTK=TKIP GTK=TKIP]
CTRL-EVENT-CONNECTED - Connection to 00:1e:be:a7:f6:90 completed (reauth) [id=0 id_str=]

So it seems it didn't succeed in validating the certificate... but it continues (dangerous).

If I try to update the settings, it doesn't work because of a self-certificate in the certificate chain:

Associated with 00:1e:be:a8:38:20
CTRL-EVENT-SCAN-RESULTS
CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected
TLS: Certificate verification failed, error 19 (self signed certificate in certificate chain) depth 2 for '/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root'
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
OpenSSL: tls_connection_handshake - SSL_connect error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
CTRL-EVENT-EAP-FAILURE EAP authentication failed
CTRL-EVENT-DISCONNECTED - Disconnect event - remove keys

So my hypothesis is that we have two bugs:

- one with no validation of the certificate when settings are new
- one with strange validation of the root certificate (of course it's a self-certificate! ;-)
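
The first of those two observations matches documented wpa_supplicant behaviour: when a network block has no `ca_cert` entry, the server certificate is not verified at all, and EAP-TTLS or EAP-TLS completes against any server that presents a certificate. The fragment below is an added example, not taken from the bug report or from NetworkManager; it shows the `ca_cert` line that turns verification back on in a hand-written wpa_supplicant.conf network block. The SSID is the one from the report; the identities, password and file paths are placeholders.

```conf
# Added example wpa_supplicant.conf network block (not from the bug report).
# Placeholders: identities, password and the /etc/ssl/... paths.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TTLS
    # Outer (phase 1) identity sent in the clear; the real username only
    # travels inside the TLS tunnel once the server has been verified.
    anonymous_identity="anonymous@example.edu"
    identity="user@example.edu"
    password="PLACEHOLDER"
    # Without this line wpa_supplicant accepts any server certificate, which
    # is the silent "EAP authentication completed successfully" case above.
    # Point it at the root (or full chain) that signed the RADIUS server cert,
    # not at the client certificate.
    ca_cert="/etc/ssl/certs/eduroam-root-ca.pem"
    # Inner (phase 2) method run inside the tunnel.
    phase2="auth=MSCHAPV2"
}
```

For EAP-TLS the same `ca_cert` line applies, with `eap=TLS` and `client_cert=`, `private_key=` and `private_key_passwd=` in place of `password=` and `phase2=`. A quick check that a configured `ca_cert` is the right anchor is the `openssl verify -CAfile` run from earlier in the thread: if that reports error 19 against the certificate the server presents, the file is not the root that issued the chain.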
