network manager (WPA-EAP TLS) fails - can't use CA certificate

Bug #293238 reported by LarryGrover
This bug affects 5 people
Affects: network-manager (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned

Bug Description

Binary package hint: network-manager

I'm opening this bug at the request of Alexander Sack (see bug # 272185). I originally reported this issue under bug 272185, but it seems like my issue may be a different bug.

My wireless card is an Intel 3945 (iwl3945 module), but I have the same issue if I use a ZD1211 USB wireless card, so I don't believe this is a driver/kernel bug. Because wpa_supplicant from the command line works OK (see below), I think this is a network-manager issue. I am running 8.10 (Intrepid) with all updates applied.

If I include my CA cert in the network-manager applet configuration, I cannot connect to my university's wireless network (WPA-EAP TLS). If I remove the CA cert from the applet configuration, then I am able to connect.

From wpa_supplicant.log, when I try to connect using the CA cert:

CTRL-EVENT-SCAN-RESULTS
Associated with 00:18:74:c7:da:31
CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
TLS: Certificate verification failed, error 19 (self signed certificate in certificate chain) depth 2 for '/DC=edu/DC=marshall/CN=Marshall University Root CA'
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
OpenSSL: tls_connection_handshake - SSL_connect error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
CTRL-EVENT-EAP-FAILURE EAP authentication failed
CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
TLS: Certificate verification failed, error 19 (self signed certificate in certificate chain) depth 2 for '/DC=edu/DC=marshall/CN=Marshall University Root CA'
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
OpenSSL: tls_connection_handshake - SSL_connect error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
CTRL-EVENT-EAP-FAILURE EAP authentication failed
CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
TLS: Certificate verification failed, error 19 (self signed certificate in certificate chain) depth 2 for '/DC=edu/DC=marshall/CN=Marshall University Root CA'
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
OpenSSL: tls_connection_handshake - SSL_connect error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
CTRL-EVENT-EAP-FAILURE EAP authentication failed

From wpa_supplicant.log after I remove the CA cert:

CTRL-EVENT-SCAN-RESULTS
Trying to associate with 00:18:74:c7:da:31 (SSID='MU WiFi' freq=2462 MHz)
Authentication with 00:18:74:c7:da:31 timed out.
CTRL-EVENT-SCAN-RESULTS
Trying to associate with 00:18:74:f8:1e:b1 (SSID='MU WiFi' freq=2462 MHz)
Associated with 00:18:74:f8:1e:b1
CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
OpenSSL: tls_connection_handshake - Failed to read possible Application Data error:00000000:lib(0):func(0):reason(0)
CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
WPA: Key negotiation completed with 00:18:74:f8:1e:b1 [PTK=CCMP GTK=CCMP]
CTRL-EVENT-CONNECTED - Connection to 00:18:74:f8:1e:b1 completed (auth) [id=0 id_str=]

If I use wpa_supplicant from the command line, then I am able to connect even when using my CA cert. My wpa_supplicant.conf:

# WPA-EAP/CCMP using EAP-TLS

ctrl_interface=/var/run/wpa_supplicant
ap_scan=1

network={
 ssid="MU WiFi"
 scan_ssid=1
 key_mgmt=WPA-EAP
 pairwise=TKIP CCMP
 group=TKIP CCMP
 eap=TLS
 identity="xxxxxxxx"
 ca_cert="/etc/certs/MU_CA_cert.pem"
 client_cert="/etc/certs/MU_user_cert.pem"
 private_key="/etc/certs/MU_user_key.pem"
 private_key_passwd="xxxxxxxxxx"
}

When I try to connect using network-manager and my CA cert, syslog shows these errors (similar to bug # 272185):

Nov 3 13:40:12 skink NetworkManager: <info> wlan0: link timed out.
Nov 3 13:40:32 skink kernel: [151455.413757] wlan0: disassociating by local choice (reason=3)
Nov 3 13:40:32 skink NetworkManager: <info> Activation (wlan0/wireless): association took too long.

Pedro Villavicencio (pedro) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Could you please add the /var/log/syslog to your bug report as an attachment? Also, you can submit more information for it by looking at https://wiki.ubuntu.com/DebuggingNetworkManager. Thanks in advance.

Changed in network-manager:
status: New → Incomplete
Pedro Villavicencio (pedro) wrote :

We are closing this bug report because it lacks the information we need to investigate the problem, as described in the previous comments. Please reopen it if you can give us the missing information, and don't hesitate to submit bug reports in the future. To reopen the bug report you can click on the current status, under the Status column, and change the Status back to New. Thanks again!

Changed in network-manager:
status: Incomplete → Invalid
AndyL (thelees-andy) wrote :

I am seeing the same issue -- failure to associate due to a self-signed certificate. (at least that's what it looks like to me)

What seems to be the relevant portion of the log is:
Nov 18 09:37:35 my_laptop wpa_supplicant[1587]: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
Nov 18 09:37:35 my_laptop wpa_supplicant[1587]: TLS: Certificate verification failed, error 19 (self signed certificate in certificate chain) depth 2 for '/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority'
Nov 18 09:37:35 my_laptop wpa_supplicant[1587]: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
Nov 18 09:37:35 my_laptop wpa_supplicant[1587]: OpenSSL: tls_connection_handshake - SSL_connect error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Nov 18 09:37:35 my_laptop wpa_supplicant[1587]: CTRL-EVENT-EAP-FAILURE EAP authentication failed

I've attached the full log

Changed in network-manager (Ubuntu):
status: Invalid → New
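An added triage example (not part of the report, and not code from NetworkManager or wpa_supplicant): it parses the "Certificate verification failed" lines in both forms quoted above, bare and syslog-prefixed, and groups the retries by error code, chain depth and subject. The function name `triage` and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

# OpenSSL verify codes that all mean "no locally trusted anchor for this chain".
ANCHOR_ERRORS = {
    18: "self-signed leaf is not in the trusted CA set",
    19: "chain ends in a self-signed root that is not in the trusted CA set",
    20: "issuer certificate is not available locally",
}

VERIFY_RE = re.compile(
    r"TLS: Certificate verification failed, error (\d+) \((.*?)\) "
    r"depth (\d+) for '(.*)'"
)

def triage(log_text):
    """Group verification failures by (error, depth, subject) and explain them."""
    counts = Counter()
    for line in log_text.splitlines():
        m = VERIFY_RE.search(line)  # search() skips any syslog prefix
        if m:
            counts[(int(m.group(1)), int(m.group(3)), m.group(4))] += 1
    findings = []
    for (error, depth, subject), attempts in counts.items():
        findings.append({
            "error": error,
            "depth": depth,  # 0 is the server certificate itself
            "subject": subject,
            "attempts": attempts,
            "meaning": ANCHOR_ERRORS.get(error, "not a trust-anchor error"),
        })
    return findings

# Constructed sample: a bare line seen on two retries, plus one syslog-prefixed line.
SAMPLE = """\
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
TLS: Certificate verification failed, error 19 (self signed certificate in certificate chain) depth 2 for '/DC=test/DC=example/CN=Example Root CA'
CTRL-EVENT-EAP-FAILURE EAP authentication failed
TLS: Certificate verification failed, error 19 (self signed certificate in certificate chain) depth 2 for '/DC=test/DC=example/CN=Example Root CA'
Nov 18 09:37:35 host wpa_supplicant[1587]: TLS: Certificate verification failed, error 20 (unable to get local issuer certificate) depth 1 for '/C=US/O=Example/CN=Example Issuing CA'
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

For error 19, the subject reported at the failing depth is the root the server's chain ends in, so it is the name to compare against the subject of the CA file that was configured.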
AndyL (thelees-andy) wrote :

I forgot to mention, I am seeing this on Karmic

NoBugs! (luke32j) wrote :

I have a similar problem in 10.04, it works when I connect with no certificate, but when I choose the certificate, it doesn't work. The syslog says EAP authentication failed.
In Mac OS, it shows a dialog that says something like, there are no specific trust-settings, do you want to accept certificate? However, no dialog asks if I want to accept this server's certificate in Linux, it just seems to automatically reject it.

Changed in network-manager (Ubuntu):
status: New → Confirmed
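An added example, not part of the report or of either project: the workaround described above (connecting with no CA certificate) succeeds because wpa_supplicant does not verify the server certificate when neither `ca_cert` nor `ca_path` is set. The check below reads `wpa_supplicant.conf`-style `network` blocks and flags EAP networks with no CA, or with a CA but no server name constraint; the function names and the sample configuration are constructed for illustration.

```python
import re

# wpa_supplicant options that restrict which server certificate is accepted.
SERVER_NAME_KEYS = ("subject_match", "altsubject_match", "domain_suffix_match", "domain_match")

def parse_networks(conf_text):
    """Return each network={...} block as a dict of option -> unquoted value."""
    networks = []
    for body in re.findall(r"network\s*=\s*\{(.*?)\}", conf_text, re.S):
        net = {}
        for line in body.splitlines():
            if "=" in line and not line.lstrip().startswith("#"):
                key, value = line.split("=", 1)
                net[key.strip()] = value.strip().strip('"')
        networks.append(net)
    return networks

def audit(conf_text):
    """Return (ssid, issue) for every EAP network with weak server validation."""
    findings = []
    for net in parse_networks(conf_text):
        if "eap" not in net and "EAP" not in net.get("key_mgmt", ""):
            continue  # assumption: blocks without eap= or an EAP key_mgmt are not 802.1X
        ssid = net.get("ssid", "?")
        if "ca_cert" not in net and "ca_path" not in net:
            findings.append((ssid, "no CA configured: server certificate is not verified"))
        elif not any(key in net for key in SERVER_NAME_KEYS):
            findings.append((ssid, "CA set, no name check: any certificate from that CA is accepted"))
    return findings

# Constructed sample: the workaround, a CA-only block, and a block with a name check.
SAMPLE = """
network={
    ssid="Campus A"
    eap=TLS
}
network={
    ssid="Campus B"
    eap=TLS
    ca_cert="/etc/certs/ca.pem"
}
network={
    ssid="Campus C"
    eap=TLS
    ca_cert="/etc/certs/ca.pem"
    domain_suffix_match="radius.example.org"
}
"""
print(*audit(SAMPLE), sep="\n")
```

The second finding matters most when the chain ends in a public CA, as in the PEAP log quoted in the comments.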