NetworkManager does not support AES-encrypted private keys for WPA 802.1x authentication

Bug #942856 reported by Walter Mundt on 2012-02-28
This bug affects 3 people
Affects Status Importance Assigned to Milestone
network-manager (Ubuntu)

Bug Description

* Impact

Selecting AES-{192,256}-CBC keys to connect isn't working

* Test case

1. Start with a working (cleartext or DES-3) private key/cert for a network. Set up a connection and verify that everything works.
2. Re-encrypt the key with AES-256 with this command: "openssl rsa -in working-key.pem -out aes-key.pem -aes256" (the output should have a line starting with "DEK-Info: AES-256-CBC,")
3. Delete the settings for the test network and attempt to reconnect using the new key.

That should work

* Regression potential

That's new code for an extra type of keys, it shouldn't impact existing options


NetworkManager does not appear to support private keys encrypted with AES. At the very least, it will not validate such a key in nm-util when setting up a WPA 802.1x TLS wifi connection.

Changed in network-manager:
importance: Unknown → Medium
status: Unknown → New
Tony Espy (awe) wrote :

Walter, could you please add some more details ( Ubuntu release, NM version, ... )?

Changed in network-manager (Ubuntu):
status: New → Incomplete
Walter Mundt (waltermundt) wrote :

Ubuntu Release: 11.10
network-manager version:
network-manager-gnome version:

Anything else I should add?

Tony Espy (awe) wrote :

No I think that's OK for now...thanks!

Changed in network-manager (Ubuntu):
status: Incomplete → New

I think we can already mark this as Confirmed. There are some variations of encrypted private keys that fail to be properly parsed to recognize their type by NetworkManager, there's at least one other bug about this, and it's reproducible on Precise.

Changed in network-manager (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
Changed in network-manager:
importance: Medium → Wishlist
status: New → Confirmed
Sebastien Bacher (seb128) wrote :

Those keys are handled since 1.10.10 and Ubuntu 18.10

That update is being SRUed to bionic

Changed in network-manager (Ubuntu):
status: Confirmed → Fix Released
description: updated

Hello Walter, or anyone else affected,

Accepted network-manager into bionic-proposed. The package will build now and be available at in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in network-manager (Ubuntu Bionic):
status: New → Fix Committed
tags: added: verification-needed verification-needed-bionic
Olivier Tilloy (osomon) wrote :

Please test and share your feedback on this new version here, but refrain from changing the verification-needed-bionic tag for now. This new version includes many changes and we want to give it an extended testing period to ensure no regressions sneak in, before it is published to bionic-updates. Thanks!

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.