Comment 18 for bug 1501588

7oby (tobias-hain) wrote :

Thanks Mathieu for separating the MTU issues from the PMK key mismatch problems during TLS 1.2 negotiation.

I'm facing the latter: and tried to apply this patch:

"EAP-TLS/TTLS/PEAP workaround for incorrect TLS v1.2 MSK derivation"
http://lists.shmoo.com/pipermail/hostap/2015-July/033312.html
https://patchwork.ozlabs.org/patch/493119/

It does work to the extent that it recognizes the key mismatch problems with the Aruba Networks buggy TLS 1.2 implementation that I'm connecting to:

"wpa_supplicant[1504]: wlan1: RSN: PMKID mismatch - authentication server may have derived different MSK?!"

According to the above mentioned patch, Aruba ClearPass Policy Manager before 6.5.2 has those issues. However, the workaround doesn't seem to work - or I made a mistake applying the patch. The hostap upstream code for which the patch has been developed differs to some extent from the Ubuntu version.

Therefore two workarounds remain:

a) downgrade wpasupplicant to version <= 2.3 lacking TLS v1.1 support

b) enforcing TLS 1.1 on wpasupplicant 2.4-0ubuntu3.2

$ cat wpa_supplicant.conf

network={
  ssid="YOUR_SSID_HERE"
  key_mgmt=WPA-EAP
  eap=PEAP
  identity="YOUR_USERNAME_HERE"
  password="YOUR_PASSWORD_HERE"
  phase1="tls_disable_tlsv1_2=1"
  phase2="auth=MSCHAPV2"
}

$ sudo service network-manager stop
$ sudo wpa_supplicant -i wlan1 -D wext -c ./wpa_supplicant.conf -dd
$ sudo dhclient wlan1

I didn't find a way to enforce TLS 1.1 via KDE's 5.x GUI interface, nor to inject the settings directly into network-manager, though I think that should work as well. I had to stop network-manager - it wouldn't work otherwise.