Comment 34 for bug 1967690

In , Reiokorn (reiokorn) wrote :

(In reply to Hans-Peter Jansen from comment #32)
> Meanwhile, I'm pretty confident, this is the culprit:
>
> $ iw phy0 info | grep -A9 'Supported Ciphers'
> Supported Ciphers:
> * WEP40 (00-0f-ac:1)
> * WEP104 (00-0f-ac:5)
> * TKIP (00-0f-ac:2)
> * CCMP-128 (00-0f-ac:4)
> * CCMP-256 (00-0f-ac:10)
> * GCMP-128 (00-0f-ac:8)
> * GCMP-256 (00-0f-ac:9)
>
> while for your working config, it's
>
> Supported Ciphers:
> * WEP40 (00-0f-ac:1)
> * WEP104 (00-0f-ac:5)
> * TKIP (00-0f-ac:2)
> * CCMP-128 (00-0f-ac:4)
> * CCMP-256 (00-0f-ac:10)
> * GCMP-128 (00-0f-ac:8)
> * GCMP-256 (00-0f-ac:9)
> * CMAC (00-0f-ac:6)
> * CMAC-256 (00-0f-ac:13)
> * GMAC-128 (00-0f-ac:11)
> * GMAC-256 (00-0f-ac:12)
>
> For PMF, these are required:
>
> * CMAC (00-0f-ac:6)
> * GMAC-128 (00-0f-ac:11)
> * GMAC-256 (00-0f-ac:12)
>
> Your RTL provides them, our old Intel misses them.
>
> In theory, these ciphers are supplied easily in software, but this requires
> some community intelligence to be realized.
>
> @Dirk: no amount of forcing the connection from NM (Security: WPA/WPA2
> Personal), then tweaking the connection with nmcli does result in a
> successful connect.
>
> If forcing the connection security to "WPA3 Personal", the connection
> settings are:
> 802-11-wireless-security.key-mgmt: sae
> 802-11-wireless-security.pmf: 3 (required)
>
> With WPA/WPA2 Personal:
> 802-11-wireless-security.key-mgmt: wpa-psk
> 802-11-wireless-security.pmf: 0 (default)
>
> Also tried:
> 802-11-wireless-security.key-mgmt: wpa-psk
> 802-11-wireless-security.pmf: 1 (disable)
>
> @B, you can check this yourself with:
>
> $ nmcli connection show
>
> Look up your specific connection.
>
> $ nmcli connection show <uuid>
>
> Specifically:
>
> $ nmcli connection show <uuid> | grep -E 'key-mgmt|pmf'
>
> In my humble opinion, wpa_supplicant should test for sufficient ciphers, and
> not even try to connect with WPA3 otherwise. Will report this to the
> wpa_supplicant mailing list, but need to subscribe first...

Why was it possible to connect with the wpa_supplicant version before the update to 2.10 then without issues? The supported ciphers didn't change, did they?
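
The cipher check discussed in the quoted comment, as an added shell example that is not part of the original thread or of wpa_supplicant: it parses `iw phy0 info` output and reports which of the ciphers the comment lists for PMF are absent. The function names and the `REQUIRED` variable are assumptions made for illustration; the sample input is the two cipher lists quoted above.

```shell
# Added example: report which suites from REQUIRED are missing in the output of
# `iw phy <phy> info` read on stdin, e.g.  iw phy0 info | missing_pmf_ciphers
# REQUIRED (assumed name) defaults to the selectors the quoted comment lists for PMF.
REQUIRED="${REQUIRED:-00-0f-ac:6 00-0f-ac:11 00-0f-ac:12}"

# Print the suite selectors found in the "Supported Ciphers" block, one per line.
supported_suites() {
    awk '
        /Supported Ciphers:/ { in_block = 1; next }
        in_block && /\* .*\([0-9a-fA-F-]+:[0-9]+\)/ {
            s = $0; sub(/^.*\(/, "", s); sub(/\).*$/, "", s); print s; next
        }
        in_block { in_block = 0 }  # first non-cipher line ends the block
    '
}

# Print the required selectors that are absent, space separated.
missing_pmf_ciphers() {
    have=$(supported_suites)
    missing=""
    for suite in $REQUIRED; do
        # -x matches whole lines, so 00-0f-ac:1 never satisfies 00-0f-ac:11
        printf '%s\n' "$have" | grep -qxF "$suite" || missing="$missing $suite"
    done
    printf '%s' "${missing# }"
}

# Sample input: the two cipher lists quoted in the comment above.
sample_failing() {
cat <<'EOF'
    Supported Ciphers:
        * WEP40 (00-0f-ac:1)
        * WEP104 (00-0f-ac:5)
        * TKIP (00-0f-ac:2)
        * CCMP-128 (00-0f-ac:4)
        * CCMP-256 (00-0f-ac:10)
        * GCMP-128 (00-0f-ac:8)
        * GCMP-256 (00-0f-ac:9)
EOF
}
sample_working() {
    sample_failing
    cat <<'EOF'
        * CMAC (00-0f-ac:6)
        * CMAC-256 (00-0f-ac:13)
        * GMAC-128 (00-0f-ac:11)
        * GMAC-256 (00-0f-ac:12)
EOF
}
echo "first list lacks: $(sample_failing | missing_pmf_ciphers)"
```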